[Dovecot] Dovecot LDA and address extensions - folders flood
Charles Marcus
CMarcus at Media-Brokers.com
Wed Jan 11 21:25:24 EET 2012
On 2012-01-11 2:05 PM, huret deffgok wrote:
> On Wed, Jan 11, 2012 at 7:04 PM, Charles Marcus wrote:
>> On 2012-01-11 1:00 PM, huret deffgok wrote:
>>> This post is slightly OT, I hope no one will take offense. I was
>>> following the wiki on using dovecot LDA with postfix and
>>> implemented, for our future mail server, the address extensions
>>> mechanism: an email sent to
>>> "validUser+foldername@mydomain.com"
>>> will have dovecot-lda automagically create and subscribe the
>>> "foldername" folder. With some basic scripting I was able to
>>> create hundreds of folders in a few seconds. So my question is
>>> how do you implement this great feature in a secure way so that
>>> funny random people out there can't flood your mailbox with
>>> gigatons of folders.
>> Don't have it autocreate the folder...
>>
>> Seriously, there is no way to provide that functionality and have the
>> system determine when it is *you* doing it or someone else...
>>
>> But I think it is a non problem... how often do you receive plus-addressed
>> spam??
> None from now. But I was thinking about something like malice rather than
> spamming. For me it's an open door to DOS the service.
> What about a functionality that would throttle the rate of creation of
> folders from one IP address, with a ban in case of abuse? Or maybe should
> I look at the file system level.

Again - and no offense - but I think you are tilting at windmills...

If you get hit by this, you will not only have thousands or millions of
folders, you'll have one email for each folder. So, the question is, how
do you prevent being flooded with spam... and the answer is, decent
anti-spam measures.

I prefer ASSP, but I just wish you could use it as an after queue
content filter (for its most excellent content filtering and more
importantly quarantine management/block reporting
features/functionality). That said, postfix, with sane anti-spam
measures, along with the most excellent new postscreen (available in
2.8+ I believe) is good enough to stop most anything like this that you
may be worried about.

Like I said, set up postfix (or your smtp server) right, and this is a
non-issue.

--
Best regards,
Charles
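
An added example, not part of the original thread: one way to watch for the folder flood discussed above is to count distinct plus-extensions per mailbox in Postfix delivery logs and flag mailboxes that exceed a threshold. The log lines are constructed samples in the usual Postfix pipe delivery format, and the function names, the `+` delimiter and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: alice reuses one folder, carol has no extension,
# bob receives mail for five different extensions within a few seconds.
_TAIL = "relay=dovecot, delay=0.1, status=sent (delivered via dovecot service)"
SAMPLE_LOG = "\n".join(
    [
        f"Jan 11 19:00:01 mx postfix/pipe[2101]: 4F1A2B: to=<alice+lists@example.com>, {_TAIL}",
        f"Jan 11 19:00:05 mx postfix/pipe[2102]: 4F1A2C: to=<Alice+Lists@Example.com>, {_TAIL}",
        f"Jan 11 19:00:07 mx postfix/pipe[2103]: 4F1A2D: to=<carol@example.com>, {_TAIL}",
    ]
    + [
        f"Jan 11 19:01:{n:02d} mx postfix/pipe[22{n:02d}]: 5A0B{n:02d}: to=<bob+f{n}@example.com>, {_TAIL}"
        for n in range(5)
    ]
)

# Successful deliveries handed to a pipe transport (here: dovecot-lda).
TO_RE = re.compile(r"postfix/pipe\[\d+\]: \w+: to=<([^>@]+)@([^>]+)>.*status=sent")


def extensions_by_mailbox(log_text, delimiter="+"):
    """Map each base mailbox to the set of address extensions delivered to it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = TO_RE.search(line)
        if not match:
            continue
        local, domain = match.group(1), match.group(2).lower()
        # Split on the first delimiter only: "user+a+b" has extension "a+b".
        base, sep, ext = local.partition(delimiter)
        if sep and ext:
            # Lower-cased so "Lists" and "lists" count as one extension.
            seen[f"{base.lower()}@{domain}"].add(ext.lower())
    return seen


def flag_floods(log_text, max_extensions=3):
    """Return mailboxes whose distinct extension count exceeds the threshold."""
    return {
        mailbox: sorted(exts)
        for mailbox, exts in extensions_by_mailbox(log_text).items()
        if len(exts) > max_extensions
    }


if __name__ == "__main__":
    for mailbox, exts in flag_floods(SAMPLE_LOG).items():
        print(f"{mailbox}: {len(exts)} distinct extensions: {', '.join(exts)}")
```
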