[Dovecot] Proxying Authentication on both sides
Timo Sirainen
tss at iki.fi
Fri Mar 30 17:39:34 EEST 2012
On 30.3.2012, at 16.25, Andy Dills wrote:
> However, when we have the front-end server do a static director proxy, the
> problem is that authentication failures are logged on the back-end server
> with a source IP of the proxy, and no authentication failure with the
> client IP address is logged on the proxy. So, fail2ban (which is a MUST
> these days, at least for us) will not be able to properly filter out the
> brute force attackers.
This is a simple fix (and something you should do anyway): Add the proxy's IP/netmask to the login_trusted_networks setting in the remote server. For this to work with POP3 you need v2.1.2+.
> My solution was an alternative: I authenticate with our /bin/checkpassword
> on the proxy, which authenticates the user and only at that point returns
> the proxy=y nopassword=y switch to proxy the connection and forward the
> authentication.
Hm. Doesn't it do that even without nopassword=y?
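
Added example, not part of the original message or of Dovecot or fail2ban: a small Python sketch of fail2ban-style counting over back-end login failures, showing why the source address matters for banning. The log lines are constructed in the style of Dovecot's login-process messages, and the addresses, threshold and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the proxy address listed in login_trusted_networks (constructed).
TRUSTED = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed back-end log lines, modelled on Dovecot login-process messages.
# BEFORE: the proxy is not trusted, so every failure carries the proxy's address.
BEFORE = [
    "imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
    "imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
    "pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20",
]
# AFTER: the proxy is trusted, so the back end logs the forwarded client address.
AFTER = [
    "imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.20",
    "imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.20",
    "pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.20",
]

FAIL_RE = re.compile(
    r"(?:imap|pop3)-login: .*\(auth failed, (\d+) attempts[^)]*\).*?\brip=([0-9A-Fa-f:.]+)"
)

def failures_by_ip(lines):
    """Sum failed attempts per remote IP (rip) across the given log lines."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
    return counts

def ban_candidates(lines, threshold=3):
    """Return (ban, skipped): IPs over threshold, split by trusted-proxy status."""
    ban, skipped = [], []
    for ip, n in failures_by_ip(lines).items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        # Never ban the proxy itself: that would cut off every user behind it.
        (skipped if any(addr in net for net in TRUSTED) else ban).append(ip)
    return sorted(ban), sorted(skipped)

if __name__ == "__main__":
    print("before:", ban_candidates(BEFORE))
    print("after: ", ban_candidates(AFTER))
```

With the BEFORE lines the only address over the threshold is the proxy, so nothing useful can be banned; with the AFTER lines the failures split by real client and only the address that crossed the threshold is selected.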