[Dovecot] Proxying Authentication on both sides

Timo Sirainen tss at iki.fi
Fri Mar 30 17:39:34 EEST 2012


On 30.3.2012, at 16.25, Andy Dills wrote:

> However, when we have the front-end server do a static director proxy, the 
> problem is that authentication failures are logged on the back-end server 
> with a source IP of the proxy, and no authentication failure with the 
> client IP address is logged on the proxy. So, fail2ban (which is a MUST 
> these days, at least for us) will not be able to properly filter out the 
> brute force attackers.

This is a simple fix (and something you should do anyway): Add the proxy's IP/netmask to login_trusted_networks setting in the remote server. For this to work with POP3 you need v2.1.2+.

> My solution was an alternative: I authenticate with our /bin/checkpassword 
> on the proxy, which authenticates the user and only at that point returns 
> the proxy=y nopassword=y switch to proxy the connection and forward the 
> authentication.

Hm. Doesn't it do that even without nopassword=y?




More information about the dovecot mailing list