[Dovecot] Proxying Authentication on both sides
Timo Sirainen
tss at iki.fi
Fri Mar 30 18:03:00 EEST 2012
On 30.3.2012, at 17.51, Andy Dills wrote:
> On Fri, 30 Mar 2012, Timo Sirainen wrote:
>
>> On 30.3.2012, at 16.25, Andy Dills wrote:
>>
>>> However, when we have the front-end server do a static director proxy, the
>>> problem is that authentication failures are logged on the back-end server
>>> with a source IP of the proxy, and no authentication failure with the
>>> client IP address is logged on the proxy. So, fail2ban (which is a MUST
>>> these days, at least for us) will not be able to properly filter out the
>>> brute force attackers.
>>
>> This is a simple fix (and something you should do anyway): Add the
>> proxy's IP/netmask to login_trusted_networks setting in the remote
>> server. For this to work with POP3 you need v2.1.2+.
>
> Well, the problem isn't that my proxies would be banned; the problem is I
> have no way of seeing the remote IP of the failed authentication so I can
> ban the people who should be banned.
This is what the setting changes. The remote IP will be seen by the backends.
> It seems obvious in retrospect, but for whatever reason the way the docs
> were written made me feel like having the full authentication happen on
> both the proxy and the backend wasn't possible.
Oh. This is a pretty common configuration. I guess the docs could be clarified.
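The two-sided setup Timo describes, as an added example that is not configuration from this thread or from the Dovecot project's documentation. The addresses (10.0.0.1 proxy, 10.0.0.5 backend), the file paths and the use of a passwd-file passdb are assumptions chosen for illustration; any passdb that returns the proxy=y and host= extra fields works the same way.

```dovecot
# --- Front-end proxy: /etc/dovecot/conf.d/10-auth.conf (assumed path) ---
# The proxy does a full password check itself. A failed login is therefore
# logged on the proxy with rip=<client IP>, and a successful one is forwarded
# to the backend named by the host= extra field.
passdb {
  driver = passwd-file
  args = /etc/dovecot/proxy-users   # assumed path
}
# Constructed example line in /etc/dovecot/proxy-users
# (user:password:uid:gid:gecos:home:shell:extra_fields):
#   bob:{PLAIN}correct-horse::::::proxy=y host=10.0.0.5

# --- Backend: /etc/dovecot/conf.d/10-auth.conf (assumed path) ---
# Trust the proxy's own address so it may pass on the original client IP
# (sent ahead of the login; for POP3 this needs v2.1.2+). The backend then
# authenticates again and logs its own failures with rip=<client IP>
# rather than rip=10.0.0.1.
login_trusted_networks = 10.0.0.1/32
```

Keep login_trusted_networks limited to the proxies' own addresses. A host in that range is allowed to assert any client IP, so an over-broad netmask would let a client inside it forge the rip= value that fail2ban keys on, or hide its real address behind someone else's.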