[Dovecot] dnsbl feature for dovecot

[John Fawcett]

On 03/07/13 05:24, Professa Dementia wrote:
> On 7/2/2013 7:11 PM, Stan Hoeppner wrote:
>> On 7/2/2013 8:32 PM, Professa Dementia wrote:
>>> On 7/2/2013 6:21 PM, John Fawcett wrote:
>>>> dnsbl's are a popular method to prevent listed ips from making
>>>> connections to mta software.
>>>>
>>>> cf. postscreen_dnsbl_sites in postfix
>>>>
>>>> Would it be possible to introduce such a feature in dovecot, so that
>>>> connections can be denied
>>>> based on a dnsbl lookup (where the precise dnsbls used are configurable)?
>>>>
>>>> John
>>>>
>>> Let's back up a bit.  This does not seem like a feature that Dovecot needs.
>>>
>>> Rather, what problem are you trying to solve?  Maybe there is an
>>> existing or better way to accomplish it.
>> Based on John's recent thread on postfix-users on the same general
>> subject, I'd guess he's trying to stop rouge/malicious connections.
>>
> That's my point.  A self run IP blackhole list is almost useless.
> Distributed RBLs are much more effective.  However, existing ones are
> based on spam sources, not malicious connections to POP or IMAP servers.
>
> Knowing the problem would be beneficial in determining a good solution.
>  For certain types of connection abuse, Fail2Ban works remarkably well.
>  But, without knowing his exact problem, it may not be the correct solution.
>
> Dem
The point is to stop spambot connections to pop and
imap (which are usually done to try and steal
credentials).

I already use fail2ban to stop brute force attacks but
that means that each one has to be allowed to connect
a specified number of times and trigger the filter.

I was imagining a distributed solution which is already
in use in many mtas applied also to imap and pop
so that connections could be stopped from the first
one.

I am assuming that if there is such a feature then data is
available (e.g. sorbs) or if not yet being collected that it
could be done.

John