[Dovecot] dnsbl feature for dovecot

[Branko Majic]

On Wed, 03 Jul 2013 09:37:14 +0200
Robert Schetterer <rs at sys4.de> wrote:

> Am 03.07.2013 05:24, schrieb Professa Dementia:
> > On 7/2/2013 7:11 PM, Stan Hoeppner wrote:
> >> On 7/2/2013 8:32 PM, Professa Dementia wrote:
> >>> On 7/2/2013 6:21 PM, John Fawcett wrote:
> >>>> dnsbl's are a popular method to prevent listed ips from making
> >>>> connections to mta software.
> >>>>
> >>>> cf. postscreen_dnsbl_sites in postfix
> >>>>
> >>>> Would it be possible to introduce such a feature in dovecot, so that
> >>>> connections can be denied
> >>>> based on a dnsbl lookup (where the precise dnsbls used are configurable)?
> >>>>
> >>>> John
> >>>>
> >>>
> >>> Let's back up a bit.  This does not seem like a feature that Dovecot needs.
> >>>
> >>> Rather, what problem are you trying to solve?  Maybe there is an
> >>> existing or better way to accomplish it.
> >>
> >> Based on John's recent thread on postfix-users on the same general
> >> subject, I'd guess he's trying to stop rouge/malicious connections.
> >>
> > 
> > That's my point.  A self run IP blackhole list is almost useless.
> > Distributed RBLs are much more effective.  However, existing ones are
> > based on spam sources, not malicious connections to POP or IMAP servers.
> > 
> > Knowing the problem would be beneficial in determining a good solution.
> >  For certain types of connection abuse, Fail2Ban works remarkably well.
> >  But, without knowing his exact problem, it may not be the correct solution.
> > 
> > Dem
> > 
> 
> i think an auto dynamic user/ip based con limit might be best , but i
> guess it will be difficult to implement, for this you need some log
> analyser counting wrong auth user/ip pairs, invoking some action on the
> fly , like throttle user from ip, and auto high user/ip login throttle
> by adjustable time periods , also there must be some whitelist possible
> 

One possibility for the connection limiting could be using the iptables
hashlimit module. Getting the correct values for it might be a bit
tricky, but maybe initially you could do logging on a dedicated
iptables chain instead of drops to get some sample usage statistics.
Then again, you should also be careful with hashlimit if you have large
number of users coming from the same IP address (ISPs using NAT etc).

Best regards

-- 
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.

Бранко Мајић
Џабер: branko at majic.rs
Молим вас да додатке шаљете искључиво у слободним форматима.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130703/d9abe1a4/attachment.bin>