[Dovecot] stopping dictionary attacks (pop3)

Noel noeldude at gmail.com
Tue Sep 3 07:34:33 EEST 2013

On 9/2/2013 8:59 PM, other at ahhyes.net wrote:
> Hi Guys,
> I was really hoping a couple of years later this would be
> addressed... I'm running Dovecot 2.2.5 on FreeBSD.
> Is there anyway to limit the number of auth attempts allowed in a
> single session? The reason for this is because I have "fail2ban"
> setup to firewall out any IP addresses that repeatedly auth fails.
> The issue occurs when the connection is already in an
> "established" state and the attacker uses the existing session to
> hammer away, fail2ban becomes ineffective as dovecot appears to
> allow the person to attempt authentication ad infinitum.
> It would be nice if there was config option that would for example
> cause the software to close the connection after X failed
> attempts. I use "pf" as the firewall on FreeBSD.

The secret is the "pfctl -k IP" command to drop state for the
offending IP.  Just add it to your fail2ban action command.
action = /sbin/pfctl {whatever you have now}  && /sbin/pfctl -k <ip>

A nice writeup of fail2ban and pf can be found here:

  -- Noel Jones

More information about the dovecot mailing list