[Dovecot] Applying a DNS RBL to deny authentication?

Reindl Harald h.reindl at thelounge.net
Tue Feb 4 17:57:34 UTC 2014



On 04.02.2014 18:40, Marc Perkel wrote:
> Hope to get some attention about this idea to reduce hacking passwords.
> 
> Here is a list of about 700,000 IP addresses that are hacking passwords through SMTP AUTH
> 
> http://ipadmin.junkemailfilter.com/auth-hack.txt
> 
> This is a list of IP addresses that attempted to authenticate against my fake AUTH advertizing on servers with no
> authentication. We do front end spam filtering for thousands of domains and I decided to advertize authentication
> where there is none and I accept and blackhole all authenticated email to those servers. I have harvested the IP
> addresses in this list that is available through an RBL.
> 
> It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses
> connecting and deny access if listed.
> 
> Thoughts?

a limit of failed auth-tries without a successful one would be better
and strip down logging after it is blocked instead of having thousands
of lines from fools trying a dictionary

* ip <xx.xx.xx.xx> blocked after XX auth tries within XX minutes
* blocking of ip <xx.xx.xx.xx> released (XX tries blocked)

something like that but with focus on failed logins

anvil_rate_time_unit                                = 1800s
smtpd_client_connection_rate_limit                  = 50
smtpd_client_recipient_rate_limit                   = 400
smtpd_recipient_limit                               = 100
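
Added example, not part of the original message and not Dovecot or Postfix code: a sketch of the failed-login limiter described in the reply above, which blocks an IP after repeated failures with no successful login in between and logs only the block and release events. The class name, thresholds and the client address are assumptions made up for the illustration.

```python
from collections import defaultdict, deque

class FailedAuthLimiter:
    """Block an IP after max_failures failed logins within `window` seconds
    (no success in between); log one line per block and one per release."""

    def __init__(self, max_failures=5, window=600, block_time=1800):
        self.max_failures, self.window, self.block_time = max_failures, window, block_time
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> [release_time, suppressed_tries]
        self.log = []

    def allowed(self, ip, now):
        """Call before checking credentials; False means reject silently."""
        entry = self.blocked.get(ip)
        if entry is None:
            return True
        if now >= entry[0]:                 # block expired: log the release once
            del self.blocked[ip]
            self.log.append(f"blocking of ip <{ip}> released ({entry[1]} tries blocked)")
            return True
        entry[1] += 1                       # count the attempt, write no log line
        return False

    def record(self, ip, success, now):
        """Call with the outcome of every attempt that was allowed."""
        if success:
            self.failures.pop(ip, None)     # a successful login resets the counter
            return
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.blocked[ip] = [now + self.block_time, 0]
            del self.failures[ip]
            self.log.append(f"ip <{ip}> blocked after {self.max_failures} auth tries "
                            f"within {self.window // 60} minutes")

def simulate():
    """Constructed traffic: one client guesses a password every 2 s for 40 minutes."""
    lim = FailedAuthLimiter(max_failures=5, window=600, block_time=1800)
    ip = "192.0.2.10"                       # constructed documentation address
    for t in range(0, 2400, 2):
        if lim.allowed(ip, t):
            lim.record(ip, success=False, now=t)
    return lim.log

if __name__ == "__main__":
    print("\n".join(simulate()))
```

The 1200 constructed attempts produce three log lines instead of one line per guess.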

