[Dovecot] Applying a DNS RBL to deny authentication?

LuKreme kremels at kreme.com
Wed Feb 5 03:47:02 UTC 2014


On 04 Feb 2014, at 10:40 , Marc Perkel <marc at perkel.com> wrote:
> It seems to me that a nice dovecot feature would be the ability to do a black list check against IP addresses connecting and deny access if listed.
> 
> Thoughts?

Use the right tool. Fail2ban (or denyssh) does this sort of limiting quite well. One of them even has a feature that allows you to sync bad IPs with other people (denyssh, I think).

Also, postfix will check an RBL, so if you simply put your check in master.cf for your submission port, there's no reason for dovecot to try to redo something others already do.

Something like this in postfix:

# reject_rbl_client is a restriction, not a parameter, so it has to live
# inside smtpd_client_restrictions rather than on its own -o line, and
# -o values in master.cf must not contain whitespace (not even around "=").
# Postfix treats commas like whitespace when splitting restriction lists,
# so the zone name can follow reject_rbl_client after a comma.
submission   inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=reject_rbl_client,myrbl.local,permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o syslog_name=submit-tls


YMMV

-- 
I have seen the truth and it makes no sense.
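What reject_rbl_client actually does under the hood is a plain DNS lookup: the client's address is reversed, prefixed to the list's zone, and an answer in 127.0.0.0/8 means "listed". The following is an added example, not code from the post or from Postfix or Dovecot; the zone "myrbl.local" is the placeholder from the post, and the return-code meanings and the sample zone are constructed for offline demonstration.

```python
"""Added example: how a DNSBL (RBL) lookup of a connecting client IP works."""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed sample meanings for the placeholder list "myrbl.local".
# Real lists publish their own code tables; these are not real data.
SAMPLE_CODE_MEANINGS = {
    "127.0.0.2": "listed: spam source",
    "127.0.0.3": "listed: open relay / proxy",
}


def dnsbl_query_name(client_ip: str, rbl_zone: str) -> str:
    """Build the query name: IPv4 octets reversed (IPv6 reversed nibble by
    nibble), followed by the list zone, as a fully qualified name."""
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv4Address):
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + rbl_zone.rstrip(".") + "."


def system_resolver(name: str) -> Optional[str]:
    """Default resolver: an A lookup via the system stub resolver, None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(client_ip: str, rbl_zone: str,
              resolve: Callable[[str], Optional[str]] = system_resolver) -> Optional[str]:
    """Return the list's answer code (e.g. '127.0.0.2') if the client is listed,
    None otherwise. Only answers inside 127.0.0.0/8 count: a public address
    in the reply usually means a dead or wildcarded zone, and rejecting on it
    would block every client, so it is ignored."""
    answer = resolve(dnsbl_query_name(client_ip, rbl_zone))
    if answer is None:
        return None
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None


# Constructed sample zone so the check can be exercised offline.
SAMPLE_ZONE = {
    "4.3.2.1.myrbl.local.": "127.0.0.2",   # a listed client
    "8.7.6.5.myrbl.local.": "10.0.0.1",    # bogus non-127 answer, must be ignored
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ZONE.get(name)
```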
