RFE: dnsbl-support for dovecot

[Giles Coochey]

On 17/06/2014 18:56, Reindl Harald wrote:
>
> Am 17.06.2014 19:43, schrieb Giles Coochey:
>> On 17/06/2014 18:16, Reindl Harald wrote:
>>> after having my own dnsbl feeded by a honeypot and even
>>> mod_security supports it for webservers i think dovecot
>>> sould support the same to prevent dictionary attacks from
>>> known bad hosts, in our case that blacklist is 100%
>>> trustable and blocks before SMTP-Auth while normal RBL's
>>> are after SASL
>>>
>>> i admit that i am not a C/C++-programmer, but i think
>>> doing the DNS request and in case it has a result block
>>> any login attemt should be not too complex
>>>
>>> setup a own honeypot and feed rbldnsd with the sources
>>> is quite easy and in case of a own, trustable RBL where
>>> no foreigners report somebody by mistake it's relieable
>>> and scales well over many machines and services as long
>>> services supporting it
>>>
>>> mod_security:
>>> http://blog.inliniac.net/2007/02/23/blocking-comment-spam-using-modsecurity-and-realtime-blacklists/
>>>
>> If you have the bllist as a file then you may as well drop with iptables (in Linux) or ipfw (BSD).
>>
>> Use an IP tool for an IP block, not the application.
>>
>> Spamhaus project has a kind of script for this type of thing:
>>
>> http://www.spamhaus.org/faq/section/DROP%20FAQ
>>
>> I'm quite happy to use fail2ban, yes - dovecot has to handle a few failed logins for each blocked IP, but it works
>> for me and pretty much mitigates the attack
> that's not the point, to achieve the same as with a RBL you
> need to manipulate iptables on every machine - the RBL is
> centrally for HTTP/SMTP and so it makes sense to use
> it also for IMAP/POP3
Or just do it on the firewall...
> additionally you have no log - thats bad with a RBL you have a
> dedicated log containign much more data than source / target IP
> and ports
Iptables has a log option.
> also i don't want to have fail2ban on every machine, the point
> of a RBL with a honeypot is that bad machines are blocked
> for 7 days just beause they touch any unused IP and likely
> before they even hit the production servers
That's your personal choice.
> iptables-rules are managed here also centralized over a lot
> of machines and i really don't want to marry the honeypot with
> the iptables
>
That's specific to your deployment.

I don't know how much use such a feature within dovecot would get as 
there are quite a few specific tools that could accomplish pretty much 
the same goals of what you're looking for -  it is just unfortunate that 
they don't fit in your own environment.

Perhaps others on the list would have opinions on it.

-- 
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at coochey.net


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6454 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20140617/fcd0c146/attachment.p7s>