RFE: dnsbl-support for dovecot

Jochen Bern Jochen.Bern at LINworks.de
Tue Jun 17 19:04:26 UTC 2014

On -10.01.-28163 20:59, Reindl Harald wrote:
> i admit that i am not a C/C++-programmer, but i think
> doing the DNS request and in case it has a result block
> any login attempt should be not too complex

Can't say that I actually ever *did* it, but according to the docs, the
following should work:

1. Use http://wiki2.dovecot.org/Authentication/MultipleDatabases to have
login requests go through a
http://wiki2.dovecot.org/AuthDatabase/CheckPassword first. Insert %r
into the args to pass the rip to the external executable.

2. Make that executable return failure if there is a matching DNSBL
entry. (Note that in the case of a *dictionary* attack, offenders should
appear in your resolver's local cache shortly, so you can set very low
timeouts.) Configure the database as "result_failure = return-fail"
(according to the docs, that should make dovecot generate a log entry)
and "result_success = continue" (which will pass processing to the
*actual* userdb/passdb).

3. *Now* you can take advantage of having the lookup being done by an
external executable, instead of (hard)code(d) within dovecot: Use the
iptables "recent" module to (temporarily) block packets from SRCs on a
local dynamic blacklist, and let the executable feed any matches it
encounters to that list through the /proc/net interface as well.

>        echo +addr >/proc/net/xt_recent/DEFAULT
>               to add addr to the DEFAULT list

								J. Bern
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
P.O. Box 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, fax -299 - Darmstadt District Court HRB 85202
Registered office Weiterstadt, Managing Directors Metin Dogan, Oliver Michel

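The three steps above, carried through as an added example that is not from the post or from Dovecot: a checkpassword-style executable that builds the reversed DNSBL query for the %r address, maps the resolver's answer to the checkpassword exit status, and, on a hit, also writes the address into the iptables "recent" list. The zone name and the wiring (IP as the last argument, exit 0 = continue, 1 = reject, 111 = temporary failure) are assumptions; the fail-open handling of resolver timeouts is a deliberate choice noted in the code.

```python
# DNSBL gate for a Dovecot checkpassword passdb (added example, not from the post).
# Assumed: the remote IP (%r) arrives as the last argument; exit 0 = continue to
# the real passdb, 1 = reject, 111 = temporary failure.
import ipaddress
import socket
import sys

DNSBL_ZONE = "dnsbl.example.invalid"       # placeholder zone, not a real list
XT_RECENT = "/proc/net/xt_recent/DEFAULT"  # iptables "recent" list named in the post

def dnsbl_query_name(ip, zone):
    """Reversed address labels under the list zone (IPv4 octets or IPv6 nibbles)."""
    rev = ipaddress.ip_address(ip).reverse_pointer   # e.g. 2.0.0.127.in-addr.arpa
    return rev.rsplit(".", 2)[0] + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True on a DNSBL hit, False if unlisted, None when the resolver failed."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError as e:        # socket.gaierror is an OSError
        return False if e.errno == socket.EAI_NONAME else None  # NXDOMAIN / timeout
    # Hits are 127.0.0.x by convention; a wildcarding resolver must not lock users out.
    return answer.startswith("127.")

def exit_code(listed, fail_open=True):
    """Checkpassword exit status; an unknown result fails open unless told otherwise."""
    if listed:
        return 1
    return 111 if listed is None and not fail_open else 0

def main(argv):
    try:   # the resolver's own timeout is tuned in resolv.conf (options timeout:1)
        listed = is_listed(argv[-1], DNSBL_ZONE)
    except ValueError:          # not an IP address at all: leave it to the passdb
        return 0
    if listed:                  # step 3 of the post: 'echo +addr' onto the recent list
        try:
            with open(XT_RECENT, "w") as fh:
                fh.write(f"+{argv[-1]}\n")
        except OSError:
            pass                # module not loaded or unprivileged: still reject
    return exit_code(listed)

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```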