IP drop list

Reindl Harald h.reindl at thelounge.net
Wed Mar 4 19:31:49 UTC 2015


On 04.03.2015 at 20:12, Michael Orlitzky wrote:
> On 03/03/2015 11:03 PM, Earl Killian wrote:
>> On 2015/3/2 10:03, Reindl Harald wrote:
>>>
>>> that is all nice
>>>
>>> but the main benefit of RBL's is always ignored:
>>>
>>> * centralized
>>> * no log parsing at all
>>> * honeypot data are "delivered" to any host
>>> * it's cheap
>>> * it's easy to maintain
>>> * it doesn't need any root privileges anywhere
>>>
>>> we have a small honeypot network with a couple of IP ranges detecting
>>> mass port scans and so on, and this data is available *everywhere*
>>>
>>> so if some IP hits there it takes 60 seconds and any service
>>> supporting DNS blacklists can block them *even before* the bot hits
>>> the real mailserver at all
>>>
>> I would like to reiterate Reindl Harald's point above, since subsequent
>> discussion has gotten away from it. If Dovecot had DNS RBL support
>> similar to Postfix, I think quite a few people would use it, and thereby
>> defeat the scanners far more effectively than any other method. It is
>> good that other people are suggesting things that will work today, but
>> in terms of what new feature would be the best solution, I can't think
>> of one better than a DNS RBL.
>
> Please add this support to iptables instead of Dovecot. It's a waste of
> effort to code it into every application that listens on the network.
>
> Combined with "--ctstate NEW" and a chain for IMAP packets, it would be
> no less efficient

you don't want a DNS client in a kernel module with full permissions, and
you will never convince any sane kernel developer to do that, nor does it
help much for the users on a different operating system

Dovecot is not Linux-only

____________________________________

> In the case of HTTP, IMAP, etc. things are not so easy.
> Just think about NAT and CGN

that doesn't matter

if I blacklist a client because he starts a dictionary attack on SMTP, I
want it also blocked on IMAP without using a dozen different tools, because
the account password that was now caught via IMAP will be used to send spam
later when the SMTP RBL entry expires

and frankly that 100% trustable RBL lives *before* 
"permit_sasl_authenticated" because it would be pointless anywhere else

ordinary blacklists are score-based on the MX, which is a completely
different machine with no business for POP3/IMAP or even outgoing mail

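The DNS blocklist check the thread is arguing about, in outline. This is an added example, not Dovecot or Postfix code: it builds the reversed-address query name (IPv4 octets, or one label per IPv6 nibble) for a zone, treats only an answer in 127.0.0.0/8 as a listing, and applies the verdict to the connecting client before any credential is looked at, which is the ordering the message insists on relative to permit_sasl_authenticated. The zone names honeypot.example and dead.example, the record table, the client addresses and the `exempt` allowlist parameter are constructed for offline use; a real deployment would resolve through `system_resolver` (socket.gethostbyname) instead of `fake_resolver`.

```python
"""DNS blocklist (DNSBL) check applied to a connecting client before
authentication.  Added example, not Dovecot or Postfix code; the zones,
records and addresses below are constructed for offline use."""

import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple

# A resolver maps a query name to the text of its A record, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL client queries: reversed address labels + zone.

    IPv4 reverses the four octets (1.2.3.4 -> 4.3.2.1.zone.); IPv6 reverses
    all 32 hex nibbles of the expanded address, one label per nibble.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".") + "."


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_dnsbl_listing(answer: str) -> bool:
    """Only answers in 127.0.0.0/8 count as a listing.  A zone that has been
    abandoned and later parked often answers every query with a public
    address; ignoring such answers keeps a dead list from blocking everyone."""
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def dnsbl_listed(ip: str, zone: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the 127.0.0.x answer if ip is listed in zone, otherwise None."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is not None and is_dnsbl_listing(answer):
        return answer
    return None


def pre_auth_decision(client_ip: str, zones: Iterable[str],
                      resolve: Resolver = system_resolver,
                      exempt: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide on the TCP client before it is allowed to send credentials.

    Private and loopback sources, and any network in `exempt` (an assumed
    local allowlist, e.g. your own office ranges), skip the lookup entirely.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.is_private or addr.is_loopback:
        return True, "exempt"
    if any(addr in ipaddress.ip_network(net, strict=False) for net in exempt):
        return True, "exempt"
    for zone in zones:
        hit = dnsbl_listed(client_ip, zone, resolve)
        if hit is not None:
            return False, f"{client_ip} listed in {zone} ({hit})"
    return True, "not listed"


# Constructed records standing in for DNS answers, keyed by query name.
FAKE_RECORDS = {
    "4.3.2.1.honeypot.example.": "127.0.0.2",   # 1.2.3.4 scanned the honeypot
    "4.3.2.1.dead.example.": "198.51.100.7",    # parked zone: wildcard answer
    "8.7.6.5.dead.example.": "198.51.100.7",
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for system_resolver, backed by FAKE_RECORDS."""
    return FAKE_RECORDS.get(name)


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "10.0.0.5"):
        print(ip, pre_auth_decision(ip, ["honeypot.example", "dead.example"], fake_resolver))
```

The decision runs on the source address alone, so a bot that is listed never gets to present a password and the authentication backend never sees the attempt; the zone consulted is the dedicated one the message describes, not an MX-style scoring list, so a hit is treated as a hard reject rather than a score. The 127.0.0.0/8 sanity check is the one caveat worth keeping even in a minimal implementation.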