IP drop list

Joseph Tam jtam.home at gmail.com
Thu Mar 5 03:06:36 UTC 2015


Nick Edwards writes:

> I thought Timo once said dovecot had tarpitting, it's useless if it is
> there, and if it is, it needs user configurable timings, or maybe it's
> one of those things that's been in the gunna happen list
> for a long time, like other stuff

If I remember correctly, I think this was the "auth_failure_delay"
feature.  However, these delays are only inserted into the same
session -- no IP tracking is done so a BFD attacking host can just
keep opening up new connections.

Dave McGuire writes:

>>>> Please add this support to iptables instead of Dovecot.  It's a
>>>> waste of effort to code it into every application that listens on
>>>> the network.
>>> 
>>> <head explodes>
>>> 
>>> Would you care to integrate it into IOS on my Cisco as well?
>>> 
>>> There are things connected to the Internet that aren't PCs running
>>> Linux, you know.  It may be hard to accept, but that's the way it is. 
>>> 
>> I assume your dovecot runs on some kind of *nix
> 
> Of course.  I run it under Solaris.

Oddly enough, if you run some versions of Solaris, it uses IPFilter
as the native firewall, and it *does* have userland hooks so that you
can make pass/block decisions based on userland executable.  Not well
documented though (see auth rules).

You would need a firewall rule like

	auth in proto tcp from any to any port = 143 flags S/SA keep state

then write a program that does ioctl(ipauth) calls to inspect and
accept/reject packets; not for the faint of heart.  However, you can use
whatever weird and wonderful methods you want to determine IMAP/POP/SMTP
network access policy, including DNSRBL or parsing a text file.

This thread seems to be spinning into non-dovecot subjects, and I'm not
helping, so I'll stop.

Joseph Tam <jtam.home at gmail.com>
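As an added illustration of the userland policy half described above (example code, not from the post or from IPFilter): it loads a constructed text file of blocked CIDR ranges and builds the reversed-octet DNSBL query name; the /dev/ipauth ioctl loop that would feed packets to decide_ipv4() is assumed to sit around it and is not shown.

```c
/* Added example: policy decision for an IPFilter "auth" rule helper.
 * Assumptions: blocklist is a text file of "a.b.c.d[/len]" lines with '#'
 * comments; the ioctl(ipauth) read/answer loop is omitted. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_RULES 64
struct cidr { uint32_t net; uint32_t mask; };
static struct cidr blocklist[MAX_RULES];
static int nrules;

/* Parse a dotted quad into a host-order uint32; returns 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Load rules from the text buffer; malformed lines are skipped. */
int load_blocklist(const char *text) {
    char buf[1024]; strncpy(buf, text, sizeof buf - 1); buf[sizeof buf - 1] = 0;
    nrules = 0;
    for (char *ln = strtok(buf, "\n"); ln && nrules < MAX_RULES; ln = strtok(NULL, "\n")) {
        if (ln[0] == '#' || ln[0] == 0) continue;
        char *slash = strchr(ln, '/'); int len = 32;
        if (slash) { *slash = 0; len = atoi(slash + 1); }
        uint32_t net;
        if (!parse_ipv4(ln, &net) || len < 0 || len > 32) continue;
        uint32_t mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
        blocklist[nrules].net = net & mask; blocklist[nrules].mask = mask; nrules++;
    }
    return nrules;
}

/* Build the reversed-octet DNSBL query name, e.g. 1.2.0.192.zone. */
int dnsbl_name(const char *ip, const char *zone, char *out, size_t outlen) {
    uint32_t v; if (!parse_ipv4(ip, &v)) return 0;
    return snprintf(out, outlen, "%u.%u.%u.%u.%s", v & 255, (v >> 8) & 255,
                    (v >> 16) & 255, v >> 24, zone) < (int)outlen;
}

/* 1 = pass, 0 = block; an unparsable source address is blocked. */
int decide_ipv4(const char *src) {
    uint32_t v; if (!parse_ipv4(src, &v)) return 0;
    for (int i = 0; i < nrules; i++)
        if ((v & blocklist[i].mask) == blocklist[i].net) return 0;
    return 1;
}
```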

