under some kind of attack

Joseph Tam jtam.home at gmail.com
Fri Jul 21 23:17:12 EEST 2017


mj <lists at merit.unu.edu> wrote:

> - for external users, to ONLY be allowed to use an application specific
> password. (or username and password, fine as well)
>
> Step one: making ldap password authentication valid only from our
> internal network. I thought: using allow_nets=192.168.1.0/24 for that passdb
>
> But I can't get that to work. :-( Unsure where exactly to define the
> allow_nets, tried many variations on the theme already.
>
> Perhaps someone can help with the step one, and also tell me if the
> approach outlined above is smart, valid and do-able in dovecot.

As per my post: checkpassword.  You can then use one password on Mondays,
Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursdays
fetched from a rot-13 database, and only from prime numbered IP addresses
on weekends, if that's what you want.

Gary Sellani <lists at lazygranch.com> writes:

> Not applicable to most installations, but I use geographical filtering
> on all ports other than 25.  Fine if you are the only user of the email
> system.

If you're the only user, moving the IMAP/POP service to a nonstandard port
will do most of that with much less bother, and you won't lock yourself
out, requiring an ssh/edit firewall/reconnect.  Been there, done that.

> I get one hacker a week trying to guess passwords, and always from Digital Ocean VPS.

abuse at digitalocean.com is fairly responsive.  They usually nuke
them pretty quickly.

> I would like to see statistics on the success of such brute force
> attacks.  They can't be very successful these days.

Even if the success rate is 0.00001%, you can do the arithmetic to see
that's still a huge number of accounts.  But you're right, if you have
anything resembling a sensible password policy, they're just a log
bloating nuisance.

Joseph Tam <jtam.home at gmail.com>
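An added example, not from the thread, of the policy mj asked about implemented the way Joseph suggests: a Python checkpassword script that honours the primary (LDAP-style) password only from the internal 192.168.1.0/24 network and accepts only a separate application-specific password from anywhere else. The credential store and user names are constructed; the fd 3 input format, the TCPREMOTEIP variable, the exec of argv[1] on success and the exit codes are my reading of Dovecot's checkpassword interface and should be checked against your Dovecot version.

```python
import hashlib
import hmac
import ipaddress
import os
import sys

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # range from the thread

# Constructed credential store: per user, a PBKDF2 hash of the primary
# (LDAP-style) password and of a separate application-specific password.
# A real deployment would query LDAP / a passwd-file instead.
SALT = b"constructed-salt"


def _h(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


USERS = {"mj": {"primary": _h("CorrectHorse"), "app": _h("abcd-efgh-ijkl-mnop")}}


def check(user: str, password: str, remote_ip: str) -> bool:
    """Return True if this login is allowed under the split password policy."""
    rec = USERS.get(user)
    if rec is None:
        return False
    try:
        internal = ipaddress.ip_address(remote_ip) in INTERNAL_NET
    except ValueError:  # unparsable address: treat as external
        internal = False
    given = _h(password)
    # The application-specific password is accepted from any network.
    if hmac.compare_digest(given, rec["app"]):
        return True
    # The primary password is accepted only from the internal network.
    return internal and hmac.compare_digest(given, rec["primary"])


def main() -> int:
    # Assumed interface: Dovecot writes "user\0password\0timestamp\0" to fd 3
    # and sets TCPREMOTEIP; on success the script execs argv[1]
    # (checkpassword-reply). Exit 1 = auth failure, 111 = temporary failure.
    try:
        with os.fdopen(3, "rb") as f:
            fields = f.read().split(b"\0")
        user, password = fields[0].decode(), fields[1].decode()
        remote_ip = os.environ.get("TCPREMOTEIP", "0.0.0.0")
    except (OSError, IndexError, UnicodeDecodeError):
        return 111
    if not check(user, password, remote_ip):
        return 1
    os.environ["USER"] = user
    os.execv(sys.argv[1], [sys.argv[1]])
    return 111  # only reached if the exec itself failed


if __name__ == "__main__":
    sys.exit(main())
```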