under another kind of attack

Joseph Tam jtam.home at gmail.com
Tue Jul 25 22:32:48 EEST 2017


"mourik jan c heupink" <lists at merit.unu.edu> writes:

> On 07/24/2017 04:51 AM, Joseph Tam wrote:
>> You are essentially writing your own backend by taking over
>> authentication.  You'll be accepting user/password inputs into your
>> checkpassword executable, then use the LDAP API (or some other system...snip
>> and source address, which will adversely affect performance on a
>> busy server as authentication data cannot be cached.
>
> While this sounds awesome, it can do much more than what I was/am after, and appears a lot more complicated to set up than what I had figured myself.
>
> Shouldn't I be able to do something like this:
>
> passdb {
>  driver = passwd-file
>  # application specific passwd-file should work from anywhere
>  # (so: no allow_nets)
>  args = /etc/dovecot/dovecot-application-specific
> }
> passdb {
>  # only allowed to use this from within local 192.168.1.0/24
>  args = /etc/dovecot/dovecot-ldap.conf.ext allow_nets=192.168.1.0/24
>  driver = ldap
> }

Yes, that would take care of *one* of the items on your wishlist
(network specific passwords).  You also wanted time specific passwords.
And intelligent brute force detection.  And blacklist lookups.

Rather than cobbling together fail2ban, utility scripts, multiple passdbs,
firewall rules and whatever other system you'll need to recruit, I'm
suggesting you amortize the effort and pack it into one place, then you
can extend this to incorporate whatever your heart desires.

The complexity of implementing this reflects the complexity of your
requirements.  If you only had generic authentication needs, then the
dovecot supplied facilities would be perfect.  But you don't.

> Where I would generate lines in dovecot-application-specific using a
> script or some webpage, and generate lines like:
>
> username1:randomONE:vmail:vmail::/var/vmail/username1:
> username1:randomTWO:vmail:vmail::/var/vmail/username1:
> username2:randomTHREE:vmail:vmail::/var/vmail/username2:
> username2:randomFOUR:vmail:vmail::/var/vmail/username2:
>
> And the result would be: username1 can login from anywhere, using
> passwords "randomONE" & "randomTWO", plus the password in ldap when
> coming from the internal network.

You'll probably need 3 passdbs: LDAP and 2 fallback passwd-file dbs.

Joseph Tam <jtam.home at gmail.com>
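The following is an added example, not code from the thread or from Dovecot itself. It models the three-passdb chain the reply ends on: two passwd-file passdbs holding one application-specific password per user each (a passwd-file is keyed on the username, so the second password needs a second file), followed by an LDAP passdb restricted by allow_nets to 192.168.1.0/24. The passwd-file contents are the constructed lines from the thread; the LDAP directory, the password values, and the client IPs are assumed. The chain is modelled as "try each passdb in order, skip any whose allow_nets excludes the client, and accept on the first passdb that knows the user and matches the password", which is what the thread's intended outcome requires.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed passwd-file contents in the format shown in the thread:
# user:password:uid:gid:gecos:home:shell
# Each file carries one password per user; the second application-specific
# password goes into a second file, hence a second passdb.
# (In a real deployment the password field should carry a hashed value
# with a scheme prefix, e.g. {SHA512-CRYPT}..., not the plaintext.)
APP_PW_FILE_1 = """\
# application-specific passwords, set one
username1:randomONE:vmail:vmail::/var/vmail/username1:
username2:randomTHREE:vmail:vmail::/var/vmail/username2:
"""
APP_PW_FILE_2 = """\
username1:randomTWO:vmail:vmail::/var/vmail/username1:
username2:randomFOUR:vmail:vmail::/var/vmail/username2:
"""

# Stand-in for the LDAP directory (assumed primary passwords, constructed).
LDAP_DIRECTORY = {"username1": "ldap-secret-1", "username2": "ldap-secret-2"}


def parse_passwd_file(text: str) -> dict:
    """Parse passwd-file lines into {user: password}.

    Blank lines and '#' comments are skipped, trailing fields are ignored,
    and a line without at least user and password fields is rejected.
    If a user appears twice, the first entry is kept.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            raise ValueError(f"malformed passwd-file line: {raw!r}")
        entries.setdefault(fields[0], fields[1])
    return entries


@dataclass
class Passdb:
    """One passdb block: a name, a user -> stored-password lookup, and
    an optional allow_nets list of CIDR strings (empty = allowed from anywhere)."""
    name: str
    lookup: Callable[[str], Optional[str]]
    allow_nets: List[str] = field(default_factory=list)

    def permits(self, source_ip: str) -> bool:
        if not self.allow_nets:
            return True
        ip = ipaddress.ip_address(source_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.allow_nets)


def build_chain() -> List[Passdb]:
    """The three passdbs from the thread, in lookup order."""
    return [
        Passdb("app-specific-1", parse_passwd_file(APP_PW_FILE_1).get),
        Passdb("app-specific-2", parse_passwd_file(APP_PW_FILE_2).get),
        Passdb("ldap", LDAP_DIRECTORY.get, allow_nets=["192.168.1.0/24"]),
    ]


def authenticate(chain: List[Passdb], user: str, password: str, source_ip: str) -> Optional[str]:
    """Return the name of the passdb that accepted the login, or None.

    Passdbs are tried in order; one whose allow_nets excludes the client is
    skipped, and the first passdb that both knows the user and matches the
    password wins. Comparison is constant-time to avoid leaking the stored
    value's prefix through timing.
    """
    for db in chain:
        if not db.permits(source_ip):
            continue
        stored = db.lookup(user)
        if stored is None:
            continue
        if hmac.compare_digest(stored.encode(), password.encode()):
            return db.name
    return None


if __name__ == "__main__":
    chain = build_chain()
    for who, pw, ip in [("username1", "randomONE", "203.0.113.5"),
                        ("username1", "ldap-secret-1", "203.0.113.5"),
                        ("username1", "ldap-secret-1", "192.168.1.20")]:
        print(who, "from", ip, "->", authenticate(chain, who, pw, ip))
```

Running the block shows the thread's intended result: the two application-specific passwords are accepted from any address, while the LDAP password is accepted only when the client sits inside 192.168.1.0/24.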

