Mail account brute force / harassment

Aki Tuomi aki.tuomi at open-xchange.com
Fri Apr 12 21:50:32 EEST 2019


> On 12 April 2019 21:45 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote:
> 
> 
> > You are running some kind of proxy in front of it.
> 
> No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail.
> 
> > If you want it to show real client IP, you need to enable forwarding of said data. With dovecot it's done by setting
> >  
> >  login_trusted_networks = your-upstream-host-or-net
> >  
> >  in backend config file.
> 
> OK I changed it and restarted wforce and dovecot. Still seeing this:
> Apr 12 14:38:55 auth: Debug: policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): Policy server request JSON: {"device_id":"","login":" ouruser","protocol":"imap","pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}
> 
> > For webmails, this requires both login_trusted_networks and also support from the webmail software to forward client IP.
> 
> I did get a reply from the Squirrelmail list:
> "Well, I've had code sitting around for a while that implements RFC2971 (ID command), so I just committed it. You can use it for this purpose by putting something like this into your config/config_local.php
> $imap_id_command_args = array('remote-host' => '###REMOTE ADDRESS###');"
> 
> Which I also added previously. But that doesn't address emacs/RMail users.
> 
> Could there be a setting in sendmail.mc/cf file that I'm missing?


Can you verify the following?

doveconf auth_policy_request_attributes

auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s

On some versions remote is mistakenly %{real_rip} which expands into where the connection came from instead of client IP.

If it's wrong, just feel free to copy-paste the setting above into the dovecot config.

Aki


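The two checks Aki describes above (is the policy-server request carrying the proxy's address instead of the client's, and does auth_policy_request_attributes use %{rip} rather than %{real_rip}) can be scripted. The following is an added example, not code from the thread or from Dovecot; the log line and the loopback "trusted" network are constructed assumptions modelled on the Debug line quoted above (in that setup the webmail/MTA host is loopback, so a 127.0.0.1 "remote" means the policy server never sees the real client IP).

```python
import ipaddress
import json

# Constructed sample, modelled on the Debug line quoted in the thread
# (values are illustrative, not captured from a real server).
SAMPLE_LINE = (
    'Apr 12 14:38:55 auth: Debug: policy(ouruser,127.0.0.1,<6GFTnVmGcMN/AAAB>): '
    'Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap",'
    '"pwhash":"43","remote":"127.0.0.1","success":false,"policy_reject":false,"tls":false}'
)

# Assumption: the webmail / MTA that proxies logins lives on the same box, so any
# loopback "remote" is the upstream host, not a real client.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

JSON_MARKER = "Policy server request JSON: "
EXPECTED_REMOTE = "remote=%{rip}"


def parse_policy_request(line):
    """Extract the JSON object Dovecot sent to the policy server; None if absent/invalid."""
    idx = line.find(JSON_MARKER)
    if idx < 0:
        return None
    try:
        return json.loads(line[idx + len(JSON_MARKER):])
    except json.JSONDecodeError:
        return None


def remote_is_trusted_host(request, trusted_nets=TRUSTED_NETS):
    """True when 'remote' is a proxy/trusted address: the policy server is being fed the
    upstream host's IP, so per-client brute-force tracking cannot work."""
    try:
        addr = ipaddress.ip_address(request.get("remote", ""))
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def remote_attribute_ok(setting):
    """Check a 'doveconf auth_policy_request_attributes' line: the remote attribute must
    expand from %{rip} (client IP, honouring login_trusted_networks), not %{real_rip}."""
    value = setting.split("=", 1)[1] if setting.startswith("auth_policy_request_attributes") else setting
    for token in value.split():
        if token.startswith("remote="):
            return token == EXPECTED_REMOTE
    return False  # no remote attribute at all: the policy server gets no IP


def audit(log_lines, setting):
    """Return human-readable findings for a batch of log lines plus the current setting."""
    findings = []
    if not remote_attribute_ok(setting):
        findings.append("auth_policy_request_attributes: remote is not %{rip}")
    for line in log_lines:
        req = parse_policy_request(line)
        if req and remote_is_trusted_host(req):
            findings.append("policy request for %r carries proxy address %s"
                            % (req.get("login"), req.get("remote")))
    return findings


if __name__ == "__main__":
    bad_setting = ("auth_policy_request_attributes = login=%{requested_username} "
                   "pwhash=%{hashed_password} remote=%{real_rip} device_id=%{client_id} protocol=%s")
    for finding in audit([SAMPLE_LINE], bad_setting):
        print(finding)
```

Run it against the real output of `doveconf auth_policy_request_attributes` and a few `auth: Debug: policy(...)` lines from the log; an empty findings list means the policy server is receiving client addresses.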