Strategies for protecting IMAP (e.g. MFA)

Benny Pedersen me at junc.eu
Mon Nov 15 03:18:23 UTC 2021


On 2021-11-14 20:26, Matthew Richardson wrote:
> On Sun, 14 Nov 2021 08:12:53 -0800, Michael Peddemors wrote:-
> 
>> And there are RBL's now for known IP(s) used by IMAP hackers, including
>> SpamRats RATS-AUTH that can assist in reducing those attacks.
> 
> Looking at https://www.spamrats.com/rats-auth.php the "Example Usage in
> Dovecot" says "PLEASE UPDATE".
> 
> How would one use a DNSBL like this in Dovecot to reject IMAP connections
> from listed IPs?

submission inet n       -       y       -       -       smtpd
       -o smtpd_tls_security_level=encrypt
       -o smtpd_sasl_auth_enable=yes
       -o smtpd_delay_reject=no
       -o { smtpd_client_restrictions = reject_rbl_client auth.spamrats.com=127.0.0.39, permit }
       -o { smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject }


open relay, don't do it

resolved version

submission inet n       -       y       -       -       smtpd
       -o smtpd_tls_security_level=encrypt
       -o smtpd_sasl_auth_enable=yes
       -o smtpd_delay_reject=no
       -o { smtpd_relay_restrictions = reject_rbl_client auth.spamrats.com=127.0.0.39, permit_mynetworks, permit_sasl_authenticated, reject }

order does matter

for dovecot use allow_nets or weakforced policy server, 3rd party, if 
dovecot is the submission it would imho be a winner

i still consider an external service as insecure help
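
The lookup that `reject_rbl_client auth.spamrats.com=127.0.0.39` performs, written out as an added example (not part of the original post and not Postfix or Dovecot code). The helper names, the injectable resolver and the sample answers are assumptions made for illustration; IPv6 uses the general DNSBL nibble convention, which the post does not discuss.

```python
import ipaddress
import socket

ZONE = "auth.spamrats.com"   # DNSBL zone named in the post
LISTED = "127.0.0.39"        # return code the post filters on


def dnsbl_name(ip, zone=ZONE):
    """Build the query name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # General DNSBL convention; whether this zone lists IPv6 is an assumption.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def is_listed(ip, resolver=system_resolver, zone=ZONE, code=LISTED):
    """True only when the zone answers with the expected return code.

    No answer, a resolver failure or a different code counts as not listed,
    so an outage of the external list never locks clients out.
    """
    return code in resolver(dnsbl_name(ip, zone))


# Constructed sample answers (documentation address ranges), not real listings.
SAMPLE_ZONE = {
    "10.2.0.192.auth.spamrats.com": ["127.0.0.39"],   # listed with the code
    "7.113.0.203.auth.spamrats.com": ["127.0.0.2"],   # answers, other code
}


def sample_resolver(name):
    """Offline stand-in for DNS, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.5"):
        print(ip, dnsbl_name(ip), is_listed(ip, sample_resolver))
```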

