On 9.12.2007, at 0.23, Peter Hessler wrote:

On 2007 Dec 09 (Sun) at 00:20:11 +0200 (+0200), Timo Sirainen wrote:
On 9.12.2007, at 0.16, Peter Hessler wrote:

There are a couple of jerks that are trying to dictionary attack my email server, and one of the vectors is pop3/imap logins. Something I would like to do in dovecot, but can't seem to find, is the ability to disconnect after a certain number of errors. The vast majority of my users (i.e. me) don't hand-type POP3 or IMAP transactions, but when we do, we know how to spell things properly.

Does dovecot have this? A simple look shows no.

It's hardcoded to src/imap-login/client.c:

#define CLIENT_MAX_BAD_COMMANDS 10


It looks like that doesn't apply to failed logins.

It doesn't, and I don't think it should. A better idea would probably be to double the delay for each failed login.

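The delay-doubling idea from the last reply, sketched as an added example that is not part of the thread and is not Dovecot's code. The per-address table, the function names `login_failed` and `login_succeeded`, the 2-second base and the 64-second cap are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BASE_DELAY_SECS 2u   /* assumed penalty after the first failure */
#define MAX_DELAY_SECS  64u  /* assumed cap, so a mistyping user is not stalled forever */
#define MAX_PEERS       64   /* small fixed table, enough for the example */

struct peer {
    char ip[46];             /* large enough for an IPv6 text address */
    unsigned int failures;
};

static struct peer peers[MAX_PEERS];

/* Find the entry for ip, or claim an empty slot; NULL when the table is full. */
static struct peer *peer_get(const char *ip)
{
    struct peer *empty = NULL;
    for (int i = 0; i < MAX_PEERS; i++) {
        if (strcmp(peers[i].ip, ip) == 0)
            return &peers[i];
        if (empty == NULL && peers[i].ip[0] == '\0')
            empty = &peers[i];
    }
    if (empty != NULL)
        snprintf(empty->ip, sizeof(empty->ip), "%s", ip);
    return empty;
}

/* Record a failed login and return the seconds to wait before replying. */
unsigned int login_failed(const char *ip)
{
    struct peer *p = peer_get(ip);
    unsigned int delay = BASE_DELAY_SECS;

    if (p == NULL)
        return MAX_DELAY_SECS;  /* table full: fall back to the longest delay */
    p->failures++;
    /* Double once per earlier failure, stopping at the cap. */
    for (unsigned int i = 1; i < p->failures && delay < MAX_DELAY_SECS; i++)
        delay *= 2;
    return delay < MAX_DELAY_SECS ? delay : MAX_DELAY_SECS;
}

/* A successful login clears the penalty for that address. */
void login_succeeded(const char *ip)
{
    struct peer *p = peer_get(ip);
    if (p != NULL)
        memset(p, 0, sizeof(*p));
}
```

With these constants, ten consecutive failures from one address cost 2+4+8+16+32+64*5 = 382 seconds of waiting, while a user who mistypes once waits 2 seconds.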