On 03/03/2015 11:03 PM, Earl Killian wrote:
> On 2015/3/2 10:03, Reindl Harald wrote:
>>
>> that is all nice
>>
>> but the main benefit of RBLs is always ignored:
>>
>> * centralized
>> * no log parsing at all
>> * honeypot data are "delivered" to any host
>> * it's cheap
>> * it's easy to maintain
>> * it doesn't need any root privileges anywhere
>>
>> we have a small honeypot network with a couple of IP ranges detecting
>> mass port-scans and so on, and this data is available *everywhere*
>>
>> so if some IP hits there it takes 60 seconds and any service
>> supporting DNS blacklists can block them *even before* the bot hits
>> the real mailserver at all
>>
> I would like to reiterate Reindl Harald's point above, since subsequent
> discussion has gotten away from it. If Dovecot had DNS RBL support
> similar to Postfix, I think quite a few people would use it, and thereby
> defeat the scanners far more effectively than any other method. It is
> good that other people are suggesting things that will work today, but
> in terms of what new feature would be the best solution, I can't think
> of one better than a DNS RBL.
Please add this support to iptables instead of Dovecot. It's a waste of effort to code it into every application that listens on the network. Combined with "--ctstate NEW" and a chain for IMAP packets, it would be no less efficient.
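As an added illustration of the iptables approach suggested above (example code, not from anyone in the thread or from the Dovecot or Postfix projects): a POSIX shell script that forms the reversed-octet DNSBL query name the way a Postfix-style RBL client does, decides whether a source address is listed, and emits a dedicated chain that catches new IMAP/IMAPS connections with `--ctstate NEW` and drops listed sources. The zone `dnsbl.example.net` and the chain name `IMAP-DNSBL` are assumed placeholders, and the resolver command is injectable so the logic can be exercised offline; the rules are printed rather than executed so the script itself needs no root.

```shell
#!/bin/sh
# Added example, not from the thread: a DNSBL lookup for an IPv4 source
# plus the iptables chain/rules for new IMAP connections. Zone and chain
# names below are assumed placeholders.

DNSBL_ZONE="${DNSBL_ZONE:-dnsbl.example.net}"   # assumed placeholder zone
CHAIN="${CHAIN:-IMAP-DNSBL}"                     # assumed chain name

# Build the query name a DNSBL expects: octets reversed, zone appended.
# 192.0.2.10 against dnsbl.example.net -> 10.2.0.192.dnsbl.example.net
# Returns 1 for anything that is not a numeric dotted quad.
dnsbl_query_name() {
    ip="$1"; zone="$2"
    case "$ip" in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    case "$1$2$3$4" in
        *[!0-9]*|"") return 1 ;;
    esac
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Default resolver: first A record for the query name, empty if none.
dig_resolver() { dig +short A "$1" 2>/dev/null | head -n1; }

# A listing is an A record in 127.0.0.0/8; NXDOMAIN (empty answer) is clean.
# $3 names the resolver function so a fake one can be used offline.
# Returns 0 = listed, 1 = not listed, 2 = malformed address.
dnsbl_listed() {
    ip="$1"; zone="$2"; resolver="${3:-dig_resolver}"
    qname=$(dnsbl_query_name "$ip" "$zone") || return 2
    answer=$("$resolver" "$qname")
    case "$answer" in
        127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-time setup: create the chain and send only NEW IMAP/IMAPS connections
# through it, so established sessions are never re-checked.
imap_chain_setup() {
    cat <<EOF
iptables -N $CHAIN
iptables -A INPUT -p tcp -m multiport --dports 143,993 -m conntrack --ctstate NEW -j $CHAIN
EOF
}

# Rule that drops one listed source inside the IMAP chain.
block_rule() {
    printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$1"
}

# Usage: check a source and print the rule to apply if it is listed.
# Example: check_and_emit 192.0.2.10
check_and_emit() {
    if dnsbl_listed "$1" "$DNSBL_ZONE"; then
        block_rule "$1"
    fi
}
```

The chain is only consulted for connections in state NEW, which is the point made above: the lookup cost is paid once per connection attempt, not per packet, and it happens before the daemon ever accepts the socket. An hourly flush of the chain keeps stale listings from accumulating.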