On 15/11/2021 11:52, Arjen de Korte wrote:
Citeren Benny Pedersen <m...@junc.eu>:
On 2021-11-14 20:26, Matthew Richardson wrote:
On Sun, 14 Nov 2021 08:12:53 -0800, Michael Peddemors wrote:-
And there are RBL's now for know IP(s) used by IMAP hackers, including
SpamRats RATS-AUTH that can assist in reducing those attacks.
Looking at https://www.spamrats.com/rats-auth.php the "Example Usage in
Dovecot" says "PLEASE UPDATE".
How would one use a DNSBL like this in Dovecot to reject IMAP
connections
from listed IPs?
submission inet n - y - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_delay_reject=no
-o { smtpd_client_restrictions = reject_rbl_client
auth.spamrats.com=127.0.0.39, permit }
-o { smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject }
This is not an answer to the question, this is Postfix syntax.
openRelay, dont do it
In what way would this create an open relay exactly? The 'permit' at the
end of the 'smtpd_client_restrictions' only means that the client is
accepted, not that other smtpd restrictions are lifted.
resolved version
submission inet n - y - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_delay_reject=no
-o { smtpd_relay_restrictions = reject_rbl_client
auth.spamrats.com=127.0.0.39, permit_mynetworks,
permit_sasl_authenticated, reject }
Although syntactically correct, it is confusing at best to put client
restrictions in another place than smtpd_client_restrictions. Especially
with 'smtpd_delay_reject=no' in effect you'd only reject after receiving
'RCPT TO', which is evaluated after 'smtpd_client_restrictions' and
'smtpd_helo_restrictions' during the SMTP transfer.
order do matter
Indeed.
Perhaps I was not clear in my last message. Have a look to this
documentation:
https://homebox.readthedocs.io/en/latest/email-access-monitoring/
I am available if you have any question to implement something similar
yourself. Extending the system to add a second factor authentication is
probably easy enough.
Kind regards,
André
--
𝓐𝓡 - André Rodier
