Hi All,
This is my first posting here, and maybe I should have found this WAY back
in January, '23, if not LONG before. I want to be but I find it difficult
here to be brief. ... Surely background will help:
A 27 or so year old Fedora / Postfix / Dovecot site I built had a major
disaster in January and I've not yet been able to fully recover because
Dovecot has let the damned spammers in again and again and again and
again! OH, sure, I got it down to a trickle, but these few Russian sites
always managed to get their spam through and I just had to shut Dovecot
down entirely. I never found out how they got in, etc. And I've STRONGLY
suspected Dovecot got cracked - at least the modern version in the
youngest version for the youngest Fedora we had back in January - uh,
Fedora Server 37 - I've forgotten the matching Dovecot version.
In the disaster, we lost /var but not /etc, so I figured recovery would be
easy and for nearly everything, it was. But NOT Dovecot (and insofar as it
matters, Postfix), and in these 5+ months I've tried so many things, I'm
sure I've forgotten most of them and I don't know that a retroactive look
is worth doing.
...I kept some notes that might be useful if anyone wants to see the
evidence of the cracking, but in short, I kept a constant watch on the
logs and when ANY relay happened that shouldn't, I'd instantly know it and
shut things off entirely. However, that became untenable as I couldn't
find the problem and had to just shut it off, pissing off users, etc, but
I've had to do things like spend a month and a half traveling, and so
forth and, well... Life goes on, as the saying goes.
---
NOW I want to try again.
It's my perception that it's a waste of time to even LOOK at the old
Dovecot configuration stuff. I feel I need to REMOVE it ALL, and I could
use some help being SURE to get it all gone. And then I think I need to do
a FULL new installation. Overkill? IDK.
I could use some advice about SAFE ways to make changes and test to ensure
we do NOT become an open mail relay EVER AGAIN.
ALSO WORTH SAYING is that if Dovecot were all that damned safe and secure
I wouldn't so easily be able to propose a new feature that would make a
HUGE difference to sites like mine: Give me a white-list of the ONLY
accounts that can relay; NOTHING ELSE can relay. ... THAT would do it! But
no! Neither in Postfix nor dovecot is there such a thing!
Combine that with a greylist type function where the usual IP addresses
for particular users were let through, and new ones delayed, THAT would be
awesome, too! And this isn't even all that hard to do - I could do it if I
didn't already have a thousand obligations in life!
And if someone tells me I'm wrong and points me at how to do these things,
I'll fall out of my damned chair! And after picking myself up, I'll find a
way to send that person some sort of gift. THIS WOULD HAVE SOLVED ALL MY
PROBLEMS. And I'm sure MANY others could use this, too!
---
THIS configuration:
I'd like to find a way to have both virtual and our existing "unix
accounts" users.
IF we had an IMAP supported password CHANGING scheme, we'd gladly run
encrypted passwords, but there isn't, and we haven't invented (finished
inventing!) our own web-way to change 'em and so we're stuck with plain
text until one of these things changes.
BTW, isn't this a HUGE and OBVIOUS hole that should have been fixed decades
ago?! If a major provider like the Dovecot.org team added a way to update
passwords to the IMAP protocol, all the rest of the folks would follow
along for sure! OR, "is that a thing" and I'm just ignorant of it?
So, again, plain-text, in cram, of course. What else? Coach me on "the
right way" if you want, but if users can't change it themselves, they'd
rather I can retrieve it for them if needed... I'm sure the corporate
world doesn't do it this way, but their code isn't open source, or am I
wrong?...
---
In closing I don't actually anticipate ANY help.
My father, an even earlier computer user than me, once observed, "you can
ask for information until you're blue in the face, and nobody will say a
thing, but post the WRONG thing and a hundred people will post to point
out you're wrong!"
GIVEN how EASY it is to have your email system become an instant open
relay at the hands of the spammers out there, how the hell Dovecot can
advertise the way it is WITHOUT a serious guide about this is just
frustrating and laughable. But I'd love to be shown where they DO help
with this!
Thanks for any and all help,
Richard
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org