On 09/06/2024 18:39, Aki Tuomi via dovecot wrote:
On 09/06/2024 16:50 EEST John Fawcett via dovecot <dovecot@dovecot.org> wrote:

The files themselves didn't make it through the list server. I'll try
with .txt


On 09/06/2024 15:42, John Fawcett via dovecot wrote:
Hi

Just in case this is useful more generally, I'm posting it to the list.

While Dovecot has an access control via allow_nets, it is a user
database field that applies only at the authentication stage to deny
access for the specific user when there is a connection attempt from
an unauthorized ip for that user.

https://doc.dovecot.org/configuration_manual/authentication/allow_nets/

I don't believe there is anything that checks access at connect time
to deny unwanted traffic prior to authentication, for example from
compromised machines, botnets etc. Though failed connection attempts
do not appear to be a significant issue, it may be better to add some
safety net for the future.

The attached patch is proof of concept code that introduces the
parameters rbl_check and rbl_check_timeout (msecs) to the protocol
section. Tested for imap, pop3 and sieve. The following is an example
for sieve.

protocol sieve {
     rbl_check = zen.spamhaus.net=127.0.0.4

     rbl_check_timeout = 5000

}

If the lookup results in a hit the client is disconnected with a BYE
"Disconnected for policy." message and the logs report:

     Jun 09 12:00:56 server.example.com dovecot[977650]:
managesieve-login: Disconnected: Policy (disconnected before auth was
ready, waited 1 secs): user=<>, service=sieve, rip=n.n.n.n, lip=n.n.n.n

The patch also makes the number of pre-login errors and post-login
errors configurable (max_login_command_errors and max_command_errors
respectively) for the pop3, imap and sieve protocols.

protocol sieve {

   max_command_errors = 1
   max_login_command_errors = 1

}

A potential extension to the logic would be "allow_nets" and
"disallow_nets" parameters or maybe something more sophisticated to
allow ips/networks that would otherwise be blocked or deny additional
ips/networks.

John

How is this different than using weakforced which already supports rbl? Or 
doing this in auth lua?

Hi Aki

I'm not that familiar with weakforced or auth lua, but I guess those intervene at the authentication stage, rather than the connection stage.

John
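The connect-time check John describes (reverse the client address, look it up under the configured DNSBL zone, treat a matching answer as a policy hit, and give up after rbl_check_timeout) can be illustrated outside Dovecot. The following is an added example written for this thread, not code from the attached patch or from Dovecot. It assumes the `rbl_check` value has the form `zone=expected_answer` as in the sieve snippet above, with a bare `zone` meaning any answer counts. The resolver is injected so the example runs offline against constructed answers; a real deployment would plug in an actual DNS lookup.

```python
"""Connect-time DNSBL (RBL) check in the spirit of the rbl_check /
rbl_check_timeout settings from the thread.  Example code, not the patch."""
import ipaddress
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from typing import Callable, List, Optional, Tuple

# A resolver takes a DNS name and returns its A-record answers as strings
# (an empty list means "not listed", i.e. NXDOMAIN).
Resolver = Callable[[str], List[str]]


def parse_rbl_check(value: str) -> Tuple[str, Optional[str]]:
    """Split 'zone=expected' into (zone, expected); a bare zone yields None."""
    zone, _, expected = value.strip().partition("=")
    if not zone:
        raise ValueError("rbl_check needs a DNSBL zone name")
    return zone, (expected or None)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed octets (v4) or nibbles (v6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 DNSBLs use the 32 hex digits of the expanded address, reversed.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")


def rbl_lookup(rip: str, rbl_check: str, timeout_ms: int,
               resolve: Resolver) -> Tuple[bool, str]:
    """Return (hit, reason).  A hit means the client should be disconnected."""
    zone, expected = parse_rbl_check(rbl_check)
    name = dnsbl_query_name(rip, zone)
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        answers = pool.submit(resolve, name).result(timeout=timeout_ms / 1000.0)
    except FutureTimeout:
        # Fail open: a slow or unreachable DNSBL must not turn into a
        # denial of service against every legitimate client.
        return False, f"{name}: lookup timed out after {timeout_ms} ms"
    except Exception as exc:  # resolver errors are also fail-open
        return False, f"{name}: lookup failed ({exc})"
    finally:
        pool.shutdown(wait=False)
    if not answers:
        return False, f"{name}: not listed"
    if expected is None or expected in answers:
        return True, f"{name}: listed ({', '.join(answers)})"
    return False, (f"{name}: listed as {', '.join(answers)}, "
                   f"but only {expected} is configured to block")


# Constructed sample answers standing in for real DNSBL responses.
# No network traffic is generated by this example.
SAMPLE_ZONE_DATA = {
    "4.3.2.1.zen.spamhaus.net": ["127.0.0.4"],  # listed with the blocked code
    "8.7.6.5.zen.spamhaus.net": ["127.0.0.2"],  # listed, but a different code
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ZONE_DATA.get(name, [])


def slow_resolver(name: str) -> List[str]:
    """Simulates a DNSBL that never answers in time."""
    time.sleep(0.5)
    return ["127.0.0.4"]


def log_line(rip: str, rbl_check: str, timeout_ms: int, resolve: Resolver) -> str:
    """Mimic the login process decision: disconnect on a hit, otherwise proceed."""
    hit, reason = rbl_lookup(rip, rbl_check, timeout_ms, resolve)
    verdict = "Disconnected: Policy" if hit else "Proceeding to auth"
    return f"{verdict} (rip={rip}; {reason})"


if __name__ == "__main__":
    cfg, tmo = "zen.spamhaus.net=127.0.0.4", 5000
    for rip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(log_line(rip, cfg, tmo, sample_resolver))
    print(log_line("1.2.3.4", cfg, 50, slow_resolver))
```

The timeout deliberately fails open, which matches how the thread treats the check as a "safety net" rather than a hard gate: a DNSBL outage should not lock every client out of IMAP. The second sample address shows why the `=127.0.0.4` suffix matters, since zones such as zen return different return codes for different sub-lists and an operator may only want to act on some of them.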

