On Mon, 5 Jan 2026, John Fawcett wrote:
On 04/01/2026 23:29, Bryan Simmons via dovecot wrote:
Log contains several messages from dovecot that are not clear to me exactly
what is occurring, single example below. These appear to be login attempts
for the same group of non existent user ids from various rip addresses.
dovecot: pop3-login: Disconnected: Connection closed (auth failed, 1
attempts in 0 secs): user=<[email protected]>, rip=0.0.0.0
To be extremely pragmatic as long as it is for non existent users, they are
never going to succeed in logging in whatever password is used. The issue
would be if they are also for existent users, since leaving these compromised
servers/devices hammering away, they may eventually guess a right password,
depending on how strong your password policies are.
The setting
auth_failure_delay = 5 secs
(or longer) may also be useful to slow intense BFDs down. It puts strong
passwords further out of reach than they already are. However, not as
useful when you're under distributed attack like when 4k+ different IPs
slammed us recently for weeks on end.
Personally I find it helpful to use the Spamhaus XBL and never accept
connection attempts from compromised ips.
I'll test this out, but I suspect I'll get a few false positives from
public WiFi users, etc. These DNSRBLs I currently use catch quite a lot
of BFD attackers:
https://www.blocklist.de/en/rbldns.html
https://spamrats.com/rats-auth.php
There's also many jumbo public networks, mostly Asian, that unless you
have users within them, it's better just to blackhole them.
Joseph Tam <[email protected]>
_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
