On 30/12/2021 19:46, Andrew C Aitchison wrote:
> On Thu, 30 Dec 2021, Nicolas JEAN via mailop wrote:
>> From my understanding and tests, the first IMAP login attempt forwarded to dovecot is the actual login to roundcube.
>
> Is the first auth request to dovecot the first login attempt to roundcube or the first *successful* login attempt to roundcube?
It's the first login attempt to roundcube, which can't decide by itself whether it's successful or not. The credentials are forwarded to dovecot, which will tell yes or no (maybe just no because the client IP is blocklisted). On my setup dovecot logs both successful and failed login attempts (I'm guessing this may depend on your config).
> Or does it depend on whether roundcube is using dovecot authentication
Yes, it definitely depends. Here I was only covering the case where roundcube always makes IMAP requests to dovecot. This is where said plugin is helpful in adding the client IP to those requests.
>> [...] scenarios of attackers [...] from many IPs (botnet)
>
> If they are using a botnet the IP addresses are much less helpful for spotting the attack.
It's much more difficult to spot, I agree. But my server is seeing about a dozen IPs making an attempt every half hour, all day long, for several days (then they probably go on trying other servers). After some time, some of the IPs come back to me and resume their shenanigans.
This is enough of a strange behaviour for me to block them automatically. :)
Nico
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
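The low-and-slow pattern described in the message above (a single IP failing once every half hour for days) stays under a typical attempts-per-minute threshold, so one way to catch it is to count how many distinct hours each IP has failed in. The sketch below is an added example, not part of the original thread or of any poster's setup; the log line shape, the names `slow_offenders` and `make_sample`, and the thresholds are assumptions, and it presumes `rip=` carries the real client IP (as with the roundcube plugin discussed in the thread).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# Assumed line shape: ISO timestamp first, then a dovecot imap-login failure
# carrying rip=<client IP>. Real timestamp format and fields depend on config.
FAILED = re.compile(r"^(\S+) .*imap-login: .*auth failed.*\brip=([0-9a-fA-F.:]+)")

def slow_offenders(lines, min_buckets=12, bucket=timedelta(hours=1)):
    """Return IPs whose failed logins fall in >= min_buckets distinct time buckets."""
    seen = defaultdict(set)
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m.group(1))
        seen[m.group(2)].add((ts - EPOCH) // bucket)
    return sorted(ip for ip, buckets in seen.items() if len(buckets) >= min_buckets)

def make_sample():
    """Constructed log: one slow prober, one user who mistypes, one normal login."""
    fail = ("{ts} mail dovecot: imap-login: Disconnected (auth failed, "
            "1 attempts in 2 secs): user=<{user}>, method=PLAIN, rip={ip}, lip=192.0.2.1")
    start = datetime(2021, 12, 28)
    # One attempt every half hour for two days from a single address.
    lines = [fail.format(ts=(start + timedelta(minutes=30 * i)).isoformat(),
                         user="info", ip="203.0.113.10") for i in range(96)]
    # Three quick typos from a legitimate user, all inside one hour.
    lines += [fail.format(ts=(start + timedelta(hours=9, seconds=20 * i)).isoformat(),
                          user="alice", ip="198.51.100.7") for i in range(3)]
    lines.append(start.replace(hour=9, minute=2).isoformat()
                 + " mail dovecot: imap-login: Login: user=<alice>, "
                   "method=PLAIN, rip=198.51.100.7, lip=192.0.2.1")
    return lines

if __name__ == "__main__":
    print(slow_offenders(make_sample()))
```

Counting distinct hours rather than raw attempts keeps a user who fumbles a password a few times in a row out of the result, while an address that returns hour after hour accumulates buckets even at one attempt per visit.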