Re: [Dovecot] Mailing list's prefix
On 3/5/2010 1:17 AM, Noel Butler wrote: > of the myriad of lists im' on and have been on for many many years, > only nanog and bind lists dont use tags. postfix doesn't, and I know you're on there (you replied to the 'copy-to-sent' thread with some helpful hints)... ;) -- Best regards, Charles
Re: [Dovecot] Limit login attempts per connection?
On 05/03/2010 04:43, Tony Nelson wrote:
> On 10-03-04 20:22:15, Frank Cusack wrote:
>> On 3/4/10 6:42 PM -0500 Tony Nelson wrote:
>>> Looking at the source, I see that there are no options. It tarpits
>>> a bit, but currently has no limit on the number of attempts. I'll
>>> see what I can do.
>>
>> I think it's a brilliant idea. After one login attempt, all others
>> on the same connection should fail.
>
> A fan! Anyway, there should at least be a choice. Not that I've coded
> a choice, just a dumb patch -- see attachment. It's a bit of a
> compromise, with a hard-coded limit of 4 attempts. Maybe I'll lower it
> to 2.

I would be all in favour of a setting like this because it's easier to configure than fail2ban...

...but... At least my public facing servers seem to be receiving trickle scans where there is definite evidence of a slow distributed bruteforcer which uses multiple IPs to try multiple usernames and I probably only see each IP a few times a day... This is quite hard to defend against without some kind of distributed system (and I believe there are such things?)

Good luck

Ed W
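The "trickle scan" Ed describes is exactly the pattern a per-IP ban threshold misses: every source stays below the threshold, and only the per-username view reveals the campaign. The following is an added example (not code from Dovecot or from anyone in this thread) that aggregates Dovecot login-failure lines both ways; it assumes the Dovecot login log format `imap-login: Disconnected (auth failed, N attempts): user=<name>, method=PLAIN, rip=<client ip>, lip=<server ip>` (syslog prefix omitted), and the sample lines are constructed from documentation address ranges.

```python
"""Aggregate Dovecot login failures to spot a slow, distributed brute force.

Added example for this thread; not code from Dovecot or from any poster.
Assumed log format (Dovecot 1.x/2.x login process), syslog prefix left out:
  imap-login: Disconnected (auth failed, N attempts): user=<name>,
  method=PLAIN, rip=<client ip>, lip=<server ip>
The sample lines below are constructed.
"""
import re
from collections import defaultdict

# Only the part Dovecot itself emits is matched, so any syslog prefix before
# "imap-login:" is irrelevant. The "attempts in N secs" form of newer versions
# is tolerated as well.
FAIL_RE = re.compile(
    r"(?:imap|pop3)-login: Disconnected \(auth failed, (?P<n>\d+) attempts"
    r"(?: in \d+ secs)?\): user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def aggregate(lines):
    """Return {user: {client_ip: failed_attempts}} built from login-failure lines."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAIL_RE.search(line)
        if m is not None:
            per_user[m["user"]][m["rip"]] += int(m["n"])
    return per_user


def noisy_sources(lines, threshold=5):
    """Client IPs whose total failures reach `threshold`: the case a per-IP
    banning tool (fail2ban and the like) already handles. Returns {ip: attempts}."""
    totals = defaultdict(int)
    for sources in aggregate(lines).values():
        for ip, n in sources.items():
            totals[ip] += n
    return {ip: n for ip, n in totals.items() if n >= threshold}


def distributed_targets(lines, min_sources=3, max_per_source=2):
    """Usernames hit from at least `min_sources` distinct IPs while no single IP
    exceeded `max_per_source` failures: each source stays under a per-IP ban
    threshold, but the per-username view shows the campaign.
    Returns {user: sorted list of source IPs}."""
    hits = {}
    for user, sources in aggregate(lines).items():
        if len(sources) >= min_sources and max(sources.values()) <= max_per_source:
            hits[user] = sorted(sources)
    return hits


# Constructed sample: 'alice' is probed once or twice from four unrelated
# addresses, 'bob' is hammered from a single address, 'carol' sees two failures
# from one address, and one successful login line is present as noise.
SAMPLE_LOG = [
    "imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1",
    "imap-login: Disconnected (auth failed, 8 attempts): user=<bob>, method=PLAIN, rip=192.0.2.5, lip=10.0.0.1",
    "imap-login: Disconnected (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.1",
    "imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.200, lip=10.0.0.1, TLS",
    "pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.1",
    "imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<carol>, method=PLAIN, rip=203.0.113.77, lip=10.0.0.1",
    "imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.8, lip=10.0.0.1",
]

if __name__ == "__main__":
    print("loud single sources:", noisy_sources(SAMPLE_LOG))
    print("distributed targets:", distributed_targets(SAMPLE_LOG))
```

Run over a day's worth of login logs, `noisy_sources` reproduces what fail2ban would ban, while `distributed_targets` lists the accounts that are being worked from many addresses a couple of attempts each; those accounts are the ones worth a forced password change or a temporary lock, since the sources themselves never cross a per-IP threshold.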
Re: [Dovecot] Mailing list's prefix
On 04/03/2010 20:59, Timo Sirainen wrote: Do you think I'd break a lot of people's filters if I removed the prefix? :) Anyone strongly for/against removing it? It seems kind of annoying to me whenever I happen to think about it. Doesn't bother me, but I have a feeling that at least some of the older M$ email clients cannot easily filter messages based on header fields, subject filters are the simplest options for them. Certainly I would say that it's currently still the status quo that mailing lists have subject prefixes, so you are slightly going against the flow. You could test the backlash by sending out a small number of warning messages without the subject prefix and see who complains... I would suggest it might be an over-bold move given that it changes the requirement to understand your filtering LDA from beginner to intermediate, but personally not fussed since my rules all filter on list headers... (Presumably all those who rate "black belt" on their relevant LDA have already got filtering rules to remove the prefix...) Good luck Ed W
Re: [Dovecot] Saving Sent Messages to Sent Folder
On 04/03/2010 15:47, Timo Sirainen wrote: On Thu, 2010-03-04 at 10:05 -0500, Charles Marcus wrote: On 2010-03-04 9:32 AM, Timo Sirainen wrote: LEMONADE group solved this with IMAP URLAUTH (RFC 4467) and SMTP BURL (RFC 4468) extensions. The idea is basically (copy&pasting from RFCs): C: RCPT TO: S: 250 2.1.5 r...@gryffindor.example.com OK. C: BURL imap://ha...@gryffindor.example.com/outbox ;uidvalidity=1078863300/;uid=25;urlauth=submit+harry :internal:91354a473744909de610943775f92038 LAST S: 250 2.5.0 Ok. So after receiving BURL command, SMTP server connects to IMAP server and fetches the message: But wouldn't this also require the MUA to support the concept of an 'Outbox'? MUA would have to support both of those URLAUTH and BURL extensions, so that it can register a temporary URL on the IMAP server, then connect to SMTP server and give that URL to BURL command (instead of sending the mail with DATA command). So from MUA's point of view it's basically the same as before: save to IMAP and after that send via SMTP. This seems like such a convolution... Given that the RFC already proposes some changes to the IMAP side then it would seem sensible to get the IMAP server to do the proxy connection to the MTA and deliver. Perhaps a simple case of adding a flag when saving into a folder would mark the message as being required to be sent onwards? I would guess the reason for the LEMONADE version is that they wanted it to be quite explicit if mail was not immediately able to be sent, rather than creating a bounce (REJECT vs BOUNCE). However, I should imagine a bit more thought about how to implement the IMAP side could allow an extension which handled submission and also gave immediate feedback in the case of obviously non-deliverable mail? The other pain in the bum about most current clients is that they: - send the email via smtp - post the message to the Sent folder - THEN they DOWNLOAD the message again from the Sent folder!! THIS is craziness! Ed W
Re: [Dovecot] Limit login attempts per connection?
On Thu, 2010-03-04 at 23:43 -0500, Tony Nelson wrote:
>> I think it's a brilliant idea. After one login attempt, all others
>> on the same connection should fail.
>
> A fan! Anyway, there should at least be a choice. Not that I've coded
> a choice, just a dumb patch -- see attachment. It's a bit of a
> compromise, with a hard-coded limit of 4 attempts. Maybe I'll lower it
> to 2.

I think I'll change v2.0 to simply disconnect 3 minutes after the client connected. With the tarpitting doubling the auth failure delay for up to 15 seconds, that allows maybe max. 15 auth attempts before being disconnected. I don't really see why that would be too much, there's not much brute forcing that can be done with 15 attempts..

(And this assumes that something externally blocks that IP by then. If you disconnect without blocking the IP, they'll just reconnect and continue so that won't help much. And banning IP for just 2-4 failed auth attempts seems a bit too early.)
Re: [Dovecot] Saving Sent Messages to Sent Folder
On Fri, 2010-03-05 at 09:59 +, Ed W wrote: > > MUA would have to support both of those URLAUTH and BURL extensions, so > > that it can register a temporary URL on the IMAP server, then connect to > > SMTP server and give that URL to BURL command (instead of sending the > > mail with DATA command). > > > > So from MUA's point of view it's basically the same as before: save to > > IMAP and after that send via SMTP. > > > > > > This seems like such a convolution... > > Given that the RFC already proposes some changes to the IMAP side then > it would seem sensible to get the IMAP server to do the proxy connection > to the MTA and deliver. Perhaps a simple case of adding a flag when > saving into a folder would mark the message as being required to be sent > onwards? Well, I'm not very happy about the idea of IMAP server sending messages to SMTP server either.. :) signature.asc Description: This is a digitally signed message part
Re: [Dovecot] Mailing list's prefix
On Fri, 2010-03-05 at 03:57 -0500, Charles Marcus wrote: > On 3/5/2010 1:17 AM, Noel Butler wrote: > > of the myriad of lists im' on and have been on for many many years, > > only nanog and bind lists dont use tags. > > postfix doesn't, and I know you're on there (you replied to the > 'copy-to-sent' thread with some helpful hints)... ;) > I have not been on the postfix list in some time, and i was only on it for a short period of time for my inquiry which went unanswered.
Re: [Dovecot] Mailing list's prefix
On 2010-03-05 5:28 AM, Noel Butler wrote: > On Fri, 2010-03-05 at 03:57 -0500, Charles Marcus wrote: >> On 3/5/2010 1:17 AM, Noel Butler wrote: >>> of the myriad of lists im' on and have been on for many many years, >>> only nanog and bind lists dont use tags. >> postfix doesn't, and I know you're on there (you replied to the >> 'copy-to-sent' thread with some helpful hints)... ;) > I have not been on the postfix list in some time, and i was only on it > for a short period of time for my inquiry which went unanswered. Oops, my bad, confused you with Noel Jones... apologies...
Re: [Dovecot] Saving Sent Messages to Sent Folder
On 2010-03-05 5:10 AM, Timo Sirainen wrote: > Well, I'm not very happy about the idea of IMAP server sending messages > to SMTP server either.. :) Not to belabor the point, but the dovecot LDA is already talking to the SMTP server in one direction... this is why I proposed something as simple as possible, a 'LSA proxy'... just enough to make sure the message is accepted for delivery, then save the copy to the Sent folder. I imagine a lot more things could be done to, especially if sieve support was available to it. Of course, I have no idea what 'as simple as possible' means in terms of code requirements, especially since - were you to do it, which you have already said you have no interest in - you would obviously want it to be rock-solid... ;) That said - could this be done in a plugin? I didn't think so, but maybe I'm wrong? -- Best regards, Charles
Re: [Dovecot] Limit login attempts per connection?
On Thu, Mar 04, 2010 at 06:43:21PM -0500, Tony Nelson wrote:
> On 10-03-04 00:51:40, to...@tuxteam.de wrote:

[...fail2ban...]

> I already have something that works with any program secure enough not
> to allow unlimited login attempts. Using fail2ban might work if I
> configure it enough to sever existing connections.

Understood. Thanks

-- tomás
Re: [Dovecot] Saving Sent Messages to Sent Folder
On 05/03/2010 10:10, Timo Sirainen wrote: On Fri, 2010-03-05 at 09:59 +, Ed W wrote: MUA would have to support both of those URLAUTH and BURL extensions, so that it can register a temporary URL on the IMAP server, then connect to SMTP server and give that URL to BURL command (instead of sending the mail with DATA command). So from MUA's point of view it's basically the same as before: save to IMAP and after that send via SMTP. This seems like such a convolution... Given that the RFC already proposes some changes to the IMAP side then it would seem sensible to get the IMAP server to do the proxy connection to the MTA and deliver. Perhaps a simple case of adding a flag when saving into a folder would mark the message as being required to be sent onwards? Well, I'm not very happy about the idea of IMAP server sending messages to SMTP server either.. :) Go on... Why's that..? Weight of history defines that we do things in certain ways and we sometimes get stuck in a bit of a rut, but if M$ has shown us one thing it's that we should (cautiously) look at how disparate systems can be integrated into a cohesive whole (granted they also showed how you can make an insecure system also, but I think that's an optional problem). Not a dig at Dovecot, but: many software projects overlook the opportunity to integrate with other systems and become larger than the individual pieces. An example in point would be that I'm sitting here battling with SNMP + Cacti + Nagios trying to get them all to talk to each other... There has to be a reason Groundworks charges so much for selling you a package where this is already done... Spinning off at a tangent, but I fell in love with (the concept of) Lotus Notes some 18 years ago. The way I saw it was a massive distributed multi-master data store + some presentation layers which could make any database look like whatever you wanted it to look like. 
I used it for: - Email inbox - Calendar - Project documentation, discussion and design - Staff holiday tracking - Recruitment workflow (track all candidate details, results of interviews, contact correspondence, etc) - Loads of inhouse custom one off projects I also used it as an SQL database (with a bit of magic) and built an application used to handle billions of £s of financing for a UK bank. The IRA blew up one of the banks offices (which kind of stopped the server working so well), all the staff simply changed their Notes tel number to that of a different office and just carried on as though nothing had happened... No data lost, work carried on I had naively assumed that IMAP servers would head down the same road... To my eye it's all just unstructured data and I really don't see what's so special about a CalDev server or an SMTP server which makes it anything other than a plugin to "an unstructured data store". If anyone starts to buy that idea then lift your vision and imagine that we start to see all these just distributed databases, specialist interfaces to query them efficiently and a bunch of protocols to distribute documents between the databases - personally I would then vote we start to shift to some kind of jabber style protocol to connect all these datastores together. Once you head down that road you can imagine perhaps an MMS style storage model where the sender hosts all the mail storage and just sends a short "SMS" note to the recipient to let them know an email is waiting for them. (possibly even has some small positive anti-spam benefit...) Anyway, back to reality... So what's the problem with a protocol extension which effectively means "take this message, connect to the server which was pre-configured and fully tested by you earlier, and give it a "MAIL FROM", "RCPT TO", "DATA" and let me know the answer"? Cheers Ed W
Re: [Dovecot] Saving Sent Messages to Sent Folder
On 2010-03-05 4:59 AM, Ed W wrote: > Perhaps a simple case of adding a flag when saving into a folder > would mark the message as being required to be sent onwards? Way to error-prone for my taste. What about the luser that accidentally drops 5000 messages in there ... no thanks... ;) > The other pain in the bum about most current clients is that they: > - send the email via smtp > - post the message to the Sent folder That is what this thread is about... > - THEN they DOWNLOAD the message again from the Sent folder!! THIS is > craziness! Yeah, but I don't see a sane way to handle that one, and the client would definitely have to have direct support for 'it', whatever it turned out to be. I'm only interested in server-side solutions and was just hoping that the LSA proxy idea might be doable and wouldn't be too hard... Wishing I was a coder (for the 12th time today already)... or had the time to learn... -- Best regards, Charles
Re: [Dovecot] Mailing list's prefix
On Fri, 2010-03-05 at 05:57 -0500, Charles Marcus wrote: > On 2010-03-05 5:28 AM, Noel Butler wrote: > > On Fri, 2010-03-05 at 03:57 -0500, Charles Marcus wrote: > >> On 3/5/2010 1:17 AM, Noel Butler wrote: > >>> of the myriad of lists im' on and have been on for many many years, > >>> only nanog and bind lists dont use tags. > > >> postfix doesn't, and I know you're on there (you replied to the > >> 'copy-to-sent' thread with some helpful hints)... ;) > > > I have not been on the postfix list in some time, and i was only on it > > for a short period of time for my inquiry which went unanswered. > > Oops, my bad, confused you with Noel Jones... apologies... hehe no problems.. i knew a Noel Jones once but i doubt its the same guy i went to school with :) wrong country and all... <>
Re: [Dovecot] Mailing list's prefix
Frank Elsner put forth on 3/4/2010 3:51 PM: > Removal gives 10 chars more for the subject. Remove it. And what ever will people do with those extra 10 characters. I've got 1744 messages in my Dovecot folder and not one has a subject line too long to fit in my MUA. I say ban all the people wasting the list's time with this absolutely stupid, irrelevant subject. ;) -- Stan
Re: [Dovecot] Limit login attempts per connection?
Ed W put forth on 3/5/2010 3:44 AM:
> ...but ... At least my public facing servers seem to be receiving
> trickle scans where there is definite evidence of a slow distributed
> bruteforcer which uses multiple IPs to try multiple usernames and I
> probably only see each IP a few times a day... This is quite hard to
> defend against without some kind of distributed system (and I believe
> there are such things?)

It's good policy these days to use ipdeny.com cidr tables and ban all countries from your servers that will never need legitimate access to them. If you're in the US, do you need to allow Chinese or Russian IP space to connect to your IMAP ports? If not, it's pretty simple to add iptables rules on all your servers to ban all the countries where a large amount of unauthorized connection attempts originate.

This usually can't be done with off the shelf firewalls from the likes of Cisco et al as they don't have enough memory. For a large server farm, it would be better to have a Linux or NetBSD box running firewall duty for the farm so you only have to load these rules once and eat cycles on only one machine.

Also keep in mind that iptables load time for huge country files can be pretty substantial. I experimented with this on an old dual 550 MHz machine and it took something like 30 seconds to load just the China cidrs into iptables. If you plan to load up multiple countries, initial iptables loading might take a while. Once you've got it set up and tuned it can work very well.

-- 
Stan
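To make the procedure Stan describes concrete, here is an added example (not from the thread, ipdeny.com or Dovecot) that reads an ipdeny.com-style file of one CIDR per line, collapses adjacent networks so fewer rules are loaded, checks a client address against the list, and emits the iptables commands that put the deny list in front of the IMAP ports. The CIDR file is constructed from RFC 5737 documentation ranges and stands in for a real country file; the chain name and port list are the example's own choices.

```python
"""Country-level deny list for IMAP ports from an ipdeny.com-style CIDR file.

Added example; not code from the thread, from ipdeny.com or from Dovecot.
The sample file is constructed from documentation ranges, the chain name
GEO-DENY and the port list are assumptions.
"""
import ipaddress


def parse_cidr_file(text):
    """Parse 'a.b.c.d/n' lines; blank lines and '#' comments are skipped.
    A malformed line raises ValueError rather than silently shrinking the list."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def collapse(nets):
    """Merge adjacent/overlapping networks: fewer rules, same coverage."""
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, nets):
    """True if `ip` falls inside any network of the deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iptables_rules(nets, ports=(143, 993), chain="GEO-DENY"):
    """iptables command lines that load the deny list into its own chain and
    jump to it for new TCP connections to the IMAP ports only, so SMTP or
    HTTP reachability is unaffected by the country ban."""
    rules = [f"iptables -N {chain}"]
    for net in nets:
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
    rules.append(f"iptables -A {chain} -j RETURN")
    dports = ",".join(str(p) for p in ports)
    rules.append(
        f"iptables -I INPUT -p tcp -m multiport --dports {dports} "
        f"-m conntrack --ctstate NEW -j {chain}"
    )
    return rules


# Constructed stand-in for a country file (documentation ranges, RFC 5737).
SAMPLE_CIDR_FILE = """\
# constructed sample, not a real country allocation
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
"""

if __name__ == "__main__":
    nets = collapse(parse_cidr_file(SAMPLE_CIDR_FILE))
    print("blocked 192.0.2.77:", is_blocked("192.0.2.77", nets))
    print("blocked 203.0.113.1:", is_blocked("203.0.113.1", nets))
    print("\n".join(iptables_rules(nets)))
```

Two practical points follow from Stan's load-time observation: collapsing the list before loading cuts the rule count with no loss of coverage, and for whole-country files the usual answer is to load the networks into an ipset `hash:net` set and match it with a single `-m set` rule, which replaces the linear walk through thousands of rules with one hash lookup. Scoping the jump to the IMAP ports keeps the ban from affecting services that must stay world-reachable.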
Re: [Dovecot] Mailing list's prefix
Timo Sirainen wrote: > Do you think I'd break a lot of people's filters if I removed the > prefix? :) Anyone strongly for/against removing it? It seems kind of > annoying to me whenever I happen to think about it. You can filter it out "for yourself", can not you? ;-) I would suggest to keep it "as it is" even if it is "annoying you a little" :-) -- [pl>en: Andrew] Andrzej Adam Filip : a...@onet.eu It's not easy, being green. -- Kermit the Frog
[Dovecot] Number of users for one Solr instance
Dear all. (I'm new to the list.) Our regional government is considering, due to our proposal, migrate from Courier to Dovecot. 70k mailboxes. One of the most attractive features for them is the usage of indexes, and especially Solr FTS plugin. Their question is: How many users (range of users) could support one Solr instance used as index and search backend? Are there any deployment examples? I think, it would be easy to split users into different Solr instances, but it's not that easy to reorganize them, as we have to reindex if one user is moved from one instance to another. Regards. Erny Yaco Sistemas
Re: [Dovecot] Saving Sent Messages to Sent Folder
On Fri, 2010-03-05 at 06:08 -0500, Charles Marcus wrote:
> Not to belabor the point, but the dovecot LDA is already talking to the
> SMTP server in one direction... this is why I proposed something as
> simple as possible, a 'LSA proxy'... just enough to make sure the
> message is accepted for delivery, then save the copy to the Sent folder.
> I imagine a lot more things could be done to, especially if sieve
> support was available to it.
>
> That said - could this be done in a plugin? I didn't think so, but maybe
> I'm wrong?

With v2.0 you can do basically everything as external plugin. Even managesieve no longer requires patching Dovecot.

LDA "talks" to SMTP server by calling sendmail binary. That's kind of ugly. v2.0 actually has SMTP client support, so maybe I should change it to use localhost:25 as default instead of using sendmail binary. Anyway, your LSA proxy would be able to use the SMTP client library. Although it would probably be easiest to start with the current LMTP code, because it already supports proxying and saving to local disk, those could be combined and the server could be added to support incoming SMTP clients..
Re: [Dovecot] Number of users for one Solr instance
Hi, This is my first mail, fyi. I dont know internals of the plugin but it depends more on Solr than Dovecot. Also the activity level and "real-timeness" of the index is important. Assuming this as the search only machine and relatively moderate usage, a big box with lots of RAM and 4-way server may work in your case. Lee
Re: [Dovecot] Saving Sent Messages to Sent Folder
On 2010-03-05 8:43 AM, Timo Sirainen wrote: > With v2.0 you can do basically everything as external plugin. Even > managesieve no longer requires patching Dovecot. > > LDA "talks" to SMTP server by calling sendmail binary. That's kind of > ugly. v2.0 actually has SMTP client support, so maybe I should change it > to use localhost:25 as default instead of using sendmail binary. Anyway, > your LSA proxy would be able to use the SMTP client library. Although it > would probably be easiest to start with the current LMTP code, because > it already supports proxying and saving to local disk, those could be > combined and the server could be added to support incoming SMTP > clients.. Excellent! Thanks for the feedback Timo... -- Best regards, Charles
Re: [Dovecot] Mailing list's prefix
On Fri, 2010-03-05 at 14:01 +0800, Patrick Nagel wrote: > On 2010-03-05 07:49, Karsten Bräckelmann wrote: > > I don't recall any, other than plain refusal to use a dedicated folder, > > rather than dumping it all into the Inbox... > > IMO, Michael M. Slusarz had a valid reason: Frankly, I disagree. I do receive legit private messages, forked off of an on-list thread. From various mailing-lists. I would not want them to be filtered into a dedicated list folder. For that reason, Subject based filtering is wrong, and the proper mailing-list headers do a perfect job here. > "[...] a common situation (at least for me) is someone who replies > directly to your message from a list instead of to the list address. > This will most likely cause that message to end up in your INBOX rather > than being filtered into the appropriate mailing list mailbox. Having It is an off-list reply. It doesn't belong in the list folder. > I'm ok with both ways, but given that there is a considerable amount of > opposition, I think Timo's decision to keep it as it is will work best. Well, I'd prefer to drop the Subject tagging. But this decision isn't my call on this list. :) If it bugs me enough, I can always drop it locally. The procmail recipe to accomplish that was the important point of my previous post. I didn't argue about the tagging itself. guenther -- char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: [Dovecot] Mailing list's prefix
On Fri, 2010-03-05 at 09:50 +, Ed W wrote: > I would suggest it might be an over-bold move given that it changes the > requirement to understand your filtering LDA from beginner to > intermediate, [...] This is an IMAP *server* list. It should be fairly safe to assume mail admins exceeded the beginner level for their tools... Should. Reality on a lot of related lists eloquently shows, this is not the case. :/ -- char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: [Dovecot] Mailing list's prefix
Quoting Timo Sirainen : Do you think I'd break a lot of people's filters if I removed the prefix? :) Anyone strongly for/against removing it? It seems kind of annoying to me whenever I happen to think about it. I personally like it, and would miss it, but it wouldn't break anything for me... I like to be able to just look at the subject listing and see what's what... If you're on a lot of lists, this is most useful... Any computer sorting/filtering I do is on non-subject headers... The subject prefix is purely for my own brain's sorting/filtering... -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns!
Re: [Dovecot] Mailing list's prefix
Eric Rostetter wrote: Quoting Timo Sirainen : Do you think I'd break a lot of people's filters if I removed the prefix? :) Anyone strongly for/against removing it? It seems kind of annoying to me whenever I happen to think about it. It wouldn't break any of my filters. Personally, I like it when a mailing list uses the [LISTNAME] prefix. I get thousands of messages per day and a bunch of list messages, and even after filtering, having that type of prefix makes it visually easier for me to get a handle on what's important and what is not. When such a prefix is missing, the message subjects when there are many messages are actually more difficult to visually process, for me, even when all of the messages within a directory are from the same list. My 2 cents. James Butler IT Director United Defense Group, LLP
Re: [Dovecot] Limit login attempts per connection?
Quoting Stan Hoeppner :

> It's good policy these days to use ipdeny.com cidr tables and ban all
> countries from your servers that will never need legitimate access to them.

It can be good policy... But not always... And it is certainly not a cure-all. If the people in those countries use a proxy, or fake/spoof the IP, or use a mobile device where the IP of their mobile device (smart phone, etc) isn't listed as being from their country, they will bypass such checks.

You can try instead to block all spaces, and then allow only from certain IP spaces (say, all US spaces, or all UK space, etc) but this leaves out many legit spaces in that country which ipdeny.com missed, and has the same types of problems as above as far as proxies, spoofing, etc. This sounds good at first, but when you think about it more it may actually be a worse approach (block too much instead of block too little, resource savings aside).

> If you're in the US, do you need to allow Chinese or Russian IP space
> to connect to your IMAP ports?

If you are in Higher Ed, the answer is almost always yes (unless you are a very small school). The use of VPN for students isn't very common, and many faculty/staff hate VPN even though it is available to them. And VPN may not run on their smart-phone, netbook, etc. Or they may want to use it from an internet-cafe, a friend's house, a foreign university they are visiting, airport wireless, etc. (Security questions arising from that aside...)

We _must_ allow access to our e-mail, web, and computation or general purpose machines from all over the world. Even if we provide VPN, HiEd is not like a normal business in that we often can NOT force the users to use the VPN access...

However, even in HiEd, we can still use ipdeny.com rules for our internal-only machines... For example, I use it on my network monitoring machines since an insecure monitoring machine can quickly lead to all the machines you monitor being insecure...

> If not, it's pretty simple to add iptables rules on all your servers to
> ban all the countries where a large amount of unauthorized connection
> attempts originate.

That can be a lot of rules... As you noted in your post, that can be a performance issue... Plus there is the cost of keeping the rules updated, etc. I'm sure there are scripts around on the net to convert the ipdeny.com files into iptables rules automatically, but there is still a cost there...

I believe there is also a "geoip" patch for iptables that will do a similar job as the ipdeny.com lists... I've not tried it though...

> Once you've got it set up and tuned it can work very well.

It can, in some cases, indeed. But not in all cases... I think you did a great service by pointing this out on the list, and that many will find this a useful tip. However, I'm not sure I agree with your opening statement that "It's good policy" since that statement is very broad, whereas policies are so site/application specific...

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
Re: [Dovecot] Mailing list's prefix
If prefix is not prefer by some, but many others still want to see the tag in subject line, what about suffix? Can it be done? just a thought Joseph On Fri, Mar 5, 2010 at 2:22 PM, James Butler wrote: > Eric Rostetter wrote: >> >> Quoting Timo Sirainen : >> >>> Do you think I'd break a lot of people's filters if I removed the >>> prefix? :) Anyone strongly for/against removing it? It seems kind of >>> annoying to me whenever I happen to think about it. > > It wouldn't break any of my filters. > > Personally, I like it when a mailing list uses the [LISTNAME] prefix. I get > thousands of messages per day and a bunch of list messages, and even after > filtering, having that type of prefix makes it visually easier for me to get > a handle on what's important and what is not. When such a prefix is missing, > the message subjects when there are many messages are actually more > difficult to visually process, for me, even when all of the messages within > a directory are from the same list. > > My 2 cents. > > James Butler > IT Director > United Defense Group, LLP > >
Re: [Dovecot] Limit login attempts per connection?
Eric Rostetter put forth on 3/5/2010 2:20 PM:
> It can, in some cases, indeed. But not in all cases...

I think I was pretty clear in stating each sysadmin needs to evaluate what countries do/don't need to access his/her IMAP ports.

> I think you did a great service by pointing this out on the list, and
> that many will find this a useful tip. However, I'm not sure I agree
> with your opening statement that "It's good policy" since that statement
> is very broad, whereas policies are so site/application specific...

Security policy needs to be very broad, does it not? It's good policy to preemptively block service access from netblocks in those parts of the world that a sysop deems will never need legitimate access to systems under his supervision. Is it not?

The key here Eric is the identification and classification process. The U.S. government, large multinationals, and some higher ed institutions will probably identify the fact that they probably can't use a default deny policy for most systems because there are users in potentially every country. For many other organizations, of all sizes, they may never have a legit user in Bhutan, China, Paraguay, or Zaire needing to access their systems. In these orgs, it makes no sense not to ban such IP space.

Good security must be proactive, not reactive. Be proactive everywhere you can. Good security practice is broad by nature, and is applicable to all sites and applications.

-- 
Stan
Re: [Dovecot] Limit login attempts per connection?
Hi,

On Fri, 05.03.2010 at 09:44:35 +, Ed W wrote:
> I would be all in favour of a setting like this because it's easier
> to configure than fail2ban...

I'm no fan of fail2ban which fails to ban several things on my server(s), and is Linux only, too. You might want to look at 'sec', which can do similar jobs together with a small script that processes the respective IP numbers.

http://www.estpak.ee/~risto/sec/

Kind regards,
--Toni++
[Dovecot] Bug in driver-mysql.c + fix
I tried to use MySQL stored procedures from dovecot:

  password_query = CALL user_pass_check('%n', '%d', '%w')
  user_query = CALL user_info('%n', '%d')

This failed with the message:

  User query failed: PROCEDURE imap.user_info can't return a result set in the given context

The root of this problem is that mysql_real_connect() needs to be called with option CLIENT_MULTI_RESULTS and mysql_next_result() called to retrieve extra results (that will not exist in the way that we use it).

I attach a patch that fixes this problem -- the patch is against dovecot-1.2.10. This works for me ... but could probably do with testing by other people.

BTW: I got the same problem with exim this morning, wrote a patch that has now been accepted. The dovecot patch is similar.

I am looking to use mysql procedures, there are some interesting things that can be done. Two suggestions that I have will help with this:

1) There be variable (say) %o - this be the obscured password, ie what password_query returns.

2) that dovecot look for either ''password_query'' as above, or ''password_check''. password_check would NOT return a password, but would be given %o and determine itself if the password is correct. It would return the other values (user, userdb_home, ...) and auth_result that would encode success/retry/fail (0, 1, 2 - or maybe more structured [**]) and auth_reason some human readable reason. The ''nologin'' value encodes some of this.

The motivation for this is that my stored procedure will record the number of successive login failures and lock the account after 3 of them. It would also be possible to do time based restrictions & the such.

Also: by passing %o the password is not sent in plain to the database server - which will increase security.

I will publish my stored procedures when done.
Regards [**] eg taking ideas from the HTTP codes: 200 - OK 300 5 - try again in 5 minutes 301 2 9 - try again on tuesday at 9am 400 - Login forbidden, no reason given 401 - bad username and/or password 402 - account locked administratively 403 - too many failed login attempts 500 - authentication system error The above would allow a native language version of auth_reason to be produced -- Alain Williams Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer. +44 (0) 787 668 0256 http://www.phcomp.co.uk/ Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php Past chairman of UKUUG: http://www.ukuug.org/ #include --- driver-mysql.c 2010-03-05 19:38:10.512212871 + +++ driver-mysql.c 2010-03-05 19:38:17.0 + @@ -132,9 +132,10 @@ } alarm(MYSQL_CONNECT_FAILURE_TIMEOUT); + /* CLIENT_MULTI_RESULTS allows the use of stored procedures */ failed = mysql_real_connect(conn->mysql, host, db->user, db->password, db->dbname, db->port, unix_socket, - db->client_flags) == NULL; + db->client_flags | CLIENT_MULTI_RESULTS) == NULL; alarm(0); if (failed) { if (conn->connect_failure_count > 0) { @@ -429,6 +430,7 @@ struct mysql_db *db = (struct mysql_db *)_db; struct mysql_connection *conn; struct mysql_result *result; + int nr; result = i_new(struct mysql_result, 1); result->api = driver_mysql_result; @@ -442,6 +444,17 @@ case 1: /* query ok */ result->result = mysql_store_result(conn->mysql); + while((nr = mysql_next_result(conn->mysql)) >= 0) { + /* more results? -1 = no, >0 = error, 0 = yes +* Because of the CLIENT_MULTI_RESULTS on mysql_real_connect() +* we need to read extra results - there should not be any. +*/ + if(nr == 0) /* Just ignore more results */ + continue; + + result->api = driver_mysql_error_result; + goto off; + } if (result->result != NULL || mysql_errno(conn->mysql) == 0) break; /* fallback */ @@ -451,6 +464,7 @@ break; } +off: result->conn = conn; return &result->api; }
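Review bot: in the third hunk, the `nr == 0` branch of the `while((nr = mysql_next_result(conn->mysql)) >= 0)` loop just does `continue` without retrieving the pending result set, but the MySQL client library requires each result set to be fetched with mysql_store_result() and released with mysql_free_result() before mysql_next_result() is called again; as written this only works when the procedure returns exactly one row-bearing result set followed by the status result, and a procedure that emits a second SELECT would fail with a commands-out-of-sync error instead of being "just ignored" as the comment says. Suggest fetching and freeing the extra result in that branch, or rejecting it explicitly. On the `result->api = driver_mysql_error_result; goto off;` path, the result set already stored into `result->result` by the preceding `mysql_store_result(conn->mysql)` is not released before jumping, so unless the error result's free path takes care of it (not shown in the hunk) it leaks.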
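As an added example (not code from the thread, and not sec itself): a small Python script of the kind Toni suggests driving from sec, run over constructed dovecot 1.x login log lines in the format that appears later in this thread; it also applies the "lock after 3 successive failures" rule Alain proposes, which is per-user rather than per-IP and so still fires when the failures are spread across many source addresses. User names and addresses in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the dovecot 1.x login-process log format shown in the thread.
SAMPLE_LOG = """\
Mar  5 16:40:55 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Mar  5 16:41:10 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.8, lip=203.0.113.2
Mar  5 16:42:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.2
Mar  5 16:42:30 mx dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.5, lip=203.0.113.2
Mar  5 16:43:00 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.5, lip=203.0.113.2
Mar  5 16:43:01 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.5, lip=203.0.113.2
Mar  5 16:43:02 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.5, lip=203.0.113.2
"""

LINE_RE = re.compile(
    r"dovecot: (?P<svc>\w+-login): "
    r"(?P<status>Login|Disconnected \(auth failed, \d+ attempts\)): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)

def parse_line(line):
    """Return the fields of a login / auth-failure line, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["failed"] = ev["status"] != "Login"
    return ev

def analyse(log_text, per_ip_limit=3, per_user_limit=3):
    """Return (ips_to_ban, users_to_lock). Per-IP counting is what a sec/fail2ban
    script does; per-user counting of successive failures (reset by a login) is the
    lockout rule proposed above and still fires when attempts come from many IPs."""
    ip_fails = defaultdict(int)
    user_streak = defaultdict(int)
    ban, lock = set(), set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["failed"]:
            ip_fails[ev["rip"]] += 1
            user_streak[ev["user"]] += 1
        else:
            user_streak[ev["user"]] = 0  # a success resets the streak
        if ip_fails[ev["rip"]] >= per_ip_limit:
            ban.add(ev["rip"])
        if user_streak[ev["user"]] >= per_user_limit:
            lock.add(ev["user"])
    return ban, lock
```

On the sample, only bob's source address crosses the per-IP threshold, while alice, whose three failures each came from a different address, is caught only by the per-user rule.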
[Dovecot] Simple authentication problem
I'm trying to configure dovecot on a SUSE system, and having trouble with the simplest possible authentication scheme: using the standard Linux users and passwords.

My configuration is:

dovecot -n
# 1.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.27.45-0.1-pae i686 openSUSE 11.1 (i586)
protocols: imap pop3
ssl_listen: *
ssl_disable: yes
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(pop3): /usr/lib/dovecot/pop3-login
mail_executable(default): /usr/lib/dovecot/imap
mail_executable(imap): /usr/lib/dovecot/imap
mail_executable(pop3): /usr/lib/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
auth default:
  default_realm: renomustangcarclub.com
  passdb:
    driver: pam
  userdb:
    driver: passwd

Attempts to log in:

99-26-248-100:~ dramsey$ telnet renomustangcarclub.com pop3
Trying 99.26.248.108...
Connected to renomustangcarclub.com.
Escape character is '^]'.
+OK Dovecot ready.
user dramsey
+OK
pass raskin
-ERR Authentication failed.

Looking in the mail log file:

Mar 5 16:40:55 Microstar dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=99.26.248.100, lip=99.26.248.108

Any ideas?
Re: [Dovecot] Simple authentication problem
On 03/06/2010 01:39 AM David Ramsey wrote:
> I'm trying to configure dovecot on a SUSE system, and having trouble with the
> simplest possible authentication scheme: using the standard Linux users and
> passwords.
>
> My configuration is:
>
> dovecot -n
> # 1.1.7: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.27.45-0.1-pae i686 openSUSE 11.1 (i586)
> protocols: imap pop3
> ssl_listen: *
> ssl_disable: yes
> disable_plaintext_auth: no
> login_dir: /var/run/dovecot/login
> login_executable(default): /usr/lib/dovecot/imap-login
> login_executable(imap): /usr/lib/dovecot/imap-login
> login_executable(pop3): /usr/lib/dovecot/pop3-login
> mail_executable(default): /usr/lib/dovecot/imap
> mail_executable(imap): /usr/lib/dovecot/imap
> mail_executable(pop3): /usr/lib/dovecot/pop3
> mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
> mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
> mail_plugin_dir(pop3): /usr/lib/dovecot/modules/pop3
> auth default:
>   default_realm: renomustangcarclub.com
>   passdb:
>     driver: pam
>   userdb:
>     driver: passwd
>
> Attempts to log in:
>
> 99-26-248-100:~ dramsey$ telnet renomustangcarclub.com pop3
> Trying 99.26.248.108...
> Connected to renomustangcarclub.com.
> Escape character is '^]'.
> +OK Dovecot ready.
> user dramsey
> +OK
> pass raskin
> -ERR Authentication failed.
>
> Looking in the mail log file:
>
> Mar 5 16:40:55 Microstar dovecot: pop3-login: Disconnected (auth failed, 1
> attempts): user=, method=PLAIN,
> rip=99.26.248.100, lip=99.26.248.108
>
> Any ideas?

grep dram...@renomustangcarclub.com /etc/passwd will produce no output.
Why do you set a default_realm?

Regards,
Pascal

-- 
The trapper recommends today: c01dcafe.1006...@localdomain.org
Re: [Dovecot] Simple authentication problem
On Mar 5, 2010, at 6:06 PM, Pascal Volk wrote:

> On 03/06/2010 01:39 AM David Ramsey wrote:
>> I'm trying to configure dovecot on a SUSE system, and having trouble with
>> the simplest possible authentication scheme: using the standard Linux users
>> and passwords.
>>
>> My configuration is:
>
> grep dram...@renomustangcarclub.com /etc/passwd will produce no output.
> Why do you set a default_realm?

I dunno. 'cause it seemed like a good idea? But getting rid of the default realm fixed the problem, thanks!