Thanks to those who pointed me in that direction, I've now got Dovecot
running on my test system. However, I've got some issues that I'm
hoping someone here can help out with. I did a bunch of googling to
find some of what I needed, but I'm not sure how to adjust things at
this point (and some stuff I couldn't find).
For anti-abuse purposes on a number of services, I use fail2ban, which
needs to read from log files. So far, so good.
I've discovered, somewhat to my dismay, that Dovecot will just sit there
and cheerfully let you keep making attempts to login - even after I had
put in 7 bad entries, it still left the connection open to keep on
trying. That really doesn't help legitimate mail programs that had a
bad password put in by mistake, but it does help scripts/bots that are
trying a brute-force attack. So for part one of my current problem, is
there an option that can be put into the config file to tell it to
disconnect after {x} bad login attempts?
Part 2 of my current problem has to do with the actual logging of the
bad login attempts. It wasn't doing it at first, but then I did find
the auth_verbose option to allow for the logging of bad attempts. I
turned that on - and to my dismay, found that the log entry it produces
is pretty much useless for something that fail2ban can hook into. If
you login successfully or log out yourself after bad attempts, it says
"imap-login" or "pop3-login" (which *would* be something that fail2ban
can use). However, with auth_verbose=yes, the bad attempts are all
prefaced with "auth-worker(default)" for either type of connection.
This is useless for fail2ban purposes, for reasons which should be
pretty obvious. :-) So - is there a way to get auth_verbose to show
which service (IMAP/POP3) is being accessed?
--Dave
Attachment:
signature.asc
Description: OpenPGP digital signature