Re: Dovecot configuration issues for IMAP/POP3 (squeeze)

To: David Guntner <davidg@akaMail.net>
Cc: Linux Debian Mailing List <debian-user@lists.debian.org>
Subject: Re: Dovecot configuration issues for IMAP/POP3 (squeeze)
From: mouss <mouss@ml.netoyen.net>
Date: Sun, 18 Nov 2012 20:46:28 +0100
Message-id: <[🔎] 50A93B14.2030302@ml.netoyen.net>
Reply-to: mouss+nobulk@netoyen.net
In-reply-to: <[🔎] 50A90010.20507@akaMail.net>
References: <[🔎] 50A90010.20507@akaMail.net>

Le 18/11/2012 16:34, David Guntner a écrit :
> Thanks to those who pointed me in that direction, I've now got
> Dovecot running on my test system.  However, I've got some issues
> that I'm hoping someone here can help out with.  I did a bunch of
> googling to find some of what I needed, but I'm not sure how to
> adjust things at this point (and some stuff I couldn't find).
> 
> For anti-abuse purposes on a number of services, I use fail2ban,
> which needs to read from log files.  So far, so good.
> 
> I've discovered, somewhat to my dismay, that Dovecot will just sit
> there and cheerfully let you keep making attempts to login - even
> after I had put in 7 bad entries, it still left the connection open
> to keep on trying.  That really doesn't help legitimate mail
> programs that had a bad password put in by mistake, but it does
> help scripts/bots that are trying a brute-force attack.  So for
> part one of my current problem, is there an option that can be put
> into the config file to tell it to disconnect after {x} bad login
> attempts?

auth_failure_delay
see http://wiki.dovecot.org/MainConfig
http://www.dovecot.org/list/dovecot/2009-November/044262.html

the value is doubled after every bad attempt (from a given IP), until
a limit is reached (15 seconds).


> 
> Part 2 of my current problem has to do with the actual logging of
> the bad login attempts.  It wasn't doing it at first, but then I
> did find the auth_verbose option to allow for the logging of bad
> attempts.  I turned that on - and to my dismay, found that the log
> entry it produces is pretty much useless for something that
> fail2ban can hook into.  If you login successfully or log  out
> yourself after bad attempts, it says "imap-login" or "pop3-login"
> (which *would* be something that fail2ban can use).  However, with
> auth_verbose=yes, the bad attempts are all prefaced with
> "auth-worker(default)" for either type of connection. This is
> useless for fail2ban purposes, for reasons which should be pretty
> obvious. :-)  So - is there a way to get auth_verbose to show which
> service (IMAP/POP3) is being accessed?

why care? why not consider that {pop3+imap} is a single service group?
after all, they're using the same logins/passwords, no?

Reply to:

References:
- Dovecot configuration issues for IMAP/POP3 (squeeze)
  - From: David Guntner <davidg@akaMail.net>

Prev by Date: Re: Thunar, USB-sticks and big files
Next by Date: Re: SD card formatting problem
Previous by thread: Dovecot configuration issues for IMAP/POP3 (squeeze)
Next by thread: Re: Dovecot configuration issues for IMAP/POP3 (squeeze)
Index(es):
- Date
- Thread