Martin Kraus wrote:
> Hi,
> I've been trying to figure out how to limit login attempts for cyrus
> pop/imap daemons. I'm trying to prevent brute-force password guessing. I'm
> using cyrus sasl with the /etc/sasldb2 user database, which also authenticates
> postfix users. I'd like to solve this problem through sasl so I won't have to
> figure the same for postfix or keep different passwords for mailboxes and
> smtp. Is there any mechanism to do this through sasl or do I have to try doing
> it through a firewall?
>
> I'm running a debian etch system. If imap and pop do not allow multiple login
> attempts within a single session, I could try to work around this problem
> using iptables with the recent module, but it's like scratching your left ear
> with your right hand around the back of your head.

Hi Martin,

A couple of ideas come to mind.

You could force the use of the 'NODICT' security flag, or force the use of mechanisms which support it. See:

http://www.sendmail.org/~ca/email/cyrus2/mechanisms.html

Using those mechanisms would probably require a change in the way your users authenticate.

Another idea, and this isn't really an approach that will work today, is to use the ldapdb auxprop plugin to store your passwords, and make use of the openldap ppolicy module to enforce password policy. This doesn't really work, because openldap ppolicy does not (yet) enforce password policy when sasl bind (which ldapdb uses) is in use. It only supports simple bind. I haven't actually looked at OpenLDAP 2.4.x yet to see if it's supported. A modification to the ldapdb plugin could probably be made to perform a simple bind just after the step where it retrieves the userPassword attribute.

- Dan

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
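The iptables "recent" workaround Martin mentions, spelled out as an added example. This is not code from either poster or from the Cyrus or SASL projects; the chain name MAIL_BRUTE, the recent-list name mailauth and the thresholds (5 new connections per source IP per 60 seconds) are assumptions chosen for illustration. It limits new TCP connections per source address only, which is exactly why it is a blunt tool: several login attempts inside one already-open IMAP or POP session are invisible to it.

```shell
#!/bin/sh
# Added example (not from the thread): per-source-IP rate limit on new
# connections to the Cyrus pop/imap ports using the iptables "recent" module.
# Assumed names: chain MAIL_BRUTE, recent list "mailauth"; thresholds are
# illustrative. Counts NEW connections only, not login attempts in a session.
# The list is shared by all ports given, so pop and imap attempts add up.

# Emit (not run) the rules for one port: $1 = port, $2 = hits, $3 = seconds.
# Rule 1 records every new connection from the source in list "mailauth".
# Rule 2 drops it if that source now has >= $2 entries in the last $3 s.
# Rule 3 accepts whatever is left.
mail_ratelimit_rules() {
    port=$1; hits=${2:-5}; secs=${3:-60}
    # The recent module keeps at most ip_pkt_list_tot (default 20) timestamps
    # per address, so a higher --hitcount never matches unless the module is
    # loaded with a larger ip_pkt_list_tot. Refuse to emit a silent no-op.
    if [ "$hits" -gt 20 ]; then
        echo "hitcount $hits exceeds the recent module default of 20" >&2
        return 1
    fi
    printf '%s\n' \
      "iptables -A MAIL_BRUTE -p tcp --dport $port -m state --state NEW -m recent --name mailauth --set" \
      "iptables -A MAIL_BRUTE -p tcp --dport $port -m state --state NEW -m recent --name mailauth --update --seconds $secs --hitcount $hits -j DROP" \
      "iptables -A MAIL_BRUTE -p tcp --dport $port -j ACCEPT"
}

# Emit the complete rule script: $1 = hits, $2 = seconds, remaining = ports.
# Creates/flushes the chain, fills it, then diverts the listed ports into it.
# (-N fails harmlessly on a re-run because the chain already exists.)
mail_ratelimit_script() {
    hits=$1; secs=$2; shift 2
    printf '%s\n' "iptables -N MAIL_BRUTE" "iptables -F MAIL_BRUTE"
    for p in "$@"; do
        mail_ratelimit_rules "$p" "$hits" "$secs"
    done
    ports=$(IFS=,; printf '%s' "$*")
    printf '%s\n' "iptables -I INPUT -p tcp -m multiport --dports $ports -j MAIL_BRUTE"
}

# Review the output first; to apply as root, pipe it into sh:
#   MAIL_RATELIMIT_DEMO=1 sh this_script.sh | sh
if [ -n "${MAIL_RATELIMIT_DEMO:-}" ]; then
    mail_ratelimit_script 5 60 110 143 993 995
fi
```

Because the rules are emitted rather than executed, they can be inspected and dropped into an existing firewall script. Inspect the live counters with `iptables -L MAIL_BRUTE -v -n` and the tracked addresses in /proc/net/ipt_recent/mailauth (older kernels) or /proc/net/xt_recent/mailauth.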