On Nov 21, 2007 2:27 PM, Martin Kraus <lists_mk@xxxxxxxxxxx> wrote:
> Hi,
> I've been trying to figure out, how to limit login attempts for cyrus
> pop/imap daemons. I'm trying to prevent brute-force password guessing.

You can try to use nginx as a proxy for the imap, pop and smtp protocols
(and HTTP of course).
The goal is to have the same frontend for multiple pop/imap servers and
redirect any connection to the good one depending on the username.
You need to provide a small application that, depending on the username,
will give the address of the server where the imap/pop account is stored.
Some perl and php samples are on the nginx wiki.

Here is a simple one I wrote in python:

#!/usr/bin/env python
# Python 2: minimal auth_http backend for the nginx mail proxy

import sys, BaseHTTPServer

class NginxAuth(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_GET(self):
        # Debug output; note that self.headers includes the Auth-Pass value
        print 'GET', self.client_address, self.path, self.headers
        user=self.headers["Auth-User"]
        password=self.headers["Auth-Pass"]
        protocol=self.headers["Auth-Protocol"]
        # Always answer OK and point nginx at the single local IMAP server
        self.send_response(200, 'OK')
        self.send_header('Auth-Status', 'OK')
        self.send_header('Auth-Server', '127.0.0.1')
        self.send_header('Auth-Port', '143')
        self.end_headers()

server=BaseHTTPServer.HTTPServer(('127.0.0.1',8081), NginxAuth)
server.serve_forever()

Here I redirect all connections to my unique server 127.0.0.1 without
doing any check on the user/password (Auth-Status='OK').
If the password was wrong, then the imap server will reject the
connection anyway.
But you can keep a log of all connections with a timestamp and reject
the connection if the password is changing too often in a small amount
of time.

Don't forget to share your experiences if you get some success.

> I'm
> using cyrus sasl with /etc/sasldb2 user database, which also authenticates
> postfix users. I'd like to solve this problem through sasl so I won't have to
> figure the same for postfix or keep different passwords for mailboxes and
> smtp. Is there any mechanism to do this through sasl or do I have to try doing
> it through a firewall?
>
> I'm running debian etch system. If imap and pop do not allow multiple login
> attempts within a single session, I could try to work around this problem
> using iptables with the recent module but it's like scratching your left ear
> with your right hand around the back of your head.
>
> thanks for any pointers
> Martin Kraus
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>

--
Alain Spineux
aspineux gmail com
May the sources be with you
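
The check suggested in the reply above (remember attempts with a timestamp and reject when the password changes too often), written out as an added example that is not part of the original message or of nginx. It is a Python 3 variant of the posted handler; GuessLimiter, auth_response, WINDOW and MAX_DISTINCT are hypothetical names with assumed values, and it relies on the Client-IP request header and Auth-Wait response header of nginx's mail auth_http protocol, which the post does not show.

```python
import hashlib, hmac, os, time
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

WINDOW = 300                     # seconds an attempted password is remembered (assumed)
MAX_DISTINCT = 3                 # different passwords tolerated inside WINDOW (assumed)
BACKEND = ("127.0.0.1", "143")   # same single backend as in the post
_KEY = os.urandom(32)            # per-process key: only MACs of passwords are kept

class GuessLimiter:
    """Counts the distinct passwords tried per (user, client IP) in a time window."""
    def __init__(self, window=WINDOW, max_distinct=MAX_DISTINCT):
        self.window, self.max_distinct = window, max_distinct
        self.seen = defaultdict(dict)   # (user, ip) -> {password MAC: last seen}

    def allow(self, user, client_ip, password, now=None):
        now = time.time() if now is None else now
        tag = hmac.new(_KEY, password.encode(), hashlib.sha256).digest()
        tags = self.seen[(user.lower(), client_ip)]
        for old in [t for t, ts in tags.items() if now - ts > self.window]:
            del tags[old]                # forget passwords outside the window
        if tag not in tags and len(tags) >= self.max_distinct:
            return False                 # yet another new password: budget used up
        tags[tag] = now                  # a repeated password only refreshes its time
        return True

def auth_response(headers, limiter, now=None):
    """Build the auth_http reply headers for one nginx request."""
    ok = limiter.allow(headers.get("Auth-User", ""), headers.get("Client-IP", ""),
                       headers.get("Auth-Pass", ""), now)
    if not ok:
        return {"Auth-Status": "Too many login attempts", "Auth-Wait": "3"}
    return {"Auth-Status": "OK", "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}

LIMITER = GuessLimiter()

class NginxAuth(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200, "OK")
        for name, value in auth_response(self.headers, LIMITER).items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, fmt, *args):   # suppress the default per-request log line
        pass

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), NginxAuth).serve_forever()
```

A mail client that keeps polling with one unchanged password never uses more than one slot, so only a client that cycles through passwords is refused.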