Re: cyrus pop3 question

-------- Original Message  --------
Subject: Re: cyrus pop3 question
From: Jorey Bump <list@xxxxxxxxxxxxx>
To: Corey <corey_s@xxxxxxxxx>
Date: Wednesday, April 16, 2008 4:18:58 PM
Corey wrote, at 04/16/2008 04:29 PM:
  
I just had an experience where my server was getting slammed with thousands
of concurrent pop3 requests. This went on for over an hour before it finally
ceased, at which point I was able to start cyrus again.

Anyhow, what are some mechanisms to prevent this in the future?
    

I've managed to stop such brute force password attacks by requiring 
encryption for all connections in imapd.conf:

sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
allowplaintext: no
sasl_minimum_layer: 128

Your environment may be different and require some tweaking. Test 
thoroughly after making the changes. So far, I've only seen plaintext 
brute force attacks against POP3, so maybe it's a limitation of current 
malware. Nearly all modern clients can deal with this restriction, and 
it's good best practice.
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
  
You can rate limit new connections using iptables... http://www.debian-administration.org/articles/187

I imagine most normal connections are persistent with POP. Some IMAP clients may not be so nice; notably, SquirrelMail creates and tears down an IMAP connection for every user click.
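
The iptables rate limiting suggested in the reply above, sketched as an added example that is not part of the original thread. The chain name POP3_LIMIT, the list name pop3, ports 110 and 995, and the 60 second / 10 connection threshold are assumptions to adjust for your own clients.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables rules that throttle
# NEW TCP connections to POP3 per source address using the "recent" match.
# Nothing is applied here; review the output, then pipe it to `sh` as root.
# Assumed values: ports 110,995, a 60 s window, 10 connections per window.

pop3_ratelimit_rules() {
    window=${1:-60}
    hits=${2:-10}
    ports=${3:-110,995}

    # Only plain integers may reach the generated commands.
    for n in "$window" "$hits"; do
        case "$n" in
            ''|*[!0-9]*) echo "window and hits must be integers" >&2; return 1 ;;
        esac
    done
    [ "$window" -ge 1 ] || { echo "window must be >= 1" >&2; return 1; }
    # xt_recent remembers 20 packets per address by default
    # (ip_pkt_list_tot); a larger --hitcount is rejected by the kernel.
    if [ "$hits" -lt 1 ] || [ "$hits" -gt 20 ]; then
        echo "hits must be between 1 and 20" >&2; return 1
    fi
    # Ports: digits and commas only (a multiport list).
    case "$ports" in
        ''|*[!0-9,]*) echo "ports must be a comma-separated list" >&2; return 1 ;;
    esac

    # Rule order inside the chain:
    #   1. a source already seen $hits times within $window seconds is
    #      dropped; --update refreshes its timestamp, so a client that
    #      keeps hammering stays blocked until it goes quiet.
    #   2. otherwise the source is recorded and the connection accepted.
    # The last line sends only NEW connections to the POP3 ports through
    # the chain, so established sessions are never counted.
    cat <<EOF
iptables -N POP3_LIMIT
iptables -A POP3_LIMIT -m recent --name pop3 --update --seconds $window --hitcount $hits -j DROP
iptables -A POP3_LIMIT -m recent --name pop3 --set -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j POP3_LIMIT
EOF
}

pop3_ratelimit_rules "$@"
```

Sites where many users share one public address (NAT, webmail front ends) need a higher threshold or an exemption rule ahead of the jump to POP3_LIMIT.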
