Security risk of POP3 & IMAP protocols

Jorey Bump list at joreybump.com
Fri Feb 13 10:41:10 EST 2009


Alain Williams wrote, at 02/13/2009 10:30 AM:
> On Fri, Feb 13, 2009 at 03:21:06PM +0000, Ian Eiloart wrote:
>>
>> --On 13 February 2009 14:35:43 +0000 Alain Williams <addw at phcomp.co.uk> 
>> wrote:
>>
>>> That got me thinking ....
>>> I rate limit ssh connections to try to prevent dictionary attacks (3
>>> attempts/3 minutes/IP address). If I were to do the same with IMAP would
>>> that cause problems with some clients, i.e. are there some clients that do
>>> too many connect/disconnects?
>> Yes. Anything that opens a bunch of mailboxes at the same time might be 
>> doing way more than that. You should be measuring "failed attempts", not 
>> "attempts".
> 
> Yes, but I do the rate limiting with iptables (Linux firewall).
> I don't know how to feed back failed attempts to iptables.

I have yet to encounter an automated brute force attack that negotiates
STARTTLS, SSL or any of the more secure SASL mechanisms. In time, this
will probably change, but you will get more bang for your buck now if
you enforce encrypted connections. You can still run an unencrypted port
on localhost (or restrict access another way) if you need it for webmail.
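Ian's point is that the thing to rate limit is failed authentications rather than connections, and Alain's difficulty is that iptables alone cannot see them. As an added example that is not from anyone in this thread, the Python below reads Cyrus-style "badlogin:" syslog lines (the exact line layout is an assumption, and the sample lines are constructed) and applies Alain's 3 failures / 3 minutes / IP rule as a sliding window, producing the list of addresses a fail2ban-style log watcher would hand to iptables, while a client that merely opens several connections in a row is left alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed Cyrus-imapd-like syslog layout
# (compare with your own imapd log). 192.0.2.10 fails four times in two and a
# half minutes; 198.51.100.7 is a legitimate client opening several
# connections in quick succession; 203.0.113.5 fails once.
SAMPLE_LOG = """\
Feb 13 10:30:01 mail imap[1201]: badlogin: h10.example [192.0.2.10] plaintext bob SASL(-13): authentication failure
Feb 13 10:30:15 mail imap[1203]: badlogin: h10.example [192.0.2.10] plaintext alice SASL(-13): authentication failure
Feb 13 10:30:20 mail imap[1204]: login: pc7.example [198.51.100.7] carol plaintext User logged in
Feb 13 10:30:21 mail imap[1205]: login: pc7.example [198.51.100.7] carol plaintext User logged in
Feb 13 10:30:22 mail imap[1206]: login: pc7.example [198.51.100.7] carol plaintext User logged in
Feb 13 10:31:02 mail imap[1210]: badlogin: h10.example [192.0.2.10] plaintext root SASL(-13): authentication failure
Feb 13 10:32:30 mail imap[1220]: badlogin: h10.example [192.0.2.10] plaintext admin SASL(-13): authentication failure
Feb 13 10:40:00 mail imap[1230]: badlogin: h5.example [203.0.113.5] plaintext dave SASL(-13): authentication failure
"""

# Only "badlogin:" lines count; successful "login:" lines are ignored on purpose.
BADLOGIN = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ imap\[\d+\]: badlogin: \S+ \[([\d.]+)\]")

def failed_logins(log_text, year=2009):
    """Return [(timestamp, ip)] for every failed IMAP authentication, in log order."""
    out = []
    for line in log_text.splitlines():
        m = BADLOGIN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2)))
    return out

def offenders(log_text, limit=3, window=timedelta(minutes=3)):
    """Map each IP that exceeds `limit` failures inside a sliding `window` to the
    time the threshold was first crossed (when a blocker would add the iptables rule)."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip}: exceeded 3 failed logins in 3 minutes at {when:%H:%M:%S}")
```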

More information about the Info-cyrus mailing list