how to limit pop/imap login password attempts

Dan White dwhite at olp.net
Wed Nov 21 09:49:00 EST 2007


Martin Kraus wrote:
> Hi,
>   I've been trying to figure out, how to limit login attempts for cyrus
> pop/imap daemons. I'm trying to prevent brute-force password guessing. I'm
> using cyrus sasl with /etc/sasldb2 user database, which also authenticates
> postfix users. I'd like to solve this problem through sasl so I won't have to
> figure the same for postfix or keep different passwords for mailboxes and
> smtp. Is there any mechanism to do this through sasl or do I have to try doing
> it through a firewall? 
> 
> I'm running debian etch system. If imap and pop do not allow multiple login
> attempts within a single session, I could try to work around this problem
> using iptables with the recent module but it's like scratching your left ear
> with your right hand around the back of your head.

Hi Martin,

A couple of ideas come to mind. You could force the use of the 
'NODICT' security flag, or force the use of mechanisms which 
support it. See:

http://www.sendmail.org/~ca/email/cyrus2/mechanisms.html

Using those mechanisms would probably require a change in the way 
your users authenticate.

Another idea, and this isn't really an approach that will work 
today, is to use the ldapdb auxprop plugin to store your 
passwords, and make use of the openldap ppolicy module to enforce 
password policy.

This doesn't really work, because openldap ppolicy does not (yet) 
enforce password policy when sasl bind (which ldapdb uses) is in 
use. It only supports simple bind. I haven't actually looked at 
OpenLDAP 2.4.x yet to see if it's supported.

A modification to the ldapdb plugin could probably be made to 
perform a simple bind just after the step where it retrieves the 
userPassword attribute.

- Dan
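Both the question and the reply leave the firewall route as the fallback when SASL itself cannot rate-limit. The following is an added example, not part of the original post and not Cyrus or Cyrus SASL project code, of the detection half of that route: a sliding-window count of Cyrus "badlogin:" syslog lines per source address, rendered as iptables DROP rules for the POP/IMAP ports. The sample log lines are constructed for illustration; the exact "badlogin:" line layout, the threshold of 5 failures in 300 seconds, and the port list are assumptions chosen here rather than values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog lines as written by Cyrus imapd/pop3d for a failed authentication.
# The layout (host, "[ip]", mechanism, user) is an assumption modelled on
# typical plaintext LOGIN/PLAIN failures; it is not taken from the original post.
BADLOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<svc>imaps?|pop3s?)\[\d+\]: badlogin: (?:\S+ )?\[(?P<ip>[^\]]+)\] "
    r"(?P<mech>\S+) (?P<user>\S+) "
)

# Constructed sample: one address guessing several accounts quickly, one
# legitimate user mistyping a password a few times over a quarter hour.
SAMPLE_LOG = """\
Nov 21 09:40:01 mail imap[1234]: badlogin: evil.example [192.0.2.10] plaintext alice SASL(-13): authentication failure: checkpass failed
Nov 21 09:40:05 mail imap[1235]: badlogin: evil.example [192.0.2.10] plaintext alice SASL(-13): authentication failure: checkpass failed
Nov 21 09:40:09 mail pop3[1236]: badlogin: evil.example [192.0.2.10] plaintext bob SASL(-13): authentication failure: checkpass failed
Nov 21 09:40:14 mail imap[1237]: badlogin: evil.example [192.0.2.10] plaintext bob SASL(-13): authentication failure: checkpass failed
Nov 21 09:40:20 mail imap[1238]: badlogin: evil.example [192.0.2.10] plaintext carol SASL(-13): authentication failure: checkpass failed
Nov 21 09:41:02 mail imap[1240]: login: laptop.example [198.51.100.7] alice plaintext User logged in
Nov 21 09:41:30 mail imap[1241]: badlogin: laptop.example [198.51.100.7] plaintext alice SASL(-13): authentication failure: checkpass failed
Nov 21 09:42:00 mail imap[1242]: badlogin: evil.example [192.0.2.10] plaintext bob SASL(-13): authentication failure: checkpass failed
Nov 21 09:47:10 mail imap[1250]: badlogin: laptop.example [198.51.100.7] plaintext alice SASL(-13): authentication failure: checkpass failed
Nov 21 09:55:45 mail pop3[1260]: badlogin: laptop.example [198.51.100.7] plaintext alice SASL(-13): authentication failure: checkpass failed
"""


def _parse_ts(text):
    # Syslog timestamps carry no year; strptime yields year 1900, which is
    # fine for comparing intervals inside a single log file.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_offenders(log_text, threshold=5, window_seconds=300):
    """Return {ip: info} for every source address that produced `threshold`
    or more bad logins inside some `window_seconds` span."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    failures = defaultdict(int)   # ip -> total failures seen
    users = defaultdict(set)      # ip -> account names tried
    offenders = {}
    for line in log_text.splitlines():
        m = BADLOGIN_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines
        ip, ts = m["ip"], _parse_ts(m["ts"])
        failures[ip] += 1
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = {"triggered_at": m["ts"]}
    for ip in offenders:
        offenders[ip]["failures"] = failures[ip]
        offenders[ip]["users"] = sorted(users[ip])
    return offenders


def iptables_rules(offenders, ports=(110, 143, 993, 995)):
    """Render one DROP rule per offending address for the mail ports."""
    dports = ",".join(str(p) for p in ports)
    return [
        f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {dports} -j DROP"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for ip, info in found.items():
        print(ip, info)
    for rule in iptables_rules(found):
        print(rule)
```

The window is keyed on source address only, so a distributed guess spread over many addresses will not trip it; counting distinct usernames per address (the `users` field) is what separates a spraying attempt from one user who forgot a password. Rules emitted this way also need an expiry, which is the part the iptables `recent` module handles on its own.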

