how to limit pop/imap login password attempts
Dan White
dwhite at olp.net
Wed Nov 21 09:49:00 EST 2007
Martin Kraus wrote:
> Hi,
> I've been trying to figure out, how to limit login attempts for cyrus
> pop/imap daemons. I'm trying to prevent brute-force password guessing. I'm
> using cyrus sasl with /etc/sasldb2 user database, which also authenticates
> postfix users. I'd like to solve this problem through sasl so I won't have to
> figure the same for postfix or keep different passwords for mailboxes and
> smtp. Is there any mechanism to do this through sasl or do I have to try doing
> it through a firewall?
>
> I'm running debian etch system. If imap and pop do not allow multiple login
> attempts within a single session, I could try to work around this problem
> using iptables with the recent module but it's like scratching your left ear
> with your right hand around the back of your head.
Hi Martin,
A couple of ideas come to mind. You could force the use of the
'NODICT' security flag, or force the use of mechanism which
support it. see:
http://www.sendmail.org/~ca/email/cyrus2/mechanisms.html
Using those mechanisms would probably require a change in the way
your users authenticate.
Another idea, and this isn't really an approach that will work
today, is to use the ldapdb auxprop plugin to store your
passwords, and make use of the openldap ppolicy module to enforce
password policy.
This doesn't really work, because openldap ppolicy does not (yet)
enforce password policy when sasl bind (which ldapdb uses) is in
use. It only support simple bind. I haven't actually looked at
OpenLDAP 2.4.x yet to see if it's supported.
A modification to the ldapdb plugin could probably be made to
perform a simple bind just after the step where it retrieves the
userPassword attribute.
- Dan
More information about the Info-cyrus
mailing list