how to limit pop/imap login password attempts

Alain Spineux aspineux at gmail.com
Wed Nov 21 19:17:48 EST 2007


On Nov 21, 2007 2:27 PM, Martin Kraus <lists_mk at wujiman.net> wrote:
> Hi,
>   I've been trying to figure out how to limit login attempts for cyrus
> pop/imap daemons. I'm trying to prevent brute-force password guessing.

You can try to use nginx as a proxy for the imap, pop and smtp protocols
(and HTTP of course).
The goal is to have the same frontend for multiple pop/imap servers and
redirect any connection to the right one depending on the username.

You need to provide a small application that, depending on the username,
will give the address of the server where the imap/pop account is stored.
Some perl and php samples are on the nginx wiki.

Here is a simple one I wrote in python

#!/usr/bin/env python3

from http.server import BaseHTTPRequestHandler, HTTPServer

class NginxAuth(BaseHTTPRequestHandler):
    # nginx sends one GET per client login; the reply tells it
    # where to proxy the connection (Auth-Server / Auth-Port).
    def do_GET(self):
        print('GET', self.client_address, self.path, self.headers)

        # headers set by the nginx mail auth protocol
        user = self.headers["Auth-User"]
        password = self.headers["Auth-Pass"]
        protocol = self.headers["Auth-Protocol"]   # imap, pop3 or smtp

        # accept everything and point nginx at the single backend
        self.send_response(200, 'OK')
        self.send_header('Auth-Status', 'OK')
        self.send_header('Auth-Server', '127.0.0.1')
        self.send_header('Auth-Port', '143')
        self.end_headers()

server = HTTPServer(('127.0.0.1', 8081), NginxAuth)
server.serve_forever()

Here I redirect all connections to my unique server 127.0.0.1 without
doing any check on the user/password (Auth-Status='OK').
If the password was wrong, then the imap server will reject the
connection anyway.
But you can keep a log of all connections with a timestamp and reject
the connection if the password is changing too often in a small amount
of time.
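The idea sketched above (keep a timestamped record per user and refuse the login when too many different passwords show up in a short window), worked through as an added example that is not part of the original post. It is a Python 3 auth backend for the nginx mail proxy; the backend address 127.0.0.1:143, the window of 300 seconds, the limit of 5 distinct passwords and the 60 second Auth-Wait penalty are assumed values, not anything from the message. Passwords are never stored: only a keyed HMAC of each one is kept, which is enough to tell "same password retried" from "a new guess".

```python
#!/usr/bin/env python3
"""Added example: nginx auth_http backend that rate-limits password guessing."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKEND_HOST = "127.0.0.1"      # assumed: the single imap/pop backend
BACKEND_PORT = "143"            # assumed: its imap port
WINDOW_SECONDS = 300            # assumed: sliding window length
MAX_DISTINCT_PASSWORDS = 5      # assumed: distinct guesses tolerated per user
PENALTY_SECONDS = 60            # assumed: Auth-Wait value returned on reject


class GuessTracker:
    """Per-user sliding window of (timestamp, keyed password digest)."""

    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_PASSWORDS):
        self.window = window
        self.max_distinct = max_distinct
        self._key = secrets.token_bytes(32)        # per-process HMAC key
        self._seen = defaultdict(deque)            # user -> deque[(ts, digest)]

    def _digest(self, password):
        # keyed hash: equal passwords map to equal digests, nothing is
        # recoverable from the digest without the in-memory key
        return hmac.new(self._key, password.encode(), hashlib.sha256).hexdigest()

    def _prune(self, user, now):
        q = self._seen[user]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def record(self, user, password, now=None):
        """Log one attempt; return True if it may proceed, False if limited."""
        now = time.time() if now is None else now
        self._prune(user, now)
        q = self._seen[user]
        q.append((now, self._digest(password)))
        distinct = len({digest for _, digest in q})
        return distinct <= self.max_distinct


def auth_headers(tracker, user, password, now=None):
    """Return the reply headers for nginx as a list of (name, value) tuples."""
    if tracker.record(user, password, now):
        return [("Auth-Status", "OK"),
                ("Auth-Server", BACKEND_HOST),
                ("Auth-Port", BACKEND_PORT)]
    # any non-"OK" status makes nginx fail the login; Auth-Wait tells it
    # how many seconds to hold the client before it may try again
    return [("Auth-Status", "Temporary server problem, try again later"),
            ("Auth-Wait", str(PENALTY_SECONDS))]


TRACKER = GuessTracker()


class NginxAuth(BaseHTTPRequestHandler):
    def do_GET(self):
        user = self.headers.get("Auth-User", "")
        password = self.headers.get("Auth-Pass", "")
        client_ip = self.headers.get("Client-IP", "?")
        headers = auth_headers(TRACKER, user, password)
        if headers[0][1] != "OK":
            self.log_message("rate-limited user=%r from %s", user, client_ip)
        self.send_response(200)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), NginxAuth).serve_forever()
```

Point nginx at it with `auth_http 127.0.0.1:8081/;` inside the mail block. Because the proxy never sees whether a password was correct, the check counts distinct passwords rather than failures: a user retrying the same wrong password costs nothing, while a guesser cycling through a wordlist hits the limit after MAX_DISTINCT_PASSWORDS tries and is held for PENALTY_SECONDS per attempt after that.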


Don't forget to share your experiences if you get some success.

> I'm
> using cyrus sasl with /etc/sasldb2 user database, which also authenticates
> postfix users. I'd like to solve this problem through sasl so I won't have to
> figure the same for postfix or keep different passwords for mailboxes and
> smtp. Is there any mechanism to do this through sasl or do I have to try doing
> it through a firewall?
>
> I'm running debian etch system. If imap and pop do not allow multiple login
> attempts within a single session, I could try to work around this problem
> using iptables with the recent module but it's like scratching your left ear
> with your right hand around the back of your head.
>
> thanks for any pointers
> Martin Kraus
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>



-- 
Alain Spineux
aspineux gmail com
May the sources be with you
