how to limit pop/imap login password attempts

Alain Spineux aspineux at
Wed Nov 21 19:17:48 EST 2007

On Nov 21, 2007 2:27 PM, Martin Kraus <lists_mk at> wrote:
> Hi,
>   I've been trying to figure out how to limit login attempts for cyrus
> pop/imap daemons. I'm trying to prevent brute-force password guessing.

You can try using nginx as a proxy for the IMAP, POP and SMTP protocols
(and HTTP of course).
The goal is to have the same frontend for multiple pop/imap servers and
redirect any connection to the right one depending on the username.

You need to provide a small application that, depending on the username,
will give the address of the server where the imap/pop account is stored.
Some Perl and PHP samples are on the nginx wiki.

Here is a simple one I wrote in Python:

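#!/usr/bin/env python3

from http.server import BaseHTTPRequestHandler, HTTPServer

class NginxAuth(BaseHTTPRequestHandler):

    def do_GET(self):
        # nginx passes the login details in the request headers
        print('GET', self.client_address, self.path, self.headers)

        # Accept every login and name the backend; no password check here
        self.send_response(200, 'OK')
        self.send_header('Auth-Status', 'OK')
        self.send_header('Auth-Server', '')  # backend address (blank in the post)
        self.send_header('Auth-Port', '143')
        self.end_headers()  # finish the header block so nginx gets a full reply

server = HTTPServer(('', 8081), NginxAuth)
server.serve_forever()  # start handling requests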

Here I redirect all connections to my unique server without
doing any check on the user/password (Auth-Status='OK').
If the password was wrong, then the imap server will reject the
connection anyway.
But you can keep a log of all connections with a timestamp and reject
the connection if the password is changing too often in a small amount
of time.

Don't forget to share your experiences if you get some success.

> I'm
> using cyrus sasl with /etc/sasldb2 user database, which also authenticates
> postfix users. I'd like to solve this problem through sasl so I won't have to
> figure the same for postfix or keep different passwords for mailboxes and
> smtp. Is there any mechanism to do this through sasl or do I have to try doing
> it through a firewall?
> I'm running debian etch system. If imap and pop do not allow multiple login
> attempts within a single session, I could try to work around this problem
> using iptables with the recent module but it's like scratching your left ear
> with your right hand around the back of your head.
> thanks for any pointers
> Martin Kraus

Alain Spineux
aspineux gmail com
May the sources be with you
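
The timestamped log suggested in the reply above could look like the following. This is an added example, not code from the original post or from the nginx project. It assumes PLAIN/LOGIN authentication, so that nginx's Auth-Pass header carries the same value for the same password (with CRAM-MD5 or APOP the value differs on every attempt); the class name PasswordChurn, the thresholds and the backend address are hypothetical placeholders.

```python
import hashlib, hmac, os, time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

WINDOW = 300                     # seconds of history per key (assumed value)
MAX_PASSWORDS = 5                # distinct passwords allowed per window (assumed value)
BACKEND = ('192.0.2.10', '143')  # placeholder IMAP backend, not from the post
_KEY = os.urandom(32)            # per-process HMAC key: raw passwords are never stored

class PasswordChurn:
    """Timestamped log of password digests seen per (user, client IP)."""

    def __init__(self, window=WINDOW, limit=MAX_PASSWORDS):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)          # key -> deque of (timestamp, digest)

    def allow(self, user, ip, password, now=None):
        now = time.time() if now is None else now
        log = self.seen[(user.lower(), ip)]
        while log and now - log[0][0] > self.window:
            log.popleft()                       # drop attempts older than the window
        digest = hmac.new(_KEY, password.encode(), hashlib.sha256).digest()
        distinct = {d for _, d in log}
        if digest not in distinct and len(distinct) >= self.limit:
            return False                        # yet another new password: reject
        log.append((now, digest))
        return True

churn = PasswordChurn()

class NginxAuth(BaseHTTPRequestHandler):
    def do_GET(self):
        h = self.headers                        # nginx sends Auth-User, Auth-Pass, Client-IP
        ok = churn.allow(h.get('Auth-User', ''), h.get('Client-IP', ''),
                         h.get('Auth-Pass', ''))
        self.send_response(200, 'OK')
        if ok:
            self.send_header('Auth-Status', 'OK')
            self.send_header('Auth-Server', BACKEND[0])
            self.send_header('Auth-Port', BACKEND[1])
        else:
            # Any Auth-Status other than OK is an error text; with no Auth-Wait
            # header nginx closes the client connection.
            self.send_header('Auth-Status', 'Too many password attempts')
        self.end_headers()

if __name__ == '__main__':
    HTTPServer(('127.0.0.1', 8081), NginxAuth).serve_forever()
```

Keying on (user, client IP) keeps one noisy address from locking the real owner out from elsewhere, at the cost of not counting guesses spread over many addresses. A long-running deployment would also evict keys whose log has gone empty.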
