how to limit pop/imap login password attempts
aspineux at gmail.com
Wed Nov 21 19:17:48 EST 2007
On Nov 21, 2007 2:27 PM, Martin Kraus <lists_mk at wujiman.net> wrote:
> I've been trying to figure out, how to limit login attempts for cyrus
> pop/imap daemons. I'm trying to prevent brute-force password guessing.
You can try to use nginx as a proxy for the imap, pop and smtp protocols (and HTTP of course).
The goal is to have the same frontend for multiple pop/imap servers and redirect any connection to the good one depending on the username.
You need to provide a small application that, depending on the username, will give the address of the server where the imap/pop account is stored. Some perl and php samples are on the nginx wiki.
Here is a simple one I wrote in python:
import sys, BaseHTTPServer
print 'GET', self.client_address, self.path, self.headers
Here I redirect all connections to my unique server 127.0.0.1 without doing any check on the user/password (Auth-Status='OK').
If the password was wrong, then the imap server will reject the
But you can keep a log of all connections with a timestamp and reject
if the password is changing too often in a small amount of time.
Don't forget to share your experiences if you get some success.
> using cyrus sasl with /etc/sasldb2 user database, which also authenticates
> postfix users. I'd like to solve this problem through sasl so I won't have to
> figure the same for postfix or keep different passwords for mailboxes and
> smtp. Is there any mechanism to do this through sasl or do I have to try doing
> it through a firewall?
> I'm running debian etch system. If imap and pop do not allow multiple login
> attempts within a single session, I could try to work around this problem
> using iptables with the recent module but it's like scratching your left ear
> with your right hand around the back of your head.
> thanks for any pointers
> Martin Kraus
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
aspineux gmail com
May the sources be with you
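
An added example, not part of the original message and not code from the nginx wiki: a Python 3 version of the auth_http responder described above that keeps a timestamped log of password digests per user and client address and refuses the login when too many different passwords arrive inside a window. The header names are those of nginx's mail auth_http protocol; the thresholds, the listening port 9000, the backend port 143 and the names GuessLimiter and auth_reply are assumptions made for the illustration.

```python
import hashlib, hmac, os, time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

WINDOW = 300        # seconds of history kept per (user, client IP); assumed value
MAX_DISTINCT = 3    # distinct passwords tolerated inside the window; assumed value
BACKEND = ("127.0.0.1", "143")   # single backend as in the post; port is assumed
_KEY = os.urandom(16)            # per-process key so raw passwords are never stored

class GuessLimiter:
    """Log of (timestamp, password digest) per (user, client IP)."""
    def __init__(self):
        self.seen = defaultdict(deque)

    def too_many(self, user, ip, password, now):
        log = self.seen[(user, ip)]
        while log and now - log[0][0] > WINDOW:   # drop entries older than the window
            log.popleft()
        digest = hmac.new(_KEY, password.encode(), hashlib.sha256).digest()
        new = all(d != digest for _, d in log)    # a retry of the same password is free
        if new and len(log) <= MAX_DISTINCT:      # bounded: never more than MAX+1 entries
            log.append((now, digest))
        return len(log) > MAX_DISTINCT

def auth_reply(headers, limiter, now):
    """Map nginx's auth_http request headers to the response headers."""
    user, ip = headers.get("Auth-User", ""), headers.get("Client-IP", "")
    if limiter.too_many(user, ip, headers.get("Auth-Pass", ""), now):
        return {"Auth-Status": "Too many login attempts", "Auth-Wait": "3"}
    # No password check here: the backend still rejects a wrong password.
    return {"Auth-Status": "OK", "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}

LIMITER = GuessLimiter()

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        reply = auth_reply(self.headers, LIMITER, time.time())
        self.send_response(200)
        for name, value in reply.items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), Handler).serve_forever()
```

The log is held in memory only, so it is lost on restart and grows with the number of (user, client IP) pairs seen.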