Protection against POP or IMAP Denial of Service (DOS)
Jorey Bump
list at joreybump.com
Tue May 20 20:49:41 EDT 2008
Stéphane BERTHELOT wrote, at 05/20/2008 06:32 PM:
> - increase security level (SSL/ CRAM-MD5/ ...). In a wonderful world it
> would be possible but I would bet (but I've not checked yet) that some
> of our users have pretty broken clients (like old Outl**k...) that would
> not be able to login anymore. Then we would be stuck or denying some
> service ourselves ...
I suggested this, and I've been extremely happy with the results.
Offering secure logins is essential these days, but allowing unencrypted
PLAIN or LOGIN authentication is no longer necessary (and quite
arguably foolish). At this point, anyone with a system so antiquated it
can't cope with TLS, SSL or other secure logins poses more of a threat
to your service than a drive-by attacker. It stopped the brute force
attacks dead in their tracks on my servers. But this will only last
until the attackers add TLS support to their malware, so I agree it
would be nice if the Cyrus IMAPd code could be hardened against a DoS. I
haven't experienced this debilitating effect with other POP3 servers
I've used.
In any case, I've found this configuration to be quite effective (I'm
using sasldb), and it allowed me to identify and help users that were
not configuring clients securely:
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
allowplaintext: no
sasl_minimum_layer: 128
Once everyone got settled, I haven't heard a peep, and there are no more
DoS-related complaints.
I also use the following iptables rules to only allow up to 2
connections in a 15 second period, but haven't determined if they're
effective:
iptables -A INPUT -p tcp -m state --state NEW --dport 110 -m recent \
  --update --seconds 15 --hitcount 2 -j DROP
iptables -A INPUT -p tcp -m state --state NEW --dport 110 -m recent \
  --set -j ACCEPT
None of my POP3 users have complained, but I don't have many. Most of my
users use IMAP.
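To see what the two iptables rules above actually do to a client, here is a small Python model of the recent module's --set / --update --seconds --hitcount behaviour (an added example, not from the post, Cyrus or netfilter). It assumes the module semantics as I understand them: the --update rule counts the stamps already recorded for the source inside the window and, only when it matches, records the current packet as well; the per-source stamp limit of 20 is an assumed default. The simulation shows the third NEW connection within 15 seconds being dropped, and that a dropped attempt itself refreshes the entry, so a client that retries right away stays blocked until it pauses.

```python
WINDOW_SECONDS = 15   # --seconds 15
HITCOUNT = 2          # --hitcount 2
MAX_STAMPS = 20       # assumed per-address stamp limit (kernel default ip_pkt_list_tot)


class RecentTable:
    """Model of one xt_recent list: a list of packet timestamps per source address."""

    def __init__(self):
        self.entries = {}  # src -> list of timestamps, oldest first

    def _touch(self, src, now):
        stamps = self.entries.setdefault(src, [])
        stamps.append(now)
        if len(stamps) > MAX_STAMPS:
            del stamps[0]

    def update_hits(self, src, now, seconds, hitcount):
        """Rule 1: -m recent --update --seconds S --hitcount N.
        Matches if the source is listed and at least N earlier stamps fall
        inside the window; a match also records the current packet."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            self._touch(src, now)
            return True
        return False

    def set_entry(self, src, now):
        """Rule 2: -m recent --set. Always matches and records a stamp."""
        self._touch(src, now)
        return True


def filter_new_connection(table, src, now):
    """Run a NEW TCP connection to port 110 through the two rules in order."""
    if table.update_hits(src, now, WINDOW_SECONDS, HITCOUNT):
        return "DROP"
    table.set_entry(src, now)
    return "ACCEPT"


def simulate(arrivals):
    """arrivals: list of (time_in_seconds, source_address); returns the verdicts."""
    table = RecentTable()
    return [filter_new_connection(table, src, t) for t, src in arrivals]


if __name__ == "__main__":
    # Constructed sample: one client polling every 5 s, plus one quiet client.
    sample = [(0, "192.0.2.10"), (5, "192.0.2.10"), (10, "192.0.2.10"),
              (12, "192.0.2.20"), (20, "192.0.2.10"), (40, "192.0.2.10")]
    for (t, src), verdict in zip(sample, simulate(sample)):
        print(f"t={t:>3}s {src:<12} {verdict}")
```

A mail client set to check POP3 every 5 or 10 seconds would hit the DROP rule on its third connection, which is worth keeping in mind when weighing the rules against user complaints.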