Gordon Messmer writes:

> Authentication over plain text is only allowed if ESMTPAUTH is set in
> etc/courier/esmtpd. To maintain password security, that setting should
> be empty. Instead, use ESMTPAUTH_TLS to enable authentication only
> after TLS is initialized.

Unfortunately spammers/phishers et al. have already mastered SSL and STARTTLS and successfully use them in brute force and other attacks.

> I wrote earlier that protecting authentication with encryption would
> leave you with only tools like fail2ban. I should have mentioned that
> the other good option is using an authentication backend that'll lock
> accounts temporarily when there are repeated auth failures.

Account locking does not seem like a good idea: an attacker could easily and quickly block all user accounts known to him on a particular server. Fail2ban blocks the attacker's IPs instead, leaving the legitimate user access to his mail. Probably a better solution would be similar blocking at the MTA level, without log parsing and firing firewall rules.

Just FYI: the fail2ban block list of my relatively small mail server (approx. 350 users) now contains more than 1500 IPs. Additional advantage - reducing overall load on the server, because blocked botnet members no longer make continuous connections to the MTA.

--
Alexei.
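The lockout-versus-IP-ban trade-off argued above, as an added example that is not part of the list post: fail2ban-style sliding-window counting run over constructed auth-failure log lines, keyed either by account (the lockout backend) or by source IP (the fail2ban approach). The log line format and the `courieresmtpd` tag are assumptions for illustration; adjust `AUTH_FAIL_RE` to whatever your server actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format (not real Courier
# output): one address sprays several accounts, one other address has a
# single failure for "alice" (e.g. the real user mistyping her password).
SAMPLE_LOG = """\
Jul 10 10:00:01 mx courieresmtpd: LOGIN FAILED, user=alice, ip=[203.0.113.7]
Jul 10 10:00:02 mx courieresmtpd: LOGIN FAILED, user=bob, ip=[203.0.113.7]
Jul 10 10:00:03 mx courieresmtpd: LOGIN FAILED, user=carol, ip=[203.0.113.7]
Jul 10 10:00:04 mx courieresmtpd: LOGIN FAILED, user=alice, ip=[203.0.113.7]
Jul 10 10:00:05 mx courieresmtpd: LOGIN FAILED, user=alice, ip=[203.0.113.7]
Jul 10 10:00:30 mx courieresmtpd: LOGIN FAILED, user=alice, ip=[198.51.100.9]
Jul 10 10:05:00 mx courieresmtpd: LOGIN FAILED, user=dave, ip=[203.0.113.7]
"""

# Assumed line format; real Courier log lines will need their own pattern.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ courieresmtpd: LOGIN FAILED, "
    r"user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]$"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, user, ip) for every matching auth-failure line."""
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def offenders(log_text, key, maxretry=3, findtime=timedelta(minutes=1)):
    """Return the set of keys ("ip" or "user") that reach maxretry failures
    within a sliding window of findtime, mirroring fail2ban's counting."""
    history = defaultdict(list)   # key -> timestamps still inside the window
    banned = set()
    for ts, user, ip in parse_failures(log_text):
        k = ip if key == "ip" else user
        history[k] = [t for t in history[k] if ts - t <= findtime] + [ts]
        if len(history[k]) >= maxretry:
            banned.add(k)
    return banned


if __name__ == "__main__":
    print("per-IP bans:     ", offenders(SAMPLE_LOG, "ip"))    # only the sprayer
    print("per-account locks:", offenders(SAMPLE_LOG, "user"))  # locks out alice
```

Keyed by account, the attacker's three failures lock "alice" out, so her own later attempt from 198.51.100.9 is refused too; keyed by IP, only 203.0.113.7 is banned and every account stays usable.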