On 07/08/2016 03:04 PM, Alexei Batyr' wrote:
>
> Unfortunately spammers/phishers et al. already mastered SSL and STARTTLS and
> successfully use them in brute force and other attacks.

I'd expect so. I didn't recommend TLS as a measure against brute-force attacks, I recommended it to protect passwords from leaking on untrusted networks. Authentication should always be done on a secure channel.

> Account locking seems not a good idea: attacker could easily and quickly
> block all known to him user accounts on particular server.

And yet, temporary lockout is still a fairly standard practice. The lockouts don't need to be very long to be effective if your passwords aren't based on dictionary words.

> Fail2ban blocks
> attacker's IPs instead, leaving legitimate user access to his mail.

Yes, fail2ban is a good tool and I advocate its use. However, it should be noted that fail2ban does not support IPv6, so attackers can use that network to avoid blacklisting for now. Your toolbox should have more than one tool.

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
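
Added example, not part of the original message and not code from Courier or fail2ban: the two measures discussed above driven from login-failure log lines, blocking a source after repeated failures (native IPv6 is counted per /64, so rotating addresses inside one prefix is still caught) and applying a short temporary account lockout only when the failures are spread over many sources. The log line shape, the thresholds and the /64 grouping are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sample lines; the "<epoch> imapd: LOGIN FAILED, user=..., ip=[...]"
# shape is an assumption for this example, not a format quoted in the thread.
SAMPLE = (
    ["%d imapd: LOGIN FAILED, user=alice, ip=[2001:db8:1:2::%x]" % (1000 + i, i + 10)
     for i in range(3)]                       # one /64, three different addresses
    + ["%d imapd: LOGIN FAILED, user=bob, ip=[::ffff:192.0.2.10]" % t
       for t in (1500, 1505)]                 # IPv4-mapped, below threshold
    + ["%d imapd: LOGIN FAILED, user=carol, ip=[198.51.100.%d]" % (2000 + 10 * i, i + 1)
       for i in range(5)]                     # five sources, one account
)
FAIL_RE = re.compile(r"^(\d+) \S+: LOGIN FAILED, user=(\S+), ip=\[([0-9A-Fa-f:.]+)\]")
WINDOW, MAX_PER_SOURCE, MAX_PER_USER, LOCKOUT = 600, 3, 5, 300  # assumed policy values


def source_key(ip_text):
    """IPv4 (including ::ffff: mapped) is keyed per host, native IPv6 per /64."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.IPv6Network("%s/64" % ip, strict=False))


def evaluate(lines):
    """Return (sources to block, {user: time the temporary lockout ends})."""
    by_source, by_user = defaultdict(deque), defaultdict(deque)
    blocked, lockouts = set(), {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, user, src = int(m.group(1)), m.group(2), source_key(m.group(3))
        for q in (by_source[src], by_user[user]):
            q.append(ts)
            while q[0] <= ts - WINDOW:        # drop failures older than the window
                q.popleft()
        if len(by_source[src]) >= MAX_PER_SOURCE:
            blocked.add(src)                  # block the source, account stays usable
        elif len(by_user[user]) >= MAX_PER_USER:
            lockouts[user] = ts + LOCKOUT     # spread-out guessing: short lockout
    return blocked, lockouts


if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Counting per single IPv6 address instead of per /64 would leave the first three sample lines below the threshold, since each address appears only once.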