Re: table-passwd
On Sep 17, 2019 9:05 AM, Gilles Chehade wrote:
>
> Hello,
>
> Is there anyone using table-passwd for _any_ other purposes than sharing
> with Dovecot ?
>
> I have built a fully virtual setup which shares credentials with Dovecot
> and since I managed to do it _without_ table-passwd I'm wondering if the
> table backend is really useful and if it was not created because someone
> had overlooked the first few lines of the Dovecot documentation stating:
>
> "For a password database, it's enough to have only the user and password
> fields."
>
> --
> Gilles Chehade @poolpOrg
>
> https://www.poolp.org patreon: https://www.patreon.com/gilles
>

Not actually using it, but for dovecot to use it as a userdb as well as a passdb it needs the additional fields.

Edgar

Re: table-passwd
> Hello,
>
> Is there anyone using table-passwd for _any_ other purposes than sharing
> with Dovecot ?

Unless I'm misunderstanding the question, I use it all the time. If an appliance or server needs to be able to send or relay e-mail it gets an entry in the table-passwd, with an individual username and password combo. No need for Dovecot access under that user, no need for a system user.

> I have built a fully virtual setup which shares credentials with Dovecot
> and since I managed to do it _without_ table-passwd I'm wondering if the
> table backend is really useful

My MXs are using individual credentials in order to relay incoming mails to the mailbox system. These credentials can't be abused to access a mailbox though. Same is true the other way around. (Mailbox server to "smarthost".)

Without the table one would need to create system users?

Re: table-passwd
I'm using it for a table authentication for accepting client smtp relaying as well as the dovecot authentication.

    listen on egress port submission tls-require pki mail.red-five.net auth tag "Authenticated"

Is there a better way to do this and how are you doing the dovecot authentication?

Nick

On 17/09/2019 15:05, Gilles Chehade wrote:
> Hello,
>
> Is there anyone using table-passwd for _any_ other purposes than sharing
> with Dovecot ?
>
> I have built a fully virtual setup which shares credentials with Dovecot
> and since I managed to do it _without_ table-passwd I'm wondering if the
> table backend is really useful and if it was not created because someone
> had overlooked the first few lines of the Dovecot documentation stating:
>
> "For a password database, it's enough to have only the user and password
> fields."

table-passwd
Hello,

Is there anyone using table-passwd for _any_ other purposes than sharing with Dovecot ?

I have built a fully virtual setup which shares credentials with Dovecot and since I managed to do it _without_ table-passwd I'm wondering if the table backend is really useful and if it was not created because someone had overlooked the first few lines of the Dovecot documentation stating:

"For a password database, it's enough to have only the user and password fields."

--
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles

Re: Failed logins hammer/filter.
On Mon, Sep 16, 2019 at 10:20:42AM +0300, Reio Remma wrote:
> Hello!
>

Hello,

> Until upgrading to OpenSMTPD 6.6 I used fail2ban to ban excessive login
> failures from IPs, but that doesn't work any more with the log format
> changed from:
>
> smtp event=failed-command address=185.13.39.7 host=vps-33288.fhnet.fr
> command="AUTH LOGIN (password)" result="535 Authentication failed"
> |
> smtp failed-command command="AUTH LOGIN (password)" result="535
> Authentication failed"
>

using the human logs for this kind of programmatic stuff is no longer supported, the proper way is to write a filter that registers for all register events and parses that output instead.

we assume programs to read reports so the format is versioned and is going to be easily parsed, we assume humans to read the logs so we're going to adapt the logs without caring too much about scripts.

> Surprisingly SMTP isn't brute forced that much, but as I registered 472
> failed authentications from a single IP yesterday, I'm going to have a Go at
> a filter too. :)
>

I do get a lot of brute-force but it mostly comes from compromised hosts so filtering on !rdns, !fcrdns and matching some common dynamic patterns kills the bulk of them.

--
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles
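
The report-event approach recommended in the reply above, as an added Go example that is not from the thread or from OpenSMTPD: it follows link-connect, link-auth and link-disconnect report events and counts failed logins per source address instead of parsing the human log. The field layouts (including the link-auth order switching at protocol version 0.7, compared here as a single-digit string), the threshold of 5 and the stderr message are assumptions to check against smtpd-filters(7).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// NewTracker returns a feed function: report line in, (source address, its
// failed-AUTH count) out on each failed login, ("", 0) for every other line.
func NewTracker() func(line string) (string, int) {
	src := map[string]string{} // session id -> source address
	fails := map[string]int{}  // source address -> failed AUTH count
	return func(line string) (string, int) {
		f := strings.Split(line, "|") // assumed: report|version|time|smtp-in|event|session|...
		if len(f) < 6 || f[0] != "report" || f[3] != "smtp-in" {
			return "", 0
		}
		switch sid := f[5]; {
		case f[4] == "link-connect" && len(f) >= 10: // params: rdns|fcrdns|src|dest
			if i := strings.LastIndex(f[8], ":"); i > 0 {
				src[sid] = f[8][:i] // keep the address, drop the port
			}
		case f[4] == "link-disconnect":
			delete(src, sid) // session is over, forget its address
		case f[4] == "link-auth" && len(f) >= 8:
			res := f[len(f)-1] // assumed username|result before protocol 0.7
			if f[1] >= "0.7" {
				res = f[6] // assumed result|username from 0.7 on
			}
			if ip := src[sid]; res == "fail" && ip != "" {
				fails[ip]++
				return ip, fails[ip]
			}
		}
		return "", 0
	}
}

func main() {
	feed := NewTracker()
	for in := bufio.NewScanner(os.Stdin); in.Scan(); {
		if line := in.Text(); line == "config|ready" { // handshake done: register
			fmt.Println("register|report|smtp-in|link-connect\nregister|report|smtp-in|link-auth")
			fmt.Println("register|report|smtp-in|link-disconnect\nregister|ready")
		} else if ip, n := feed(line); n >= 5 { // 5 is a constructed threshold
			fmt.Fprintln(os.Stderr, "repeated auth failures:", ip, n)
		}
	}
}
```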