[ https://issues.apache.org/jira/browse/JAMES-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean Helou resolved JAMES-1723.
-------------------------------
    Resolution: Fixed

The integration of CrowdSec allows adding rules to protect against bruteforcing in a way which is compatible with distributed systems. Documentation is a bit sparse, but I was able to apply it to my deployment, so it's doable.

See
https://issues.apache.org/jira/browse/JAMES-3897
https://github.com/apache/james-project/tree/master/third-party/crowdsec

> Add protection from password bruteforcing
> -----------------------------------------
>
>                 Key: JAMES-1723
>                 URL: https://issues.apache.org/jira/browse/JAMES-1723
>             Project: James Server
>          Issue Type: New Feature
>          Components: SMTPServer
>   Affects Versions: Trunk, 3.0-beta4, 3.0.0-beta5
>            Reporter: Alexei Osipov
>            Priority: Major
>
> Right now James has no mechanisms of protection against password forcing.
> For example, it's possible to connect to James via SMTP and execute the AUTH
> command as many times as needed to guess a user's password.
> Common practices that may be used by James:
> 1) Force disconnect after a few unsuccessful AUTH requests.
> 2) Count failed AUTH requests by IP address and reject connections from that
> IP if the number of failures reaches some threshold.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
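
The two practices listed in the issue description, as an added example (not code from James or from the CrowdSec integration). The class name, thresholds, window and ban duration are assumptions, and the counters live in one process's memory, so a multi-node deployment would need a shared store instead.

```python
from collections import defaultdict, deque

class AuthThrottle:
    """Tracks failed AUTH attempts per connection and per source IP."""
    def __init__(self, max_per_conn=3, max_per_ip=5, window=300.0, ban=900.0):
        self.max_per_conn, self.max_per_ip = max_per_conn, max_per_ip
        self.window, self.ban = window, ban
        self._conn_failures = defaultdict(int)  # conn_id -> failures on this connection
        self._ip_failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned_until = {}                 # ip -> time the ban expires

    def allow_connection(self, ip, now):
        """Practice 2: refuse new connections from an IP that is currently banned."""
        until = self._banned_until.get(ip)
        if until is not None and now < until:
            return False
        self._banned_until.pop(ip, None)  # ban expired or never set
        return True

    def record_auth(self, conn_id, ip, success, now):
        """Return 'ok', 'disconnect' (practice 1) or 'ban' (practice 2)."""
        if success:
            # Success does not clear the per-IP count; otherwise one valid
            # account would let a client reset its own failure history.
            return "ok"
        self._conn_failures[conn_id] += 1
        recent = self._ip_failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_per_ip:
            self._banned_until[ip] = now + self.ban
            recent.clear()
            return "ban"
        return "disconnect" if self._conn_failures[conn_id] >= self.max_per_conn else "ok"

# Constructed sample events: (time_s, conn_id, source_ip, auth_succeeded).
EVENTS = [(0, "c1", "203.0.113.7", False), (1, "c1", "203.0.113.7", False),
          (2, "c1", "203.0.113.7", False), (10, "c2", "203.0.113.7", False),
          (11, "c2", "203.0.113.7", False), (12, "c3", "203.0.113.7", False),
          (20, "c4", "198.51.100.9", True), (1000, "c5", "203.0.113.7", True)]

def replay(events, throttle):  # returns one decision string per event
    decisions = []
    for now, conn_id, ip, success in events:
        allowed = throttle.allow_connection(ip, now)
        decisions.append(throttle.record_auth(conn_id, ip, success, now) if allowed else "rejected")
    return decisions
```

Reconnecting does not reset the per-IP count, so the second connection in the sample reaches the ban threshold after two more failures.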