Does anyone know a clever way to protect imap, like we can do with obspamd for smtp? With obspamd we can use HUGE lists, it uses db with fake mail server and rdr pf rules....
Many of the imap attacks are from IPs on dnsbl-1-uceprotect that I rsync and clean with a cron, but it is too large to use in a table on pf.
Open to helpful suggestions, tia.
======== background for question ==========
I know I should have given up on uw-imap long ago, but I only have fewer than fifty legacy email accounts on server and uw imap has worked fine for decades and each has a lot of archived email in mixed formats. I am using xinetd to wrap it and pf as firewall. I have a homegrown mix of blacklists and I rsync uceprotect and cbl-list and dnsbl-1-uceprotect but they are too large for pf tables. I feed cbl-list into obspamd by breaking into chunks and for protecting sendmail that has worked very well. Blacklists like cbl and uceprotect are way too huge to use as a pf table.
Over the last couple of days I am getting a very large number of imap guessing attempts and the variations of the IPs are so great and non-repeating, max try 1 each, that methods like fail2ban don't matter because even if it triggered, hundreds of IP addresses are being used to try guessing passwords. Fortunately most of the IPs are listed on the uceprotect table, but unfortunately the uceprotect-1 is so huge I cannot use it with the firewall as a table, 180K+ entries.
wc -l dnsbl-1-uceprotect.cidr
183706 dnsbl-1-uceprotect.cidr
Yes, I should migrate to dovecot, but over the years we have a mix of mail formats that are incompatible and would require email files/folders to be converted individually from uw to the replacement.
But could dovecot do any better against attacks like this? Can dovecot use an external HUGE blacklist? Could any tcpwrapper use a huge external blacklist?