[Dovecot] Proxying Authentication on both sides

Timo Sirainen tss at iki.fi
Fri Mar 30 18:03:00 EEST 2012


On 30.3.2012, at 17.51, Andy Dills wrote:

> On Fri, 30 Mar 2012, Timo Sirainen wrote:
> 
>> On 30.3.2012, at 16.25, Andy Dills wrote:
>> 
>>> However, when we have the front-end server do a static director proxy, the 
>>> problem is that authentication failures are logged on the back-end server 
>>> with a source IP of the proxy, and no authentication failure with the 
>>> client IP address is logged on the proxy. So, fail2ban (which is a MUST 
>>> these days, at least for us) will not be able to properly filter out the 
>>> brute force attackers.
>> 
>> This is a simple fix (and something you should do anyway): Add the 
>> proxy's IP/netmask to the login_trusted_networks setting in the remote 
>> server. For this to work with POP3 you need v2.1.2+.
> 
> Well, the problem isn't that my proxies would be banned; the problem is I 
> have no way of seeing the remote IP of the failed authentication so I can 
> ban the people who should be banned.

This is what the setting changes. The remote IP will be seen by the backends.

> It seems obvious in retrospect, but for whatever reason the way the docs 
> were written made me feel like having the full authentication happen on 
> both the proxy and the backend wasn't possible.

Oh. This is a pretty common configuration. I guess the docs could be clarified.
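The effect Timo describes can be checked on the backend's own logs. The added Python below is an illustration written for this archive page, not code from the thread or from Dovecot: it parses constructed imap-login/pop3-login "auth failed" lines (the Dovecot 2.x format, where the peer address is the rip= field that fail2ban's dovecot filter keys on) and aggregates failed attempts per remote IP. Two constructed log sets show the two situations in the thread: a backend that does not list the proxy in login_trusted_networks, where every failure carries the proxy's address, and one that does (e.g. login_trusted_networks = 192.0.2.10/32), where the real client addresses appear. The ban-candidate helper also excludes the trusted proxy networks, so a threshold-based rule cannot end up banning the proxy itself. All addresses, users and thresholds are made up.

```python
import ipaddress
import re
from collections import Counter

# Dovecot 2.x login-process disconnect lines look like:
#   imap-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<x>, method=PLAIN, rip=A.B.C.D, lip=...
# The "rip=" value is the address Dovecot saw as the client. Only with the proxy
# in login_trusted_networks does the backend record the real client there.
AUTH_FAIL_RE = re.compile(
    r"(?:imap|pop3)-login: Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\): "
    r".*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample: backend WITHOUT the proxy (192.0.2.10) in login_trusted_networks.
# Every failure is attributed to the proxy's address; the attackers are invisible.
LOG_PROXY_NOT_TRUSTED = [
    "Mar 30 17:40:01 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, session=<a1>",
    "Mar 30 17:40:05 mx1 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, session=<a2>",
    "Mar 30 17:40:09 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.20, session=<a3>",
]

# Constructed sample: same traffic after adding the proxy to login_trusted_networks.
# rip= now carries the client address that the proxy forwarded.
LOG_PROXY_TRUSTED = [
    "Mar 30 17:50:01 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.20, session=<b1>",
    "Mar 30 17:50:05 mx1 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.20, session=<b2>",
    "Mar 30 17:50:09 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.22, lip=192.0.2.20, session=<b3>",
    "Mar 30 17:50:12 mx1 dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.20, session=<b4>",  # success, ignored
]

# Mirrors the value you would put in login_trusted_networks on the backend.
TRUSTED_PROXY_NETWORKS = ["192.0.2.10/32"]


def failures_by_rip(lines):
    """Sum failed attempts per rip= address; non-failure lines are skipped."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[m.group("rip")] += int(m.group("n"))
    return counts


def ban_candidates(counts, trusted_networks, threshold):
    """Addresses at or above the threshold, excluding trusted proxy networks.

    Without the exclusion, a backend that does not trust the proxy would
    hand fail2ban the proxy's own address as the top offender.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    result = []
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in nets):
            result.append(ip)
    return sorted(result)


if __name__ == "__main__":
    for label, log in (("proxy NOT trusted", LOG_PROXY_NOT_TRUSTED), ("proxy trusted", LOG_PROXY_TRUSTED)):
        c = failures_by_rip(log)
        print(label, dict(c), "-> ban:", ban_candidates(c, TRUSTED_PROXY_NETWORKS, 5))
```

Run against the untrusted-proxy log, every one of the six failed attempts lands on 192.0.2.10 and the only address a naive threshold rule would ban is the proxy; with the proxy trusted, the same attempts resolve to 198.51.100.7 (five attempts) and 203.0.113.22 (one), and only the first crosses the example threshold.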

