From: Lowell Gilbert
To: Doug Hardie
Cc: "freebsd-questions@freebsd.org List"
Subject: Re: Client Authentication
Date: Sun, 24 Mar 2013 09:27:05 -0400

Doug Hardie writes:

> That is an interesting idea, but unfortunately our users tend to
> travel a lot and need to be able to access mail from anywhere. Also,
> static IPs can get quite expensive from some ISPs. Our users are
> pretty much on fixed incomes and any expense is a hardship for them.

I've been thinking about setting up certificates for pretty much the same reason, but I haven't gotten around to it yet. My standing impression is that the setup is mostly specific to the mail server, which in my case is currently dovecot.

Regardless of what else you do, there are some defensive things you could do to take some of the pressure off. They won't be a solution, but they might make your life easier while you work on a solution.

Port knocking would make it harder for the attackers to get through to try passwords, and it's fairly easy to install on any particular type of client. With the variety of clients you have to deal with, the cumulative effort may be overwhelming, but it's at least worth a thought.

Another thing to try would be temporarily blocking any IP address that tries several different user names in a short period of time.

Again, these kinds of things won't solve your problem, but they may reduce the intensity of the attack.

Good luck.
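
Added example, not part of the original message: one way to implement the second suggestion above (temporarily blocking an IP address that tries several different user names in a short period), run over constructed log lines. The log line shape, the thresholds and the names `FAIL_RE` and `find_offenders` are assumptions; counting distinct user names rather than raw failures means a travelling user who mistypes their own password is not blocked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modeled on dovecot login-failure lines; adjust to your logs.
FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*auth failed.*"
                     r"user=<(?P<user>[^>]*)>.*\brip=(?P<ip>[0-9A-Fa-f.:]+)")

def find_offenders(lines, max_users=3, window=timedelta(minutes=5),
                   block_for=timedelta(minutes=30), year=2013):
    """Return {ip: blocked_until} for IPs whose failed logins used at least
    max_users different user names within one sliding window."""
    recent = defaultdict(deque)            # ip -> (time, user) of recent failures
    blocked = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue                       # not an auth failure
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"].lower()
        if ip in blocked and ts < blocked[ip]:
            continue                       # still inside its temporary block
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:       # drop failures older than the window
            q.popleft()
        if len({u for _, u in q}) >= max_users:
            blocked[ip] = ts + block_for   # temporary: the block expires by itself
            q.clear()
    return blocked

# Constructed sample input (documentation addresses, made-up user names).
_F = ("Mar 24 09:%s mail dovecot: imap-login: Disconnected (auth failed, "
      "1 attempts in 2 secs): user=<%s>, method=PLAIN, rip=%s, lip=192.0.2.10")
SAMPLE = [
    _F % ("00:01", "alice", "203.0.113.7"),
    _F % ("00:20", "bob", "203.0.113.7"),
    _F % ("00:30", "dave", "198.51.100.4"),   # one user mistyping a password
    _F % ("00:41", "dave", "198.51.100.4"),
    _F % ("00:55", "dave", "198.51.100.4"),
    _F % ("01:05", "carol", "203.0.113.7"),   # third distinct name: block starts
    _F % ("02:00", "alice", "203.0.113.7"),   # arrives during the block, skipped
    "Mar 24 09:03:00 mail dovecot: imap-login: Login: user=<dave>, "
    "method=PLAIN, rip=198.51.100.4, lip=192.0.2.10",
]

if __name__ == "__main__":
    for ip, until in find_offenders(SAMPLE).items():
        print(f"block {ip} until {until}")
```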