james-server-dev mailing list archives

From "Alexei Osipov (JIRA)" <server-...@james.apache.org>
Subject [jira] [Created] (JAMES-1723) Add protection from password bruteforcing
Date Tue, 19 Apr 2016 23:27:25 GMT
Alexei Osipov created JAMES-1723:

             Summary: Add protection from password bruteforcing
                 Key: JAMES-1723
                 URL: https://issues.apache.org/jira/browse/JAMES-1723
             Project: James Server
          Issue Type: New Feature
    Affects Versions: 3.0-beta4, Trunk, 3.0.0-beta5
            Reporter: Alexei Osipov

Right now James has no mechanisms of protection against password forcing.

For example, it's possible to connect to James via SMTP and execute the AUTH command as many times
as needed to guess a user's password.

Common practices that may be used by James:
1) Force a disconnect after a few unsuccessful AUTH requests.
2) Count failed AUTH requests by IP address and reject connections from that IP if the number
of failures reaches some threshold.

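The two practices listed in the message above, sketched as an added example that is not part of the original message and is not James code. The class name `AuthFailureGuard`, its methods, the thresholds and the sliding time window for the per-IP count are all assumptions made for illustration; the SMTP session is assumed to keep its own per-connection failure count and pass it in.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/** Hypothetical helper, not a James class: tracks failed AUTH attempts. */
public class AuthFailureGuard {
    private final int maxPerConnection; // practice 1: failures allowed on one connection
    private final int maxPerIp;         // practice 2: failures allowed per IP in the window
    private final long windowMillis;
    // Entries are never evicted here; a long-running server would also expire idle keys.
    private final Map<String, Deque<Long>> failuresByIp = new ConcurrentHashMap<>();

    public AuthFailureGuard(int maxPerConnection, int maxPerIp, long windowMillis) {
        this.maxPerConnection = maxPerConnection;
        this.maxPerIp = maxPerIp;
        this.windowMillis = windowMillis;
    }

    /** Call on connect: true means reject the connection before any AUTH is accepted. */
    public boolean isBlocked(String ip, long nowMillis) {
        Deque<Long> times = failuresByIp.get(ip);
        if (times == null) return false;
        synchronized (times) {
            prune(times, nowMillis);
            return times.size() >= maxPerIp;
        }
    }

    /** Call after a failed AUTH (count includes this one): true means disconnect now. */
    public boolean recordFailure(String ip, int failuresOnConnection, long nowMillis) {
        Deque<Long> times = failuresByIp.computeIfAbsent(ip, k -> new ArrayDeque<>());
        synchronized (times) {
            prune(times, nowMillis);
            times.addLast(nowMillis);
            return failuresOnConnection >= maxPerConnection || times.size() >= maxPerIp;
        }
    }

    private void prune(Deque<Long> times, long nowMillis) {
        while (!times.isEmpty() && nowMillis - times.peekFirst() > windowMillis) times.removeFirst();
    }
    public static void main(String[] args) {
        AuthFailureGuard guard = new AuthFailureGuard(2, 3, 600_000L);
        String ip = "192.0.2.10"; // constructed sample address (TEST-NET-1)
        for (int n = 1; n <= 2; n++) System.out.println(guard.recordFailure(ip, n, n * 1000L));
        System.out.println(guard.recordFailure(ip, 1, 3000L)); // new connection, same IP
        System.out.println(guard.isBlocked(ip, 4000L) + " " + guard.isBlocked(ip, 700_000L));
    }
}
```

Keying on the source IP alone means clients behind a shared NAT or proxy share one counter, so the per-IP threshold and window need to be set with that in mind.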