james-server-dev mailing list archives

From "Alexei Osipov (JIRA)" <server-...@james.apache.org>
Subject [jira] [Issue Comment Deleted] (JAMES-1723) Add protection from password bruteforcing
Date Wed, 20 Apr 2016 11:57:25 GMT

     [ https://issues.apache.org/jira/browse/JAMES-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexei Osipov updated JAMES-1723:
---------------------------------
    Comment: was deleted

(was: I use James 3.x (built from sources) and I can see the IP of an attacker in the logs. It's just
sad I can't do anything with that using built-in tools that James has.)

> Add protection from password bruteforcing
> -----------------------------------------
>
>                 Key: JAMES-1723
>                 URL: https://issues.apache.org/jira/browse/JAMES-1723
>             Project: James Server
>          Issue Type: New Feature
>    Affects Versions: Trunk, 3.0-beta4, 3.0.0-beta5
>            Reporter: Alexei Osipov
>
> Right now James has no mechanisms of protection against password forcing.
> For example, it's possible to connect to James via SMTP and execute the AUTH command as many times as needed to guess a user's password.
> Common practices that may be used by James:
> 1) Force disconnect after a few unsuccessful AUTH requests.
> 2) Count failed AUTH requests by IP address and reject connections from that IP if the number of failures has reached some threshold.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
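
The two practices listed in the issue, sketched as an added example (not James code and not written by the issue reporter): a hypothetical `AuthFailureGuard` that an SMTP AUTH handler could consult. The class name, the thresholds and the caller-supplied millisecond clock are assumptions, and nothing here uses James APIs.

```java
import java.time.Duration;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not a James class or API.
public class AuthFailureGuard {
    private final int maxPerConnection; // practice 1: failures tolerated on one connection
    private final int maxPerIp;         // practice 2: failures tolerated per IP within the window
    private final long windowMillis;
    private final ConcurrentHashMap<String, Deque<Long>> failuresByIp = new ConcurrentHashMap<>();
    public AuthFailureGuard(int maxPerConnection, int maxPerIp, Duration window) {
        this.maxPerConnection = maxPerConnection;
        this.maxPerIp = maxPerIp;
        this.windowMillis = window.toMillis();
    }
    private void prune(Deque<Long> q, long now) { // drop failures older than the window
        while (!q.isEmpty() && now - q.peekFirst() >= windowMillis) q.removeFirst();
    }

    // Record one failed AUTH; true means drop this connection.
    // failuresOnConnection counts failures on the current connection, including this one.
    public boolean onAuthFailure(String ip, int failuresOnConnection, long now) {
        failuresByIp.compute(ip, (k, q) -> { // compute() is atomic per key
            if (q == null) q = new ArrayDeque<>();
            prune(q, now);
            q.addLast(now);
            if (q.size() > maxPerIp) q.removeFirst(); // keep memory bounded per IP
            return q;
        });
        return failuresOnConnection >= maxPerConnection;
    }

    // Check at accept time, before any AUTH is processed; false means reject.
    public boolean allowConnection(String ip, long now) {
        int[] recent = {0};
        failuresByIp.computeIfPresent(ip, (k, q) -> {
            prune(q, now);
            recent[0] = q.size();
            return q.isEmpty() ? null : q; // forget IPs whose failures have all expired
        });
        return recent[0] < maxPerIp;
    }

    public static void main(String[] args) {
        AuthFailureGuard guard = new AuthFailureGuard(3, 5, Duration.ofMinutes(10));
        String ip = "192.0.2.10"; // constructed sample address from the documentation range
        for (int i = 1; i <= 5; i++) // constructed run: five failures, reconnecting after the third
            System.out.println(i + ": drop=" + guard.onAuthFailure(ip, (i - 1) % 3 + 1, i * 1000L)
                    + " allowNext=" + guard.allowConnection(ip, i * 1000L));
    }
}
```

Entries for addresses that never reconnect are only evicted when `allowConnection` sees them again, so a long-running server would also need a periodic sweep of the map.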

