Jan 13, 2012 5:02 PM (in response to GreatGeek)
Dear GreatGeek: [great name, by the way]
I endure these types of casual script kiddie attacks on my Dovecot-based Snow Leopard Server mail server on a daily basis. My best suggestion would be to not support root or admin accounts with mail service, and enforce a password policy so that no account passwords can be guessed by brute force attack. For example, look at Apple's password policies when you set up iTunes / iCloud accounts [at least eight characters, with a mix of lowercase and uppercase letters, and at least one numeric digit thrown in]. Also, the passwords should not be based on any commonly known names / nicknames for the user, her family, or pets.
Unfortunately, if you’re going to allow mail logins from anywhere on the Internet, these types of attacks are to be expected. Let me know if you find any simple way to filter them out. Where it gets really gnarly is if the attacker hits you with enough login requests per second (say anything more than five or ten per second). If this type of attack lasts for just a matter of minutes, Dovecot can be overwhelmed and legit users can’t log in. It’s a type of unintentional denial-of-service attack coming from a single attacking host (not even a distributed attack, which would be even worse and harder to protect against!).
The reason I ran across your post today is because our mail server sustained nearly 2,900 POP logins over an eight-minute period which brought our mail service to a crawl. In looking at the pattern of login names used, I can see that it would be difficult to tune out these requests by adjusting parameters in the /etc/dovecot/dovecot.conf configuration file.
I’ve opened up a thread at https://discussions.apple.com/thread/3651526 to answer the question: is there any way to filter out hard-core attacks in Dovecot? You might want to keep an eye on this thread to see if any suggestions are posted which might solve your question as well.
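One defender-side way to spot the single-host login storm described above (many failures per second from one remote IP, often against root or admin), added here as an example that is not from the post or from Dovecot itself: it parses Dovecot-style auth-failure log lines and flags any remote IP that exceeds a threshold inside a sliding time window. The exact log line shape, the window size, the threshold and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of a Dovecot login-failure line in the mail log; the sample lines below are
# constructed for this example, but user=<...> and rip=... (remote IP) are Dovecot's fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<proto>pop3|imap)-login: "
    r"Disconnected \(auth failed[^)]*\): user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[\d.]+)")
PRIVILEGED = {"root", "admin"}  # accounts the post recommends keeping off mail service

def parse_line(line, year=2012):
    """Return (timestamp, proto, user, rip) for a login-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["proto"], m["user"], m["rip"]

def find_bursts(lines, window_secs=10, threshold=20):
    """Flag rips with > threshold failures in any window_secs window: {rip: (total, peak, privileged_tried)}."""
    by_rip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_rip[ev[3]].append(ev)
    flagged = {}
    for rip, events in by_rip.items():
        events.sort()
        peak = start = 0
        for end, ev in enumerate(events):
            while (ev[0] - events[start][0]).total_seconds() > window_secs:
                start += 1  # drop events older than the window
            peak = max(peak, end - start + 1)
        if peak > threshold:
            priv = sorted({u for _, _, u, _ in events if u in PRIVILEGED})
            flagged[rip] = (len(events), peak, priv)
    return flagged

def sample_log():
    """Constructed log: one user mistyping a password twice, plus one host sending
    five POP3 guesses per second (root, admin and common names) for 80 seconds."""
    fmt = ("Jan 13 17:{mi:02d}:{se:02d} mail dovecot: {p}-login: Disconnected "
           "(auth failed, 1 attempts): user=<{u}>, method=PLAIN, rip={ip}, lip=10.0.0.5")
    lines = [fmt.format(mi=1, se=5, p="imap", u="alice", ip="198.51.100.20"),
             fmt.format(mi=1, se=9, p="imap", u="alice", ip="198.51.100.20")]
    names = ["root", "admin", "test", "info", "sales"]
    for i in range(400):
        lines.append(fmt.format(mi=5 + i // 300, se=(i // 5) % 60, p="pop3",
                                u=names[i % 5], ip="203.0.113.45"))  # 5 per second
    return lines
```

The flagged dictionary is what you would feed into whatever blocking mechanism you settle on (a firewall rule, for instance), while the legitimate user's two mistyped passwords stay well below the threshold.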