5 messages in net.sourceforge.lists.courier-users: [courier-users] Re: login frequency R...
From, Sent On
Brian Grossman, Dec 20, 2000 12:31 pm
jhen...@bogon.com, Dec 20, 2000 2:32 pm
Sam Varshavchik, Dec 20, 2000 3:01 pm
Sam Varshavchik, Dec 20, 2000 3:41 pm
Brian Grossman, Dec 20, 2000 4:02 pm
Subject: [courier-users] Re: login frequency Re: courier-users digest, Vol 1 #262 - 16 msgs
From: Brian Grossman (bri@SoftHome.net)
Date: Dec 20, 2000 12:31:48 pm
List: net.sourceforge.lists.courier-users

On Wed, Dec 20, 2000 at 01:14:54PM +0200, Mike Jackson wrote:

> Does anyone have a method of limiting client login frequency from the server side? Ideally, it would pop a message back to the client informing him to set his frequency to x minutes, and would not allow him back on until it noticed a frequency of login attempts less than x in the syslog. While watching my log files for a new server, I noticed that many people are logging in every 30 seconds around the clock. One person was even logging in once per second!

Here's one approach. This has grown here from another direction, so the pure courier solution is probably a bit different.

We have a custom auth module that talks to a custom daemon that talks to our database. The daemon also keeps track of a user's check frequency (rolling timeout). For us, letting them pop about 4 times every 5 minutes is our point of equilibrium. But tell them something like once every 10 minutes. That way, they'll hopefully listen to you and set their pop client to check every ten minutes. Many Windows pop clients check once to count the messages, then another time to get the messages. Then the user double-clicks on the send&receive button, and poof, 4 times in 5 seconds.

Actually, we're only using courier for the webmail so far. Our pop system is still back in the qmail ages. In that pop auth system (using the same daemon), there's a way to pass around meta information (like "don't check more than once every 10 minutes; see http:blah"). Is there in courier? It would be handy in smtpd and webmail too.

Please cc me on replies. I get courier-users as a digest and don't usually look at it very hard.

Sounds to me that what you really want to do is block too-frequent connections from the same IP address, not the same user account.

Otherwise, by the time you have accepted the POP3 connection, authenticated the user, looked them up in a database of locked-out users and refused their login, you might as well just let them into their maildrop anyway.

But it does thwack the users on the head and they'll back off in the future.

Brian
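
A minimal sketch of the rolling per-key login check described in the message above (about 4 logins per 5 minutes, with users told 10 minutes), added here as an illustration; it is not the poster's daemon or Courier code. The class name, the wording of the -ERR reply and the choice not to count refused attempts are assumptions; the key can be a username or a client IP address, the two options the thread discusses.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Rolling window: at most `limit` accepted logins per `window` seconds per key."""

    def __init__(self, limit=4, window=300, advertised_minutes=10):
        self.limit = limit                      # logins actually tolerated
        self.window = window                    # window length in seconds
        self.advertised_minutes = advertised_minutes  # interval users are told
        self._seen = defaultdict(deque)         # key -> accepted login times

    def check(self, key, now):
        """Return (allowed, reply). `key` is a username or a client IP."""
        stamps = self._seen[key]
        # Expire logins that have rolled out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            # Assumption: refused attempts are not recorded, so a client
            # that backs off is admitted once the oldest entry expires.
            retry = int(stamps[0] + self.window - now)
            return False, (f"-ERR checking too often; set your client to "
                           f"{self.advertised_minutes} minutes "
                           f"(retry in {retry}s)")
        stamps.append(now)
        return True, "+OK"


def replay(events, throttle=None):
    """Run (key, timestamp) login events through a throttle; return decisions."""
    throttle = throttle or LoginThrottle()
    return [throttle.check(key, ts)[0] for key, ts in events]


# Constructed sample: a client that logs in twice per check, then a
# double-click on send/receive, then a 30-second poll, then a later retry.
SAMPLE = [("alice", 0), ("alice", 1), ("alice", 3), ("alice", 4),
          ("alice", 30), ("bob", 30), ("alice", 300)]

if __name__ == "__main__":
    for event, ok in zip(SAMPLE, replay(SAMPLE)):
        print(event, "allowed" if ok else "refused")
```

Keyed by username, the check can only run after authentication; keyed by client IP, it can run when the connection is accepted.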