
Brute-force protection #8

Open
Revertron opened this issue Jul 12, 2021 · 2 comments
Labels
to do We’ll get this done

Comments

@Revertron

It is very convenient to host yggmail on some VM and be able to connect to it from any other device in Yggdrasil.
But yggmail is defenseless against brute-force attacks. Anyone can run some script and try to log in to the SMTP or IMAP part of the node. Moreover, if you connect to the node, it shows a valid login in the banner.

It would be very good to implement some rate control for the login mechanisms with some temporary ban measures.
And get rid of that public key in the banner :)

@neilalexander neilalexander added the to do We’ll get this done label Jul 12, 2021
@neilalexander
Owner

Yes, absolutely. Rate limiting on the local IMAP and SMTP listeners should be straightforward.
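The issue body asks for rate control on the login mechanisms with temporary bans, and the reply above says this belongs on the IMAP and SMTP listeners. The following is an added illustration of that design in Go, not yggmail's own code: a per-client failed-login limiter that counts failures in a sliding window and locks the client out for a fixed period once a threshold is reached. The key is whatever identifies the client on the listener (the remote address is assumed here), and the thresholds, the `LoginLimiter` type and the injectable clock are all choices made for this example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LoginLimiter tracks failed authentication attempts per client key
// (assumed here to be the remote address of an IMAP or SMTP connection)
// and temporarily bans keys that exceed the threshold.
// Example design, not yggmail's implementation.
type LoginLimiter struct {
	mu          sync.Mutex
	maxFailures int              // failures allowed within window before a ban
	window      time.Duration    // sliding window in which failures are counted
	banFor      time.Duration    // how long a banned key stays locked out
	clock       func() time.Time // injectable clock so behaviour can be tested
	entries     map[string]*entry
}

type entry struct {
	failures    []time.Time // timestamps of recent failures inside the window
	bannedUntil time.Time   // zero value means "not banned"
}

// NewLoginLimiter builds a limiter that uses the wall clock.
func NewLoginLimiter(maxFailures int, window, banFor time.Duration) *LoginLimiter {
	return NewLoginLimiterWithClock(maxFailures, window, banFor, time.Now)
}

// NewLoginLimiterWithClock lets callers supply their own time source.
func NewLoginLimiterWithClock(maxFailures int, window, banFor time.Duration, clock func() time.Time) *LoginLimiter {
	return &LoginLimiter{
		maxFailures: maxFailures,
		window:      window,
		banFor:      banFor,
		clock:       clock,
		entries:     make(map[string]*entry),
	}
}

// Allow reports whether key may attempt a login right now.
// Call it before reading credentials so a banned client is refused cheaply.
func (l *LoginLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	e, ok := l.entries[key]
	if !ok {
		return true
	}
	return !l.clock().Before(e.bannedUntil)
}

// Fail records a failed login for key and returns true if this failure
// pushed the key over the threshold and started a temporary ban.
func (l *LoginLimiter) Fail(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.clock()
	e, ok := l.entries[key]
	if !ok {
		e = &entry{}
		l.entries[key] = e
	}
	// Drop failures that have aged out of the sliding window.
	kept := e.failures[:0]
	for _, t := range e.failures {
		if now.Sub(t) < l.window {
			kept = append(kept, t)
		}
	}
	e.failures = append(kept, now)
	if len(e.failures) >= l.maxFailures {
		e.bannedUntil = now.Add(l.banFor)
		e.failures = nil // counting restarts once the ban has expired
		return true
	}
	return false
}

// Success clears the failure history for key after a valid login.
func (l *LoginLimiter) Success(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.entries, key)
}

func main() {
	// Constructed scenario: one client fails three times in a row.
	l := NewLoginLimiter(3, time.Minute, 10*time.Minute)
	client := "200:1234::1" // constructed Yggdrasil-style address, not a real node
	for i := 1; i <= 4; i++ {
		if !l.Allow(client) {
			fmt.Printf("attempt %d: refused, client is temporarily banned\n", i)
			continue
		}
		banned := l.Fail(client)
		fmt.Printf("attempt %d: login failed, ban started=%v\n", i, banned)
	}
}
```

In a real listener the same limiter instance would be shared by the IMAP and SMTP accept loops, `Allow` would run before the AUTH/LOGIN command is parsed, and a periodic sweep would delete entries whose ban has expired so the map does not grow without bound. The banner concern from the issue body is separate: the greeting line should carry no account identifier at all, since an attacker who already knows the valid login only needs to guess the password.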

@zander

zander commented Jul 12, 2021

I guess the security was based on this being a localhost setup.

If you make this essentially available to the world then the username part of the login should likely also be something less obvious.
