Client Authentication

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Sun Mar 24 13:27:20 UTC 2013


Doug Hardie <bc979 at lafn.org> writes:

> That is an interesting idea, but unfortunately our users tend to
> travel a lot and need to be able to access mail from anywhere.  Also,
> static IPs can get quite expensive from some ISPs.  Our users are
> pretty much on fixed incomes and any expense is a hardship for them.

I've been thinking about setting up certificates for pretty much the
same reason, but I haven't gotten around to it yet. My standing
impression is that the setup is mostly specific to the mail server,
which in my case is currently dovecot. 

Regardless of what else you do, there are some defensive things you
could do to take some of the pressure off. They won't be a solution, but
they might make your life easier while you work on a solution. Port
knocking would make it harder for the attackers to get through to try
passwords, and it's fairly easy to install on any particular type of
client. With the variety of clients you have to deal with, the
cumulative effort may be overwhelming, but it's at least worth a
thought. Another thing to try would be temporarily blocking any IP
address that tries several different user names in a short period of
time. Again, these kinds of things won't solve your problem, but they
may reduce the intensity of the attack.

Good luck.
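
Added example, not part of the original message: one way to find the IP addresses the message suggests blocking temporarily, by counting distinct user names per source IP in a sliding time window over failed-login log lines. The log lines are constructed, their dovecot-style layout is an assumption, and the function name, threshold and window are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the dovecot-style layout is an assumption.
SAMPLE_LOG = """\
Mar 24 13:00:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<erin>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10
Mar 24 13:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 24 13:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 24 13:00:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<carol>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 24 13:01:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10
Mar 24 13:01:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10
Mar 24 13:01:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10
Mar 24 13:03:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<frank>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10
Mar 24 13:10:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<grace>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:]{8}) .*auth failed.*"
    r"user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9a-fA-F.:]+)"
)

def offenders(lines, distinct_users=3, window=timedelta(minutes=5), year=2013):
    """Map each IP to the time it first failed logins for `distinct_users`
    different user names within `window`. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) pairs still in window
    flagged = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts = recent[m["ip"]]
        attempts.append((ts, m["user"].lower()))
        while ts - attempts[0][0] > window:
            attempts.popleft()
        # Repeated failures for one name (a user mistyping) count only once.
        if m["ip"] not in flagged and len({u for _, u in attempts}) >= distinct_users:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the threshold at {when}")
```

In the sample, only 203.0.113.7 is flagged: the address retrying a single user name and the address whose attempts are spread over ten minutes both stay below the threshold.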

