
Brute-force protection

Open Revertron opened this issue 4 years ago • 2 comments

It is very convenient to host yggmail on some VM and be able to connect to it from any other device in Yggdrasil. But yggmail is defenseless against brute-force attacks. Anyone can run some script and try to log in to the SMTP or IMAP part of the node. Moreover, if you connect to the node, it shows a valid login in the banner.

It would be very good to implement some rate control for the login mechanisms, with some temporary ban measures. And get rid of that public key in the banner :)

Revertron avatar Jul 12 '21 16:07 Revertron

Yes, absolutely. Rate limiting on the local IMAP and SMTP listeners should be straightforward.

neilalexander avatar Jul 12 '21 16:07 neilalexander
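One shape such a limiter could take, as an added illustration that is not yggmail's own code: a per-address counter of failed logins with a temporary ban, which a listener would consult before handing a connection to the IMAP or SMTP authentication step. The address, the limit of 5 failures and the 15-minute ban are assumed values.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LoginLimiter counts consecutive failed logins per remote address (the peer's
// Yggdrasil address) and bans that address for BanFor once it reaches MaxFailures.
type LoginLimiter struct {
	MaxFailures int
	BanFor      time.Duration
	mu          sync.Mutex
	failures    map[string]int
	bannedUntil map[string]time.Time
}
func NewLoginLimiter(maxFailures int, banFor time.Duration) *LoginLimiter {
	return &LoginLimiter{MaxFailures: maxFailures, BanFor: banFor,
		failures: map[string]int{}, bannedUntil: map[string]time.Time{}}
}
// Allowed reports whether addr may attempt a login at time now. The clock is a
// parameter so the policy can be exercised in tests without sleeping.
func (l *LoginLimiter) Allowed(addr string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if until, ok := l.bannedUntil[addr]; ok && now.Before(until) {
		return false
	}
	delete(l.bannedUntil, addr) // no ban, or one that has expired
	return true
}
// Fail records a failed login for addr and reports whether it triggered a ban.
func (l *LoginLimiter) Fail(addr string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[addr]++
	if l.failures[addr] < l.MaxFailures {
		return false
	}
	delete(l.failures, addr) // counter restarts once the ban has been served
	l.bannedUntil[addr] = now.Add(l.BanFor)
	return true
}
func main() {
	// Assumed policy: 5 failures ban the address for 15 minutes; the address is made up.
	l := NewLoginLimiter(5, 15*time.Minute)
	fmt.Println("banned after one failure:", l.Fail("200:1234::1", time.Now()))
}
```

A successful login should also reset the counter for that address, and a real deployment would key on the authenticated peer address rather than on a spoofable header.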

I guess the security was based on this being a localhost setup.

If you make this essentially available to the world then the username part of the login should likely also be something less obvious.

zander avatar Jul 12 '21 18:07 zander