neilalexander / yggmail

End-to-end encrypted email for the mesh networking age

Home Page:https://matrix.to/#/#yggmail:matrix.org


Brute-force protection

Revertron opened this issue · comments

It is very convenient to host yggmail on some VM and be able to connect to it from any other device in Yggdrasil.
But yggmail is defenseless against brute-force attacks. Anyone can run a script and try to log in to the SMTP or IMAP part of the node. Moreover, if you connect to the node, it shows a valid login in the banner.

It would be very good to implement some rate control for the login mechanisms, with some temporary ban measures.
And get rid of that public key in the banner :)

commented

Yes, absolutely. Rate limiting on the local IMAP and SMTP listeners should be straightforward.
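One shape such a limiter could take, shown here as an added example rather than code from yggmail or its author: a per-remote-address failure counter with a sliding window, an exponential reply delay for each failed guess, and a temporary ban once the threshold is crossed. The `AuthLimiter` type, the `Login` wrapper, the thresholds and the sample Yggdrasil-style address `200:1234::1` are all assumptions made for the illustration; a real listener would pass the peer address from `net.Conn.RemoteAddr()` and its own credential check.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// AuthLimiter tracks failed logins per remote address and temporarily bans
// addresses that fail too often within a sliding window. Callers pass the
// current time so behaviour is deterministic and testable.
type AuthLimiter struct {
	mu          sync.Mutex
	maxFailures int           // failures allowed inside window before a ban
	window      time.Duration // how far back failures are counted
	banFor      time.Duration // how long a banned address is refused
	entries     map[string]*entry
}

type entry struct {
	failures    []time.Time // timestamps of recent failures, oldest first
	bannedUntil time.Time
}

// NewAuthLimiter builds a limiter; hypothetical defaults for the example
// would be e.g. 5 failures per minute, then a 10 minute ban.
func NewAuthLimiter(maxFailures int, window, banFor time.Duration) *AuthLimiter {
	return &AuthLimiter{maxFailures: maxFailures, window: window, banFor: banFor, entries: map[string]*entry{}}
}

// Allow reports whether addr may attempt a login at time now.
func (l *AuthLimiter) Allow(addr string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	e, ok := l.entries[addr]
	return !ok || !now.Before(e.bannedUntil)
}

// RecordFailure notes one failed login. Reaching maxFailures inside the
// window bans the address for banFor. It returns the delay the listener
// should sleep before replying: the ban length when banned, otherwise an
// exponential backoff (1s, 2s, 4s, ... capped at 30s) that slows guessing
// even before the ban kicks in.
func (l *AuthLimiter) RecordFailure(addr string, now time.Time) (banned bool, delay time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	e := l.entries[addr]
	if e == nil {
		e = &entry{}
		l.entries[addr] = e
	}
	cutoff := now.Add(-l.window)
	kept := e.failures[:0] // compact in place, dropping failures outside the window
	for _, t := range e.failures {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	e.failures = append(kept, now)
	n := len(e.failures)
	if n >= l.maxFailures {
		e.bannedUntil = now.Add(l.banFor)
		e.failures = nil // start clean when the ban expires
		return true, l.banFor
	}
	delay = time.Second << uint(n-1)
	if delay > 30*time.Second {
		delay = 30 * time.Second
	}
	return false, delay
}

// RecordSuccess clears the failure history for addr after a good login.
func (l *AuthLimiter) RecordSuccess(addr string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.entries, addr)
}

var (
	ErrTooManyAttempts = errors.New("too many failed login attempts, try again later")
	ErrBadCredentials  = errors.New("invalid credentials")
)

// Login is what an IMAP or SMTP AUTH handler would call: banned addresses are
// refused before the password check runs; failures are recorded and the
// returned delay should be slept before the error reply is written.
func Login(l *AuthLimiter, addr, user, pass string, now time.Time, check func(user, pass string) bool) (time.Duration, error) {
	if !l.Allow(addr, now) {
		return 0, ErrTooManyAttempts
	}
	if check(user, pass) {
		l.RecordSuccess(addr)
		return 0, nil
	}
	_, delay := l.RecordFailure(addr, now)
	return delay, ErrBadCredentials
}

func main() {
	l := NewAuthLimiter(3, time.Minute, 10*time.Minute)
	check := func(u, p string) bool { return u == "alice" && p == "correct" } // constructed credential check
	addr := "200:1234::1"                                                    // constructed Yggdrasil-style peer address
	now := time.Now()
	for i := 0; i < 4; i++ {
		d, err := Login(l, addr, "alice", "wrong", now.Add(time.Duration(i)*time.Second), check)
		fmt.Printf("attempt %d: delay=%v err=%v\n", i+1, d, err)
	}
}
```

One caveat specific to the setting discussed in this issue: a Yggdrasil node's address is derived from its public key, and generating a fresh key is cheap, so an attacker who rotates keys gets a fresh per-address budget each time. Per-address banning is still worth having (it stops the naive script), but pairing it with a global cap on failed logins per unit time, or a per-account counter, closes that gap.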

commented

I guess the security was based on this being a localhost setup.

If you make this essentially available to the world, then the username part of the login should likely also be something less obvious.