Brute-force protection
Revertron opened this issue · comments
It is very convenient to host yggmail on some VM, and be able to connect to it from any other device in Yggdrasil.
But yggmail is defenseless against brute-force attacks. Anyone can run some script and try to log in to the SMTP or IMAP part of the node. Moreover, if you connect to the node, it shows a valid login in the banner.
It would be very good to implement some rate-control to login mechanisms with some temporary ban measures.
And get rid of that public key in the banner :)
Yes, absolutely. Rate limiting on the local IMAP and SMTP listeners should be straightforward.
I guess the security was based on this being a localhost setup.
If you make this essentially available to the world then the username part of the login should likely also be something less obvious.
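The per-address failure counter with a temporary ban that the issue asks for, and that the reply says should be straightforward on the IMAP and SMTP listeners, sketched in Go (yggmail's language). This is an added illustration, not code from yggmail or its author; `LoginLimiter`, `Authenticate`, the thresholds and the addresses in the scenario are all assumptions, and the clock is passed in explicitly so the behaviour can be checked without sleeping.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrTemporarilyBanned is what the listener gets back so it can answer with
// the same generic failure it uses for a bad password (never a distinct
// "you are banned" message that confirms the address is being tracked).
var ErrTemporarilyBanned = errors.New("too many failed logins, try again later")

// LoginLimiter counts failed logins per remote address inside a sliding
// window and bans the address for banFor once maxFails is reached.
// Hypothetical example type; the names are not yggmail's own.
type LoginLimiter struct {
	mu       sync.Mutex
	maxFails int
	window   time.Duration
	banFor   time.Duration
	failures map[string][]time.Time // recent failure timestamps per address
	banned   map[string]time.Time   // ban expiry per address
}

func NewLoginLimiter(maxFails int, window, banFor time.Duration) *LoginLimiter {
	return &LoginLimiter{
		maxFails: maxFails, window: window, banFor: banFor,
		failures: map[string][]time.Time{},
		banned:   map[string]time.Time{},
	}
}

// Allowed reports whether addr may attempt a login at time now.
func (l *LoginLimiter) Allowed(addr string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if until, ok := l.banned[addr]; ok {
		if now.Before(until) {
			return false
		}
		delete(l.banned, addr) // ban has expired
	}
	return true
}

// RecordFailure notes a failed login and reports whether it triggered a ban.
func (l *LoginLimiter) RecordFailure(addr string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	// Drop failures that fell out of the window, then add this one.
	kept := l.failures[addr][:0]
	for _, t := range l.failures[addr] {
		if now.Sub(t) < l.window {
			kept = append(kept, t)
		}
	}
	kept = append(kept, now)
	if len(kept) >= l.maxFails {
		l.banned[addr] = now.Add(l.banFor)
		delete(l.failures, addr)
		return true
	}
	l.failures[addr] = kept
	return false
}

// RecordSuccess clears the failure history for addr.
func (l *LoginLimiter) RecordSuccess(addr string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, addr)
}

// Authenticate is how an IMAP LOGIN/AUTHENTICATE or SMTP AUTH handler would
// use the limiter: refuse banned addresses before looking at credentials,
// then record the outcome of the caller's real check (verify).
func (l *LoginLimiter) Authenticate(addr, user, pass string, now time.Time,
	verify func(user, pass string) bool) error {
	if !l.Allowed(addr, now) {
		return ErrTemporarilyBanned
	}
	if !verify(user, pass) {
		l.RecordFailure(addr, now)
		return errors.New("authentication failed")
	}
	l.RecordSuccess(addr)
	return nil
}

func main() {
	// Constructed scenario: one Yggdrasil address guessing passwords.
	lim := NewLoginLimiter(5, time.Minute, 10*time.Minute)
	verify := func(u, p string) bool { return u == "alice" && p == "correct horse" }
	now, attacker := time.Now(), "200:1234:5678::1"
	for i := 1; i <= 6; i++ {
		fmt.Printf("attempt %d: %v\n", i, lim.Authenticate(attacker, "alice", fmt.Sprint("guess", i), now, verify))
	}
	fmt.Println("after ban:", lim.Authenticate(attacker, "alice", "correct horse", now.Add(11*time.Minute), verify))
}
```

Two caveats for a node reachable from the whole Yggdrasil network rather than localhost. A Yggdrasil address is derived from the node's key pair, and new keys are cheap to generate, so a per-address ban alone only slows an attacker who is willing to rotate keys; a global cap on failed logins per unit time (or a small fixed delay on every failed attempt, regardless of source) is the backstop. And the response for a banned address must be byte-for-byte the same as for a wrong password, otherwise the limiter itself becomes an oracle; the same reasoning applies to the banner, which should not reveal a valid login at all.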