Details
New Feature
Status: Open
Major
Resolution: Unresolved
Trunk, 3.0-beta4, 3.0.0-beta5
None
None
Description
Right now James has no mechanism of protection against password forcing.
For example, it's possible to connect to James via SMTP and execute the AUTH command as many times as needed to guess a user's password.
Common practices that may be used by James:
1) Force a disconnect after a few unsuccessful AUTH requests.
2) Count failed AUTH requests by IP address and reject connections from that IP if the number of failures reaches some threshold.
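A sketch of how the two practices listed above could fit together, added here as an illustration and not taken from the James code base. The class `AuthFailureTracker`, its method names, the thresholds and the sample IP address are all hypothetical; the per-IP counter uses a sliding time window, which is an assumption beyond what the issue specifies.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper (not a James class): decides what to do after a failed SMTP AUTH. */
public class AuthFailureTracker {
    public enum Action { CONTINUE, DISCONNECT, BLOCK_IP }

    private final int maxPerConnection; // practice 1: failures tolerated on one connection
    private final int maxPerIp;         // practice 2: failures tolerated per IP inside the window
    private final long windowMillis;    // assumed sliding window after which old failures expire
    private final Map<String, Deque<Long>> failuresByIp = new ConcurrentHashMap<>();

    public AuthFailureTracker(int maxPerConnection, int maxPerIp, long windowMillis) {
        this.maxPerConnection = maxPerConnection;
        this.maxPerIp = maxPerIp;
        this.windowMillis = windowMillis;
    }

    /** Call when a client connects; true means reject before any AUTH is accepted. */
    public boolean isBlocked(String ip, long now) {
        Deque<Long> q = failuresByIp.get(ip);
        if (q == null) return false;
        synchronized (q) { prune(q, now); return q.size() >= maxPerIp; }
    }

    /** Call after each failed AUTH; connectionFailures counts failures on this connection so far. */
    public Action recordFailure(String ip, int connectionFailures, long now) {
        Deque<Long> q = failuresByIp.computeIfAbsent(ip, k -> new ArrayDeque<>());
        synchronized (q) {
            prune(q, now);
            q.addLast(now);
            if (q.size() >= maxPerIp) return Action.BLOCK_IP;
        }
        return connectionFailures >= maxPerConnection ? Action.DISCONNECT : Action.CONTINUE;
    }

    private void prune(Deque<Long> q, long now) { // drop failures older than the window
        while (!q.isEmpty() && now - q.peekFirst() > windowMillis) q.removeFirst();
    }

    public static void main(String[] args) {
        AuthFailureTracker t = new AuthFailureTracker(3, 5, 60_000);
        String ip = "192.0.2.10"; // constructed sample address (documentation range)
        long now = 0;             // constructed clock, milliseconds
        for (int conn = 1; conn <= 2; conn++)
            for (int attempt = 1; attempt <= 3; attempt++) {
                Action a = t.recordFailure(ip, attempt, now += 1000);
                System.out.println("conn " + conn + " attempt " + attempt + " -> " + a);
                if (a != Action.CONTINUE) break;
            }
        System.out.println("blocked now: " + t.isBlocked(ip, now));
        System.out.println("blocked after window: " + t.isBlocked(ip, now + 61_000));
    }
}
```

The map in this sketch never evicts idle addresses, so a real deployment would need periodic cleanup. Per-IP blocking also affects every user behind a shared NAT address, which is why the window lets the block expire on its own.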