Open Revertron opened 2 years ago
Yes, absolutely. Rate limiting on the local IMAP and SMTP listeners should be straightforward.
I guess the security was based on this being a localhost setup.
If you make this essentially available to the world then the username part of the login should likely also be something less obvious.
It is very convenient to host yggmail on some VM, and be able to connect to it from any other device in Yggdrasil. But yggmail is defenseless against brute-force attacks. Anyone can run some script and try to log in to the SMTP or IMAP part of the node. Moreover, if you connect to the node, it shows a valid login in the banner.

It would be very good to implement some rate control on the login mechanisms with some temporary ban measures. And get rid of that public key in the banner :)