Re: [Exim] authenticators: how to prevent an unlimited numbe…

Author: Philip Hazel
Date:  
To: hauser
CC: exim-users
Subject: Re: [Exim] authenticators: how to prevent an unlimited number of password tries thru smtp?
On Fri, 13 Feb 2004, Ralf Hauser wrote:

> When using for example a mysql query with salted/crypted password for
> authentication when receiving mail via smtp (see
> http://bugs.mysql.com/?id=784), how can I prevent an attacker from having
> an unlimited number of tries at guessing and verifying the password via exim?


Multiple failing AUTHs in a single session will eventually hit the
smtp_accept_max_nonmail command limit.

> Is there a way that exim could limit for example to 3 wrong passwords per
> hour?


Define an acl_smtp_auth ACL and implement whatever logic you think is
suitable therein. You could remember data in a dbm file or a database,
and/or use ${run or ${socket or ${perl to get access to external logic.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
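
An added example, not part of the original message and not Exim code: a small external helper of the kind the reply suggests reaching through ${run, keeping failed-AUTH timestamps in a database and enforcing the "3 wrong passwords per hour" limit from the question. The SQLite store, its path, the `check`/`fail` arguments and the choice of key are assumptions; the ACL wiring on the Exim side is not shown.

```python
import sqlite3
import sys
import time

MAX_FAILURES = 3        # "3 wrong passwords per hour", as asked in the thread
WINDOW_SECONDS = 3600
DB_PATH = "/var/spool/exim/auth_failures.db"  # hypothetical location

def open_store(path=DB_PATH):
    """Open the failure store, creating the table on first use."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS auth_failures "
               "(key TEXT NOT NULL, ts REAL NOT NULL)")
    db.execute("CREATE INDEX IF NOT EXISTS auth_failures_key_ts "
               "ON auth_failures (key, ts)")
    return db

def record_failure(db, key, now=None):
    """Remember one failed AUTH for key (client IP, login name, or both)."""
    now = time.time() if now is None else now
    with db:  # commit on success, roll back on error
        db.execute("INSERT INTO auth_failures VALUES (?, ?)", (key, now))

def is_blocked(db, key, now=None):
    """True if key has MAX_FAILURES or more failures inside the window."""
    now = time.time() if now is None else now
    cutoff = now - WINDOW_SECONDS
    with db:
        # Prune expired rows so the table cannot grow without bound.
        db.execute("DELETE FROM auth_failures WHERE ts <= ?", (cutoff,))
        (count,) = db.execute(
            "SELECT COUNT(*) FROM auth_failures WHERE key = ?", (key,)
        ).fetchone()
    return count >= MAX_FAILURES

if __name__ == "__main__":
    # Usage: script check KEY  -> exit 0 if AUTH may proceed, 1 if blocked
    #        script fail KEY   -> record one failure, exit 0
    action, key = sys.argv[1], sys.argv[2]
    store = open_store()
    if action == "fail":
        record_failure(store, key)
        sys.exit(0)
    sys.exit(1 if is_blocked(store, key) else 0)
```

With the login name alone as the key, failed attempts from anywhere lock out the real user, so the client IP or an IP-plus-login pair is usually the safer key.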