On Fri, 13 Feb 2004, Ralf Hauser wrote:
> When using for example a mysql query with salted/crypted password for
> authentication when receiving mail via smtp (see
> http://bugs.mysql.com/?id=784), how can I prevent an attacker to have
> unlimited number of tries at guessing and verifying the password via exim?
Multiple failing AUTHs in a single session will eventually hit the
smtp_accept_max_nonmail command limit.
> Is there a way that exim could limit for example to 3 wrong passwords per
> hour?
Define an acl_smcp_auth ACL and implement whatever logic you think is
suitable therein. You could remember data in a dbm file or a database,
and/or use ${run or ${socket or ${perl to get access to external logic.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
