Lena@??? wrote:
> Hi,
>
> Does following look reasonable? The "2" is because of
> http://www.exim.org/lurker/message/20031019.140442.419ec907.en.html
>
> acl_check_auth:
>   drop    message   = authentication is allowed only once per message in order \
>                       to slow down bruteforce cracking
>           condition = ${if def:acl_m_auth}
>           condition = ${if >{$acl_m_auth}{2}}
>           delay     = 20s
>
>   warn    condition = ${if !def:acl_m_auth}
>           set acl_m_auth = 0
>
>   accept  set acl_m_auth = ${eval:$acl_m_auth+1}
>
>
Not relevant to the acl snippet, but w/r 'brute force' auth cracking
attempts in general:
- have you first ensured that your own client submission requires auth
and that auth cannot be done on port 25, but rather only on port 587?
- are you forcing (at least) TLS-only on port 587, with no fallback to
unencrypted?
If so, and you *still* see significant attacks, (tcpdump?) then:
- are they from random sources?
- or are they perhaps a directed attack from a small lot of IPs that
you could fully or partially block with firewall rules?
We take a further step (CAVEAT - flames may follow) and run the older
SSL-only protocol once implemented on port 465, but on port 587 instead.
Most MUA are easily set to SSL-only and port 587, even though not the
default.
Result - no significant attempts to break-in. Near-as-dammit zero.
Which, aside from not irritating Exim, reduces bandwidth consumption.
HTH,
Bill
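As an added example (not from either post), an Exim configuration fragment that implements the checks Bill lists: AUTH never accepted on port 25, only advertised once the session is encrypted, with TLS-on-connect available as in his variant. Option names are standard Exim; `$tls_in_cipher` assumes Exim 4.80 or later (older releases spell it `$tls_cipher`), and the certificate paths are placeholders.

```exim
# Added example, not from the thread. Assumes Exim 4.80+ ($tls_in_cipher);
# on older releases use $tls_cipher instead.

# MTA traffic on 25, STARTTLS submission on 587, TLS-on-connect on 465.
daemon_smtp_ports    = 25 : 587 : 465
# "SSL-only" as Bill describes it: TLS negotiated before any SMTP banner.
# Conventionally 465; he runs it on 587 instead, which works the same way.
tls_on_connect_ports = 465

tls_advertise_hosts = *
tls_certificate     = /etc/exim/tls/cert.pem   # placeholder path
tls_privatekey      = /etc/exim/tls/key.pem    # placeholder path

# Weak setting: AUTH offered to everyone on every port, including plain 25,
# so a password guesser never needs to speak TLS at all.
#   auth_advertise_hosts = *
#
# Corrected: advertise AUTH only on the submission ports and only after
# the session is encrypted. Exim refuses AUTH it did not advertise.
auth_advertise_hosts = ${if and{ \
                          {or{{eq{$interface_port}{587}}{eq{$interface_port}{465}}}} \
                          {def:tls_in_cipher} \
                        }{*}{}}

acl_smtp_auth = acl_check_auth

begin acl

# Belt and braces: reject an AUTH command that arrives on 25 or over a
# cleartext session, and log the source so directed attacks stand out.
acl_check_auth:
  deny    message   = AUTH is only accepted on 587/465 over TLS
          condition = ${if or{{eq{$interface_port}{25}}{!def:tls_in_cipher}}}
          log_message = cleartext/port-25 AUTH attempt from $sender_host_address

  accept
```

With this in place, the per-message attempt counter from the quoted ACL can be added to `acl_check_auth` unchanged; the difference is that nothing reaches it without first completing a TLS handshake on a submission port.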