Lähettäjä: Edison F Carbol Päiväys: Vastaanottaja: Exim Mailing List Aihe: Re: [exim] Drop smtp connection before authentication
Dave,
This is what I´m doing now.
The first time this username try to authenticate, I get his IP at smtp auth
and then block it at acl_smtp_auth.
Thank you for your help.
Edison
> My server is under a kind of attack. Lot of connections are trying to
> authenticate with the same username that doesn´t exist.
>
> I´d like to drop all connections from a specific username before smtp
> authentication or any layer above.
>
> Is it possible to get the username at acl_smtp_auth?
When you say "from a specific username", do you mean the SMTP AUTH username?
In general, you can't drop connections "from a username" without first
allowing the AUTH to proceed, so you know what the username is.
If your server is handling the load just fine anyway, I'd say do nothing.
The
unwanted traffic will probably subside soon enough.
If it's *not* handling the load just fine, then the only suggestion I can
offer is to see if the same IPs are "attacking" again and again, and if they
are (and those IPs are *only* "attacking", they're not also performing
legitimate transactions), then block the offending IP addresses; either at
your firewall, or in acl_smtp_connect.
(acl_smtp_connect is probably easier to implement and could even be
automated;
but each attacking connection still uses a non-negligible amount of server
resource).