Re: [exim] Drop smtp connection before authentication

Author: Exim Mailing List
Date:  
To: Edison F Carbol
CC: Exim Mailing List
New-Topics: Re: [exim] Drop smtp connection before authentication
Subject: Re: [exim] Drop smtp connection before authentication
On Mon, Jul 20, 2009 at 10:12:29AM -0300, Edison F Carbol wrote:
> Is it possible to drop smtp connection before authentication per username?
>
> My server is congested with many attempts to authenticate with a deleted
> account.


Here's what we use to automatically control failed authentication attempts.
If you have this in place, your server will automatically begin rejecting
hosts that send repeated auth failure attempts.

You can change the BADAUTH_LIMIT macro to any rate you like, but we use
15 failed attempts in 2 hours as the threshold.

In the global config section of your config:

BADAUTH_LIMIT = 15 / 2h

acl_smtp_connect = check_connection
acl_smtp_quit = check_quit
acl_smtp_notquit = check_notquit

In the ACL section of your config:

   check_connection:
       drop message   = Too many failed authentication attempts
            ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address


   check_quit:
       accept condition = ${if eq{$authentication_failed}{1}}
              ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address


   check_notquit:
       accept condition = ${if eq{$authentication_failed}{1}}
              ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address


We need the rate limiting portion in BOTH the "quit" and "notquit" sections
for this to work properly, as you don't know how the connection will
end up closing.

You also don't want to put the ratelimiting in the RCPT or DATA section,
because the connection will never get that far (they haven't authenticated!).
You can't put it in the MAIL section either because, again, they haven't
authenticated.

Thought someone else might find this useful. Rate limits are fun. :)

--
Dean Brooks
dean@???
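To show how the three ACL fragments in the post behave over time, here is an added simulation (mine, not code from the post or from Exim) of the per-key rate that Exim's ratelimit condition keeps: the connect ACL reads it with noupdate, and the quit/notquit ACLs count a session only when $authentication_failed is set. The exponentially weighted moving average, the first-sighting value of 1 and the "noupdate means decay only" reading are assumptions taken from my understanding of the Exim spec, not facts stated in the post; the client addresses and timings are constructed.

```python
import math

LIMIT, PERIOD_S = 15.0, 2 * 3600    # the two halves of BADAUTH_LIMIT = 15 / 2h

class RateDB:
    """Per-key rate store standing in for Exim's ratelimit hints database. Assumption: the
    exponentially weighted moving average the Exim spec describes, so a steady stream of
    N events per period settles at a rate of N and idle time decays the rate."""
    def __init__(self, period_s=PERIOD_S):
        self.period, self.db = period_s, {}        # db: key -> (rate, time of last update)

    def update(self, key, now):
        """Count one event and store the new rate (the quit/notquit ACL's ratelimit line)."""
        if key not in self.db:
            rate = 1.0                             # first sighting: one event this period
        else:
            rate, last = self.db[key]
            i_over_p = max(now - last, 1e-9) / self.period   # guard a stalled clock
            a = math.exp(-i_over_p)
            rate = (1 - a) / i_over_p + a * rate
        self.db[key] = (rate, now)
        return rate

    def read(self, key, now):
        """The noupdate form (connect ACL): decayed rate only, nothing counted or stored."""
        if key not in self.db:
            return 0.0
        rate, last = self.db[key]
        return rate * math.exp(-max(now - last, 0.0) / self.period)

def check_connection(db, host, now):
    """acl_smtp_connect: drop when the host's failed-auth rate already exceeds the limit."""
    return "drop" if db.read("badauth:" + host, now) > LIMIT else "accept"

def simulate(events, session_s=1):
    """events: (unix time, client IP, auth_failed) per connection, in time order per host.
    Returns the connect-ACL verdict for each connection."""
    db, verdicts = RateDB(), []
    for t, host, failed in events:
        verdict = check_connection(db, host, t)
        verdicts.append(verdict)
        if verdict == "accept" and failed:         # quit/notquit: count only sessions whose AUTH
            db.update("badauth:" + host, t + session_s)   # failed; dropped connections never get there
    return verdicts

# Constructed sample: 17 rapid AUTH failures from one host, that host again a day later, and
# 10 failures ten minutes apart from a second host (well under 15 per 2h).
EVENTS = ([(5 * n, "192.0.2.10", True) for n in range(17)] + [(86480, "192.0.2.10", True)]
          + [(600 * n, "198.51.100.7", True) for n in range(10)])
```

Running simulate(EVENTS) shows the first host accepted for its first 16 failures, dropped on the 17th connection, and accepted again a day later once the rate has decayed, while the slow second host is never dropped.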