Re: [exim] Drop smtp connection before authentication

On Tue, Jul 21, 2009 at 06:05:18PM -0700, Todd Lyons wrote:
> On Mon, Jul 20, 2009 at 11:57 AM, Dean Brooks<dean@???> wrote:
> > You can change the BADAUTH_LIMIT macro to any rate you like, but we use
> > 15 failed attempts in 2 hours as the threshold.
>
> In the event that a user gets blocked, how do you expediently handle
> the case where tech support helps a user fix the password and then
> retries to send. What do you do to puge the db file that holds this
> info? Is it actually in a hints database? Or is it all in memory at
> this point?

The ratelimits are using the "leaky" recording method, which is the
default type of rate limiting unless "strict" is otherwise specified.
So, even if they send 1,000 bad auth attempts, the database will only
have recorded 15 attempts (in 2 hours).

Because the recorded count decays constantly and linearly over the
time period, a "slot" would open up every 8 minutes (120 min / 15
attempts). In the few cases where we've had a customer call, we've
just told customer to wait up to 10 minutes before trying again.

The shorter the time period, the shorter the decay intervals will get.
You can play around with the numbers, but that's why we chose something
low like 2 hours instead of setting a 24 hour period or something similar.

The database file is actually in your exim spool directory in files
called "db/ratelimits.*". You can simply delete the database
completely and it will recreate a blank one if you needed to restore
access instantly. In our environment, though, the 8 to 10 minute
delay wasn't a problem.

We've found that most of the bad auth attempts we receive are simply
clients who have canceled accounts but have forgotten to de-configure
their mail client.

--
Dean Brooks
dean@???