Re: [exim] Drop smtp connection before authentication

Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] Drop smtp connection before authentication
> Dean Brooks wrote:
>> Here's what we use to automatically control failed authentication
>> attempts. If you have this in place, your server will automatically
>> begin rejecting hosts that send repeated auth failure attempts.
>>
>> You can change the BADAUTH_LIMIT macro to any rate you like, but we use
>> 15 failed attempts in 2 hours as the threshold.
>>
>> In the global config section of your config:
>>
>>    BADAUTH_LIMIT = 15 / 2h
>>
>>    acl_smtp_connect = check_connection
>>    acl_smtp_quit = check_quit
>>    acl_smtp_notquit = check_notquit
>>
>> In the ACL section of your config:
>>
>>    check_connection:
>>        drop message   = Too many failed authentication attempts
>>             ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
>>
>>    check_quit:
>>        accept condition = ${if eq{$authentication_failed}{1}}
>>               ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>>
>>    check_notquit:
>>        accept condition = ${if eq{$authentication_failed}{1}}
>>               ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>>
>> We need the rate limiting portion in BOTH the "quit" and "notquit"
>> sections for this to work properly, as you don't know how the
>> connection will end up closing.
>>
>> You also don't want to put the ratelimiting in the RCPT or DATA section,
>> because the connection will never get that far (they haven't
>> authenticated!). You can't put it in the MAIL section either because,
>> again, they haven't authenticated.
>>
>> Thought someone else might find this useful. Rate limits are fun. :)


If a client makes a single connection to your SMTP server and then makes a
million attempts to authenticate using different credentials each time,
wouldn't that only increment the ratelimit value by 1, as it only
increments the value on exit? E.g., in the following example I make
three different authentication failures but only quit once:

EHLO example.com
250-haven.grepular.com Hello haven.grepular.com [92.48.122.147]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH LOGIN PLAIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
Zm9v
334 UGFzc3dvcmQ6
Zm9v
535 Incorrect authentication data
AUTH LOGIN
334 VXNlcm5hbWU6
YmFy
334 UGFzc3dvcmQ6
YmFy
535 Incorrect authentication data
AUTH LOGIN
334 VXNlcm5hbWU6
ZXhpbQ==
334 UGFzc3dvcmQ6
ZXhpbQ==
535 Incorrect authentication data
quit
221 haven.grepular.com closing connection

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
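Added example, not Exim's code and not from either message in this thread: a Python replay of the counting question raised above. It builds constructed transcripts in the shape of the quoted session (the hostnames mx.example.net / client.example.com and the address 192.0.2.10 are made up), then applies the two possible increments to a per-host counter keyed like the quoted ACL: one per connection that ended with $authentication_failed set, which is what the quit/notquit ACLs do, and one per 535 response. A simple fixed-window counter stands in for Exim's ratelimit smoothing, so the exact thresholds are illustrative; the ordering (check with noupdate at connect, update at connection end) mirrors the quoted config.

```python
"""Per-connection vs per-attempt counting of failed SMTP AUTH.

Hypothetical simulation: not Exim code and not from the mailing-list post.
A fixed-window counter stands in for Exim's ratelimit smoothing.
"""
import base64
from collections import defaultdict

BADAUTH_LIMIT = 15           # BADAUTH_LIMIT = 15 / 2h in the quoted config
BADAUTH_PERIOD = 2 * 3600    # 2h, in seconds


def make_session(credentials, host="mx.example.net"):
    """Build a constructed transcript: one connection, one failed AUTH LOGIN
    per (user, password) pair, then QUIT. The 'C:'/'S:' labels are ours."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    lines = ["C: EHLO client.example.com",
             f"S: 250-{host} Hello client.example.com [192.0.2.10]",
             "S: 250-AUTH LOGIN PLAIN", "S: 250 HELP"]
    for user, password in credentials:
        lines += ["C: AUTH LOGIN", "S: 334 VXNlcm5hbWU6", f"C: {b64(user)}",
                  "S: 334 UGFzc3dvcmQ6", f"C: {b64(password)}",
                  "S: 535 Incorrect authentication data"]
    lines += ["C: quit", f"S: 221 {host} closing connection"]
    return "\n".join(lines) + "\n"


def parse_session(transcript):
    """Return (failed_auth_count, quit_seen) for one SMTP connection."""
    failures, quit_seen = 0, False
    for line in transcript.splitlines():
        if line.startswith("S: 535"):
            failures += 1
        elif line.startswith("C: ") and line[3:].strip().lower() == "quit":
            quit_seen = True
    return failures, quit_seen


def quoted_increment(transcript):
    """What check_quit/check_notquit add: 1 if any AUTH in the connection
    failed ($authentication_failed == 1), regardless of how many failed."""
    return 1 if parse_session(transcript)[0] > 0 else 0


def per_attempt_increment(transcript):
    """Alternative policy: one increment per 535 response."""
    return parse_session(transcript)[0]


class FixedWindowLimiter:
    """Counts events per key (e.g. 'badauth:<ip>') inside a fixed window.
    Simplification of Exim's ratelimit, which smooths the rate over time."""
    def __init__(self, limit, period):
        self.limit, self.period = limit, period
        self.events = defaultdict(list)   # key -> timestamps

    def update(self, key, now, n=1):
        """Record n events; like 'ratelimit = ...' without /noupdate."""
        self.events[key].extend([now] * n)

    def over_limit(self, key, now):
        """Check only; like 'ratelimit = ... / noupdate'. True when over."""
        recent = [t for t in self.events[key] if t > now - self.period]
        self.events[key] = recent
        return len(recent) > self.limit


def first_dropped_connection(sessions, increment, key="badauth:192.0.2.10"):
    """Replay connections 1s apart. Return the 1-based index of the first
    connection check_connection would drop, or None if none is dropped."""
    limiter = FixedWindowLimiter(BADAUTH_LIMIT, BADAUTH_PERIOD)
    for i, transcript in enumerate(sessions, 1):
        if limiter.over_limit(key, i):      # acl_smtp_connect, noupdate
            return i
        limiter.update(key, i, increment(transcript))   # quit / notquit
    return None


# The session from the message above: three failures, one QUIT.
MIKE = make_session([("foo", "foo"), ("bar", "bar"), ("exim", "exim")])
# One connection with twenty failed AUTHs before a single QUIT.
BURST = make_session([(f"user{i}", f"pass{i}") for i in range(20)])

if __name__ == "__main__":
    print("quoted config sees", quoted_increment(MIKE), "for 3 failures")
    print("burst of 20 then 5 more connections, quoted config drops at:",
          first_dropped_connection([BURST] + [MIKE] * 5, quoted_increment))
    print("same traffic, per-attempt counting drops at:",
          first_dropped_connection([BURST] + [MIKE] * 5, per_attempt_increment))
```

Running it shows the gap in numbers: the three-failure session counts as 1 under the quoted ACLs and as 3 per attempt, and a single connection carrying twenty failed AUTHs never trips the 15-per-window threshold when counted per connection, while per-attempt counting drops the very next connection from that host.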