Re: [exim] Drop smtp connection before authentication

Author: Exim Mailing List
Date:  
To: Totty
CC: exim-users
Subject: Re: [exim] Drop smtp connection before authentication
On Tue, Oct 27, 2009 at 12:21:13PM -0700, Totty wrote:
> Could you please describe how this works? for example: after 15 failures the
> client is blocked for 2 hours.
> If you don't mind, a sample configuration file would be really helpful.


Well, the configuration is listed in its entirety below actually. Just
copy/paste each particular portion into the specified section.

Note that I added the following line into the global section below:

smtp_accept_max_nonmail = 5

That will limit the number of failed auth attempts per connection and
the BADAUTH_LIMIT macro sets the number of connections that can fail
due to failed auth.

How does it work? Essentially, when a connection ends, either the
check_quit or the check_notquit ACL is executed depending upon whether
it was a graceful disconnection or not. Either way, if it sees that
authentication failed in any way, it increments the "badauth" counter
that is keyed to the sender's IP address.

When a new connection comes in, it checks the counter (without updating it)
to see if the limit has been hit within the BADAUTH_LIMIT timeframe.

Here are the original config items:

> In the global config section of your config:
>
>     BADAUTH_LIMIT = 15 / 2h
>
>     acl_smtp_connect = check_connection
>     acl_smtp_quit = check_quit
>     acl_smtp_notquit = check_notquit
>     smtp_accept_max_nonmail = 5
>
> In the ACL section of your config:
>
>     check_connection:
>         drop message   = Too many failed authentication attempts
>              ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
>
>     check_quit:
>         accept condition = ${if eq{$authentication_failed}{1}}
>                ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
>     check_notquit:
>         accept condition = ${if eq{$authentication_failed}{1}}
>                ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address

--
Dean Brooks
dean@???
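As an added illustration that is not part of this thread and not Exim's own code: a small Python model of the three hooks the message describes, so the behaviour of "15 / 2h" can be traced step by step. The connect hook reads the per-IP record without updating it (the `noupdate` check), and the quit/notquit hook adds one event only when authentication failed. The smoothing follows the exponentially weighted moving average that the Exim spec describes for `ratelimit`, in a simplified form; the exact values Exim keeps in its hints database will differ, and the client address and timings are constructed for the scenario.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Parameters taken from BADAUTH_LIMIT = 15 / 2h in the thread (model only, not Exim code)
BADAUTH_LIMIT = 15.0
BADAUTH_PERIOD = 2 * 3600.0  # 2h in seconds
CLIENT_IP = "192.0.2.10"      # constructed documentation address


@dataclass
class RateRecord:
    """What the model stores per key 'badauth:<ip>': smoothed rate and last update time."""
    rate: float = 0.0
    last: Optional[float] = None


class BadAuthLimiter:
    """Model of the ACLs: check at connect (noupdate), update at quit/notquit."""

    def __init__(self, limit: float = BADAUTH_LIMIT, period: float = BADAUTH_PERIOD) -> None:
        self.limit = limit
        self.period = period
        self.db: Dict[str, RateRecord] = {}

    def _decay(self, rec: RateRecord, now: float) -> float:
        """Smoothed rate as of `now` without counting a new event (simplified EWMA)."""
        if rec.last is None:
            return 0.0
        interval = max(now - rec.last, 1e-3)
        return rec.rate * math.exp(-interval / self.period)

    def ratelimit(self, key: str, now: float, noupdate: bool = False) -> bool:
        """True when the key's smoothed rate is over the limit.

        noupdate=True (connect ACL) only reads the stored record.
        Otherwise one event is added (quit/notquit ACL after a failed AUTH).
        """
        rec = self.db.get(key, RateRecord())
        if noupdate:
            return self._decay(rec, now) > self.limit
        if rec.last is None:
            new_rate = 1.0                      # first recorded failure
        else:
            interval = max(now - rec.last, 1e-3)
            i_over_p = interval / self.period
            a = math.exp(-i_over_p)
            new_rate = (1.0 - a) / i_over_p + a * rec.rate   # EWMA update (simplified)
        self.db[key] = RateRecord(rate=new_rate, last=now)
        return new_rate > self.limit

    def check_connection(self, ip: str, now: float) -> str:
        """acl_smtp_connect: drop if the stored rate is already over the limit."""
        return "drop" if self.ratelimit(f"badauth:{ip}", now, noupdate=True) else "accept"

    def check_quit(self, ip: str, now: float, authentication_failed: bool) -> None:
        """acl_smtp_quit / acl_smtp_notquit: count the connection only if AUTH failed."""
        if authentication_failed:
            self.ratelimit(f"badauth:{ip}", now)


def burst(failures: int, spacing: float = 1.0) -> Tuple[BadAuthLimiter, float]:
    """Constructed scenario: one client fails AUTH on `failures` consecutive connections,
    `spacing` seconds apart. Returns the limiter and the time of the last failure."""
    lim = BadAuthLimiter()
    t = 0.0
    for i in range(failures):
        t = i * spacing
        if lim.check_connection(CLIENT_IP, t) == "accept":
            lim.check_quit(CLIENT_IP, t, authentication_failed=True)
    return lim, t


def run_scenario(failures: int, spacing: float = 1.0) -> List[str]:
    """Verdict at each connection of the burst, plus the next connection after it."""
    lim = BadAuthLimiter()
    verdicts = []
    t = 0.0
    for _ in range(failures):
        verdicts.append(lim.check_connection(CLIENT_IP, t))
        lim.check_quit(CLIENT_IP, t, authentication_failed=True)
        t += spacing
    verdicts.append(lim.check_connection(CLIENT_IP, t))
    return verdicts


if __name__ == "__main__":
    print("15 failures:", run_scenario(15)[-1])   # still accepted
    print("16 failures:", run_scenario(16)[-1])   # dropped at connect
    lim, t_last = burst(16)
    for delay in (300, 600, 7200):
        print(f"{delay:5d}s after the burst:", lim.check_connection(CLIENT_IP, t_last + delay))
```

Two things the model makes visible. First, because the smoothed rate is an average rather than a hard counter, "15 / 2h" is a threshold on the rate: sixteen rapid failures push it over 15, but the client is accepted again once the rate decays below the limit, which in the model is a few minutes after the burst stops rather than two hours. Second, a dropped client never reaches AUTH, so `$authentication_failed` stays unset on those connections and the quit/notquit hook does not refresh the counter; if a longer lock-out is wanted, the period or the limit has to be tuned with that decay in mind.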