On Tue, Oct 27, 2009 at 12:21:13PM -0700, Totty wrote:
> Could you please describe how this works? for example: after 15 failures the
> client is blocked for 2 hours.
> If you don't mind, a sample configuration file would be really helpful.
Well, the configuration is listed in its entirety below actually. Just
copy/paste each particular portion into the specified section.
Note that I added the following line into the global section below:
smtp_accept_max_nonmail = 5
That will limit the number of failed auth attempts per connection and
the BADAUTH_LIMIT macro sets the number of connections that can fail
due to failed auth.
How does it work? Essentially, when a connection ends, either the
check_quit or the check_notquit ACL is executed depending upon whether
it was a graceful disconnection or not. Either way, if it sees that
authentication failed in any way, it increments the "badauth" counter
that is keyed to the sender's IP address.
When a new connection comes in, it checks the counter (without updating it)
to see if the limit has been hit within the BADAUTH_LIMIT timeframe.
Here are the original config items:
> In the global config section of your config:
>
> BADAUTH_LIMIT = 15 / 2h
>
> acl_smtp_connect = check_connection
> acl_smtp_quit = check_quit
> acl_smtp_notquit = check_notquit
> smtp_accept_max_nonmail = 5
>
> In the ACL section of your config:
>
> check_connection:
>   # read the counter only (noupdate); drop once the limit is exceeded
>   drop message = Too many failed authentication attempts
>        ratelimit = BADAUTH_LIMIT / noupdate / \
>                    badauth:$sender_host_address
>
> check_quit:
>   # graceful QUIT: bump the counter only if authentication failed
>   accept condition = ${if eq{$authentication_failed}{1}}
>          ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
> check_notquit:
>   # connection dropped without QUIT: same update as check_quit
>   accept condition = ${if eq{$authentication_failed}{1}}
>          ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
--
Dean Brooks
dean@???
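As an added illustration (not code from the thread or from Exim itself), the following Python models the two-ACL flow above: the connect ACL reads the badauth counter without touching it, and only a session that ends with a failed authentication updates it. The exponentially smoothed rate formula (a = exp(-i/p), r = a*r_prev + (1-a)*p/i) is my reading of how Exim's ratelimit condition computes the rate, and starting an unseen key at 0.0 is also an assumption; the IP addresses are constructed.

```python
"""Model of the BADAUTH_LIMIT = 15 / 2h failed-auth ratelimit (constructed example)."""
import math

BADAUTH_MAX = 15.0            # the "15" in BADAUTH_LIMIT = 15 / 2h
BADAUTH_PERIOD = 2 * 3600.0   # the "2h", in seconds

# Stand-in for Exim's ratelimit hints database: key -> (smoothed rate, last update time)
RATE_DB = {}


def update_rate(key, now, period=BADAUTH_PERIOD):
    """Record one event for key and return the new smoothed rate (events per period).

    Assumption: Exim-style smoothing with a = exp(-i/p), r = a*r_prev + (1-a)*p/i,
    where i is the seconds since the previous event and p is the period.
    """
    if key not in RATE_DB:
        RATE_DB[key] = (0.0, now)       # assumption: a never-seen key starts at 0.0
        return 0.0
    prev_rate, prev_time = RATE_DB[key]
    i = max(now - prev_time, 1e-3)      # guard against a zero interval
    a = math.exp(-i / period)
    rate = a * prev_rate + (1.0 - a) * period / i
    RATE_DB[key] = (rate, now)
    return rate


def check_connection(ip):
    """acl_smtp_connect: 'noupdate' means read the counter, never modify it."""
    rate, _ = RATE_DB.get("badauth:" + ip, (0.0, 0.0))
    return rate < BADAUTH_MAX           # False = the 'drop' verb fires


def connection_ended(ip, now, authentication_failed):
    """acl_smtp_quit / acl_smtp_notquit: only a failed-auth session bumps the counter."""
    if authentication_failed:
        update_rate("badauth:" + ip, now)


def simulate(ip, attempts, gap):
    """Run `attempts` failed-auth connections `gap` seconds apart; return how many got in."""
    RATE_DB.clear()
    accepted = 0
    for n in range(attempts):
        now = n * gap
        if not check_connection(ip):
            continue                     # dropped at connect time, no auth happens
        accepted += 1
        connection_ended(ip, now, authentication_failed=True)
    return accepted


if __name__ == "__main__":
    print(simulate("192.0.2.10", 40, 10.0))    # fast failures trip the limit
    print(simulate("192.0.2.10", 40, 600.0))   # one every 10 min never reaches 15/2h
```

With failures 10 seconds apart the smoothed rate passes 15 after the 17th session and every later connection is dropped at connect time; at one failure per 10 minutes the rate tops out near 12 per 2h and nothing is ever blocked, which is the trade-off of a rate rather than a hard count.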