Autor: Dean Brooks Datum: To: exim-users Betreff: Re: [exim] Drop smtp connection before authentication
On Wed, Oct 28, 2009 at 10:27:24PM +0100, Torsten wrote: > > How does it work? Essentially, when a connection ends, either the
> > check_quit or the check_notquit ACL is executed depending upon whether
> > it was a graceful disconnection or not. Either way, if it sees that
> > authentication failed in any way, it increments the "badauth" counter
> > that is keyed to the sender's IP address.
> >
> > When a new connection comes in, it checks the counter (without updating it)
> > to see if the limit has been hit within the BADAUTH_LIMIT timeframe.
>
> Just to verify that I understood it right. When you define the
> "BADAUTH_LIMIT = 15 / 2h", 15 bad logins within 2 hours are accepted
> from one IP address. When will the client be able to start a new
> authentication again?
Exim's ratelimits decay smoothly over time. In the above example, any
rolling 2-hour window will allow 15 connection failures. Or, thinking
of it another way, every 8 minutes or so a new connection attempt will
be allowed in this example.
Also, keep in mind that this ratelimit limits the number of
connections, not attempts. There can be multiple failure attempts per
connection, up to the smtp_accept_max_nonmail setting in your config file.