Re: [exim] Drop smtp connection before authentication

Author: Dean Brooks
Date:  
To: exim-users
Subject: Re: [exim] Drop smtp connection before authentication
On Wed, Oct 28, 2009 at 10:27:24PM +0100, Torsten wrote:
> > How does it work? Essentially, when a connection ends, either the
> > check_quit or the check_notquit ACL is executed depending upon whether
> > it was a graceful disconnection or not. Either way, if it sees that
> > authentication failed in any way, it increments the "badauth" counter
> > that is keyed to the sender's IP address.
> >
> > When a new connection comes in, it checks the counter (without updating it)
> > to see if the limit has been hit within the BADAUTH_LIMIT timeframe.
>
> Just to verify that I understood it right. When you define the
> "BADAUTH_LIMIT = 15 / 2h", 15 bad logins within 2 hours are accepted
> from one IP address. When will the client be able to start a new
> authentication again?


Exim's ratelimits decay smoothly over time. In the above example, any
rolling 2-hour window will allow 15 connection failures. Or, thinking
of it another way, every 8 minutes or so a new connection attempt will
be allowed in this example.

Also, keep in mind that this ratelimit limits the number of
connections, not attempts. There can be multiple failure attempts per
connection, up to the smtp_accept_max_nonmail setting in your config file.

--
Dean Brooks
dean@???
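
Added example (not part of the original message and not Exim's own code): a small Python model of the smoothing described in the reply, treating the rate as an exponentially weighted moving average whose time constant is the 2-hour period. The update formula, the starting rate of 1 and the floor of one event per period are modelling assumptions; the exact arithmetic in a given Exim version may differ.

```python
import math

PERIOD_S = 2 * 60 * 60   # the "2h" in BADAUTH_LIMIT = 15 / 2h
LIMIT = 15.0             # the "15" in BADAUTH_LIMIT = 15 / 2h


def update_rate(prev_rate, interval_s, period_s=PERIOD_S, count=1.0):
    """One smoothing step, applied when a failed connection is recorded.

    Assumed model: rate = (1 - a) * count / (i/p) + a * prev_rate,
    with a = exp(-i/p), i = seconds since the previous event, p = period.
    """
    i_over_p = max(interval_s, 1e-9) / period_s
    a = math.exp(-i_over_p)
    rate = (1.0 - a) * count / i_over_p + a * prev_rate
    # Assumed floor: an isolated event still counts as one per period.
    return max(rate, count)


def rates_for(interval_s, events):
    """Smoothed rate after each of `events` failures spaced interval_s apart."""
    rate = 1.0               # assumed value after the first recorded failure
    out = [rate]
    for _ in range(events - 1):
        rate = update_rate(rate, interval_s)
        out.append(rate)
    return out


def first_over_limit(interval_s, events=500, limit=LIMIT):
    """1-based index of the first failure at which rate >= limit, else None."""
    for n, rate in enumerate(rates_for(interval_s, events), start=1):
        if rate >= limit:
            return n
    return None


if __name__ == "__main__":
    # Constructed spacings: a rapid burst, then one failure every 4/8/10/16 min.
    for spacing in (1, 240, 480, 600, 960):
        settled = rates_for(spacing, 200)[-1]
        print(f"{spacing:4d}s apart: settles near {settled:6.2f}, "
              f"first over limit at failure #{first_over_limit(spacing, 200)}")
```

In this model a rapid burst adds roughly 1 to the rate per failed connection, and one failure every 8 minutes settles at the limit of 15, the figure given in the reply.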