Re: [exim] Drop smtp connection before authentication

Author: Torsten
Date:  
To: Exim Mailing List
Subject: Re: [exim] Drop smtp connection before authentication
Thanks for your help, Dean.
This works really well!

Regards
Torsten
>> Well, the configuration is listed in its entirety below actually. Just
>> copy/paste each particular portion into the specified section.
>>
>> Note that I added the following line into the global section below:
>>
>>    smtp_accept_max_nonmail = 5
>>
>> That will limit the number of failed auth attempts per connection and
>> the BADAUTH_LIMIT macro sets the number of connections that can fail
>> due to failed auth.
>>
>> How does it work? Essentially, when a connection ends, either the
>> check_quit or the check_notquit ACL is executed depending upon whether
>> it was a graceful disconnection or not. Either way, if it sees that
>> authentication failed in any way, it increments the "badauth" counter
>> that is keyed to the sender's IP address.
>>
>> When a new connection comes in, it checks the counter (without updating it)
>> to see if the limit has been hit within the BADAUTH_LIMIT timeframe.
>>
>> Here are the original config items:
>>
>>
>> In the global config section of your config:
>>
>>     BADAUTH_LIMIT = 15 / 2h
>>
>>     acl_smtp_connect = check_connection
>>     acl_smtp_quit = check_quit
>>     acl_smtp_notquit = check_notquit
>>     smtp_accept_max_nonmail = 5
>>
>> In the ACL section of your config:
>>
>>     check_connection:
>>         drop message   = Too many failed authentication attempts
>>              ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
>>
>>     check_quit:
>>         accept condition = ${if eq{$authentication_failed}{1}}
>>                ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>>
>>     check_notquit:
>>         accept condition = ${if eq{$authentication_failed}{1}}
>>                ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>>
>
> --
> Dean Brooks
> dean@???
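The following is an added illustration of the ACL flow Dean describes in the quoted message; it is not code from the thread and not Exim's own implementation. The names BADAUTH_LIMIT, smtp_accept_max_nonmail, check_connection, check_quit and check_notquit are taken from the config above; everything else is an assumption. In particular, a plain sliding-window count stands in for Exim's ratelimit rate computation, and a client that exceeds smtp_accept_max_nonmail is modelled as an ungraceful close that lands in check_notquit. The point it makes visible is the ordering: the connect-time lookup is read-only (/noupdate), the counter only moves when a session that saw a failed AUTH ends, and the quit and notquit ACLs count alike so a client cannot dodge the counter by dropping the connection instead of sending QUIT.

```python
"""Constructed model of the per-IP 'badauth' throttle from the Exim thread.

Not Exim code. A sliding-window counter stands in for Exim's ratelimit
database, and the session loop is a toy, not an SMTP engine.
"""
from collections import defaultdict, deque

BADAUTH_LIMIT = 15            # from the thread: "BADAUTH_LIMIT = 15 / 2h"
BADAUTH_PERIOD_S = 2 * 3600   # the "2h" part of that macro, in seconds
SMTP_ACCEPT_MAX_NONMAIL = 5   # from the thread: smtp_accept_max_nonmail = 5


class BadAuthLimiter:
    """Per-IP counter of session endings that saw a failed AUTH (assumed model)."""

    def __init__(self, limit=BADAUTH_LIMIT, period_s=BADAUTH_PERIOD_S):
        self.limit = limit
        self.period_s = period_s
        # ip -> timestamps of failed-auth session endings inside the window
        self._events = defaultdict(deque)

    def _prune(self, ip, now):
        """Drop entries older than the period; return the live deque."""
        q = self._events[ip]
        while q and now - q[0] >= self.period_s:
            q.popleft()
        return q

    def check_connection(self, ip, now):
        """acl_smtp_connect: 'ratelimit = BADAUTH_LIMIT / noupdate / badauth:<ip>'.
        Read-only: connecting never bumps the counter. 'drop' once the
        stored count exceeds the limit, else 'accept'."""
        if len(self._prune(ip, now)) > self.limit:
            return "drop"
        return "accept"

    def session_ended(self, ip, now, authentication_failed):
        """acl_smtp_quit and acl_smtp_notquit share the same rule: if
        $authentication_failed is set, update badauth:<ip>. A graceful QUIT
        and an abrupt disconnect are therefore counted alike.
        Returns True when the counter was incremented."""
        if not authentication_failed:
            return False
        self._prune(ip, now).append(now)
        return True

    def count(self, ip, now):
        """Current in-window count for an IP (read-only helper for inspection)."""
        return len(self._prune(ip, now))


def run_session(limiter, ip, now, auth_attempts):
    """Toy SMTP session. auth_attempts: list of booleans, True = AUTH succeeded.
    smtp_accept_max_nonmail caps non-mail commands such as AUTH; exceeding it
    is modelled (assumption) as the server cutting the client off, so the
    session ends ungracefully and check_notquit, not check_quit, records it.
    Returns (connect_verdict, authentication_failed, graceful)."""
    verdict = limiter.check_connection(ip, now)
    if verdict == "drop":
        return verdict, False, False       # dropped at connect: no AUTH ever seen
    failed = False
    nonmail = 0
    graceful = True
    for ok in auth_attempts:
        nonmail += 1
        if nonmail > SMTP_ACCEPT_MAX_NONMAIL:
            graceful = False               # server cuts the client off
            break
        if not ok:
            failed = True                  # stays set for the whole session
    limiter.session_ended(ip, now, failed)
    return verdict, failed, graceful


def simulate_bruteforce(limiter, ip, sessions, start=0, spacing_s=60):
    """Run `sessions` one-attempt sessions from one IP, each failing AUTH,
    spaced spacing_s apart. Returns the list of connect-time verdicts."""
    return [run_session(limiter, ip, start + i * spacing_s, [False])[0]
            for i in range(sessions)]


if __name__ == "__main__":
    lim = BadAuthLimiter()
    verdicts = simulate_bruteforce(lim, "192.0.2.10", 20)   # constructed test IP
    print(verdicts.count("accept"), "accepted,", verdicts.count("drop"), "dropped")
```

Running it shows the 16th failed session from one address accepted and the following ones dropped: the connect-time check sees only what earlier sessions wrote, and a session that exceeds the non-mail command cap is still counted once, through check_notquit, when it is cut off.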