On 16 Feb 2012, at 20:42, Jeremy Harris wrote:
> On 2012-02-16 16:23, Ralph Ballier wrote:
>> But we have some hundred user. What can I do against such abuse, if somebody loose username and password? Is it possible to limit the number of mails from one unser per minute or so?
>
> Search for "ratelimit" in the manual. Include the authenticated-id in the ratelimit spec.
Yes, we have 11,000 users, and use rate limiting. You first must try to make your users aware of the phishing problem and encourage good password hygiene. There are some great posters available at
http://www.itd.umich.edu/posters/
Then you need to provide a good mailing list facility, so that you can isolate legitimate bulk mailings.
Finally, separate your MX and MSA properly. We advertise different domain names, supplied on different (virtual) IP addresses, so that we can maintain completely different configurations.
For authenticated users, who are not on local machines, we rate limit at a few hundred messages per day, with something like this in an ACL:
ratelimit = 200 / 1d / per_rcpt / strict / web-lim-$sender_address
Actually, this is one of several ACLs, and this is for our webmail users. It says, there's a limit of 200 recipients per day for each sender address. We don't permit sender address spoofing on our webmail service. For normal clients we do permit spoofing, and we use the authenticated-id (off-lim-$authenticated_id) as the key.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148