Autor: Marcin Gryszkalis Datum: To: exim-users Betreff: [exim] Kick user - force disconnect authenticated sessions
Hi
I wonder if it's possible to disconnect all active sessions for given
authenticated user.
It would be used to close sessions used by accounts stolen by spammers.After
detecting unusual rate of mails from one account I lock it in database, freeze
all suspiciousmails in queue, send alert to postmasterand close all imap/pop3
sessions (with `doveadm kick user@`) - I'd like to close all SMTP sessions as
well (and do it quick!) but I don't know how to find them. Unfortunately
process_info log (like viewed by exiwhat) doesn't include authentication info.
Possible soultions that came to my mind (not really useful):
1. Extending set_process_info() calls but I'm afraid this could break some
scriptsusing exiwhat. Patch maintenance could be painful too...
2. Killing all exim processes (not acceptable for largerserverswith hundrets
of active sessions)
3. Parsing log files to find sessions (doesn't work because PIDs are not
logged for smtp child processes)
4. Parsing log files and blocking IPs on local firewall (parsing is i/o
hungry, long blacklist overhead on firewall, blacklist cleanup not so easy,
possible false positives including original account owner)
Can you advise different/better approach?
best regards
--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg@???, gg:2532994