[exim] Kick user - force disconnect authenticated sessions

Author: Marcin Gryszkalis
Date:  
To: exim-users
Subject: [exim] Kick user - force disconnect authenticated sessions
Hi
I wonder if it's possible to disconnect all active sessions for a given
authenticated user.

It would be used to close sessions used by accounts stolen by spammers. After
detecting an unusual rate of mails from one account I lock it in the database, freeze
all suspicious mails in the queue, send an alert to postmaster and close all imap/pop3
sessions (with `doveadm kick user@`) - I'd like to close all SMTP sessions as
well (and do it quick!) but I don't know how to find them. Unfortunately
process_info log (like viewed by exiwhat) doesn't include authentication info.

Possible solutions that came to my mind (not really useful):
1. Extending set_process_info() calls but I'm afraid this could break some
scripts using exiwhat. Patch maintenance could be painful too...
2. Killing all exim processes (not acceptable for larger servers with hundreds
of active sessions)
3. Parsing log files to find sessions (doesn't work because PIDs are not
logged for smtp child processes)
4. Parsing log files and blocking IPs on local firewall (parsing is i/o
hungry, long blacklist overhead on firewall, blacklist cleanup not so easy,
possible false positives including original account owner)

Can you advise different/better approach?

best regards

--
Marcin Gryszkalis, PGP 0x9F183FA3
jabber jid:mg@???, gg:2532994