Re: [exim] Kick user - force disconnect authenticated sessio…

Top Page
This message is part of the following thread:
M---++-+-\the complete thread tree sorted by date
M-+\MM.M\MMarcin Gryszkalis at <-
M\MM.M\MMMike Cardwell at ->
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Marcin Gryszkalis
CC: exim-users
Subject: Re: [exim] Kick user - force disconnect authenticated sessions
On 2013-08-08 at 00:44 +0200, Marcin Gryszkalis wrote:
> It would be used to close sessions used by accounts stolen by spammers.After
> detecting unusual rate of mails from one account I lock it in database, freeze
> all suspiciousmails in queue, send alert to postmasterand close all imap/pop3
> sessions (with `doveadm kick user@`) - I'd like to close all SMTP sessions as
> well (and do it quick!) but I don't know how to find them. Unfortunately
> process_info log (like viewed by exiwhat) doesn't include authentication info.

log_selector = +pid +smtp_connection

Make sure that the authenticators use server_set_id to note the identity
of the client.

At this point, you only know about the authenticated users once they've
tried to send one email, but once they do, you have a log-line which
records with A=<authenticator>:$authenticated_id which user
authenticated to try to send the email (thus the need to use
server_set_id) and early in the log-line you have a [pid] field in
square brackets.

At that point, it's a grep/xargs problem, which you can script.
Something like this, untested, is the dangerous version: 

  #!/bin/sh
  ## HUGE CAVEAT: read below, danger using this on a busy system
  userid="${1:?need a user id}"
  shift
  if [ $# -lt 1 ]; then
    echo >&2 "$0: need at least one logfile"
    exit 1
  fi
  for logfile
  do
    pcregrep '\bA=[^:]+:'"${userid} " "$logfile" | \
       pcregrep -o '^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \[\K\d+(?=\])'
  done | xargs -t kill -v


However, on a busy mail-server, pids get recycled and used again.

Thus the +smtp_connection in the log_selector: this will tell you when
connections are made and when they're lost (whether by EOF or QUIT).

So a better solution will use the regular expressions as the starting
point in a log-processing script which notes the pids but removes them
from the candidate list when a log-line shows that the connection closes
(that line will also have the pid on it: pid is *consistently* logged,
when in the selector) and end up with "pids which have seen mail
authenticated as this user and for which we have not seen a connection
close".

That'll take slightly longer to write, so is left as an exercise for the
reader. :)

-Phil

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Kick user - force disconnect authenticated sessionsRe: [exim] Kick user - force disconnect authenticated sessions->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)