Re: [exim] Exim4 ratelimiting

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Duane Hill
Datum:  
To: exim-users
Betreff: Re: [exim] Exim4 ratelimiting
On Friday, October 31, 2014, 6:20:33 PM, Joshua wrote:

> On Oct/31 08:12AM, Duane Hill wrote:
>>
>> On Thursday, October 30, 2014, 11:33:43 PM, Biju wrote:
>>
>> > Hi All,
>> >
>> > I am trying to ratelimit outgoing messages in my exim4 daemon. Many a times,
>> > our mail server has been hacked, multiple identity has been added and using
>> > those ids, hackers send out bulk spam mails. Once the limit is overcome,
>> > many domains are blacklisting us. As I understand from the manuals and
>> > searching the mailing lists, outgoing mails can not be ratelimited. Please
>> > correct me if I am wrong.
>> >
>> > What I am thinking is to rate limit using IP tables number of messages going
>> > out domain wise to some limit. I can only reject connections using IP
>> > tables. What I need is to defer the rejected connections. Where in the exim4
>> > do I do this? Is it in routers?
>> >
>> > I am sure many of you may have faced such issues. Please help with
>> > appropriate pointers.
>>
>> Doing a quick Google search (search terms: 'exim rate limit') turns up
>> a post to github from Lena on 'Blocking compromised accounts
>> (outgoing spam) and auth cracking'.
>>
>> https://github.com/Exim/exim/wiki/BlockCracking
>>
>> Perhaps you can use this or tailor it to your needs in accomplishing
>> your task.


> I'm no expert, but wouldn't the appropriate response be to learn to
> secure the server, rather than hacking on exim to solve this problem?


Sure. You are securing the server by using the Exim configuration to
rate limit local and virtual accounts. I use rate limits for
authenticated accounts based on, 1) authentications per time period,
2) number of recipients per authentication per time period, and 3)
bytes sent per authentication per time period. Everything is stored in
MySQL. The time period can be seconds, minutes, hours, days, weeks,
months. On bytes sent, it can be bytes, KB, MB, GB, TB.

As an example, in my acl_check_mail I rate limit authentication via:

  #       ---------------------------------------------------------------------------- - #
  #       Rate limit the number of times an account can authenticate.                - - #
  #       ---------------------------------------------------------------------------- - #


  warn    authenticated = *
          ratelimit     = 0/$acl_c_auth_tmpd/per_mail/strict/{$authenticated_id}_auth
          log_message   = Auth rate for ($authenticated_id): \
                          current:$sender_rate, period:$sender_rate_period, \
                          maximum:$acl_c_auth_limit.


  deny    message       = Your authentication rate per time period has \
                          been exceeded (current:$sender_rate, \
                          period:$sender_rate_period, maximum:$acl_c_auth_limit).
          authenticated = *
          ratelimit     = $acl_c_auth_limit/$acl_c_auth_tmpd/per_mail/strict/{$authenticated_id}_auth
          log_message   = Auth rate exceeded for ($authenticated_id): \
                          current:$sender_rate, period:$sender_rate_period, \
                          maximum:$acl_c_auth_limit.


--
Duane Hill
duihi77@???
"If at first you don't succeed, so much for sky diving."