[exim] Rate limiting and TOTP - was Re: Looking for an exam…

Author: Andrew C Aitchison
Date:  
To: Sebastian Nielsen
CC: exim-users
Old-Topics: Re: [exim] Looking for an example
Subject: [exim] Rate limiting and TOTP - was Re: Looking for an example
On Wed, 1 Jul 2020, Sebastian Nielsen via Exim-users wrote:

> It's just that such systems as you describe only prevent further damage when
> the damage is already done. A few spam messages could be enough
> to get blacklisted. So even if you ratelimit to like 10 messages per day,
> you still risk ending up on a blacklist if some account is compromised.


For low volume systems, yes that could be true.

> The best way as I said is to enforce sign in limits.
> Limit account to GeoIP,
> limit account to ISP.
> Require TOTP to reset IP limits.
> Use TOTP for webmail login.
> Only allow limitless logins from campus IPs.


    ...    ...


> TOTP is the easiest way to secure an account, but doesn't work over
> SMTP/IMAP; instead it can only be used in webmail. That's why you
> need to use some IP limitation for SMTP/IMAP, where a TOTP login to
> the webmail also authorizes the source IP to access SMTP/IMAP for
> the user in question.


(X)OAUTH2 uses short-term, but not one-time, passwords.
Microsoft and Gmail seem to be using these successfully
with SMTP/POP/IMAP. Would this be an acceptable alternative?

(Exim doesn't currently support (X)OAUTH2 and experience with
alpine/fetchmail/mutt/thunderbird suggests that client-side support is
needed for each host domain, so I am not clear that this is a feasible
suggestion.)

-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???
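The scheme Sebastian describes (campus IPs log in freely; any other source IP must first be authorised by a TOTP login to webmail before SMTP/IMAP authentication is accepted, with a per-account sending cap on top) is sketched below as an added, stand-alone example. It is not code from this thread, from Exim or from any webmail package. The TOTP arithmetic follows RFC 4226/6238 and is checked against the RFC 6238 SHA-1 test secret; the campus network, the 12-hour grant lifetime, the one-code-per-step replay rule and the user names are assumptions chosen for illustration. A real deployment would keep the secrets and grants in a store that Exim's authenticators or ACLs can consult, not in a Python dict.

```python
"""TOTP-gated source-IP authorisation for SMTP/IMAP, plus a per-account send cap.

Added example; assumptions (campus net, TTLs, users) are illustrative only.
"""
import hashlib
import hmac
import ipaddress
import struct
from collections import deque


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, code: str, at: int, step: int = 30,
               digits: int = 6, skew: int = 1):
    """Return the counter whose code matches (current step +/- skew for clock drift),
    or None. Each candidate is compared in constant time."""
    counter = at // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


class MailAccessGate:
    """Campus addresses may always authenticate to SMTP/IMAP; any other source IP
    must first be granted by a successful TOTP webmail login, and the grant expires."""

    def __init__(self, campus_nets, grant_ttl: int = 12 * 3600, step: int = 30):
        self.campus = [ipaddress.ip_network(n) for n in campus_nets]  # assumed campus ranges
        self.grant_ttl = grant_ttl      # assumed lifetime of an IP grant, in seconds
        self.step = step
        self.secrets = {}               # user -> TOTP secret (encrypt at rest in real life)
        self.grants = {}                # user -> {source ip: expiry time}
        self.last_counter = {}          # user -> last TOTP counter accepted (replay defence)

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def webmail_login(self, user: str, code: str, ip: str, now: int) -> bool:
        """Verify the TOTP code; on success authorise `ip` for SMTP/IMAP until now + ttl.
        A code is spent once used: the same or an older counter is refused (replay)."""
        secret = self.secrets.get(user)
        if secret is None:
            return False
        c = match_totp(secret, code, now, self.step)
        if c is None or c <= self.last_counter.get(user, -1):
            return False
        self.last_counter[user] = c
        self.grants.setdefault(user, {})[ip] = now + self.grant_ttl
        return True

    def may_use_smtp_imap(self, user: str, ip: str, now: int) -> bool:
        """The check an SMTP/IMAP authenticator would run before accepting credentials."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.campus):
            return True
        return self.grants.get(user, {}).get(ip, 0) > now


class SendLimiter:
    """Per-account sliding-window cap on accepted messages (e.g. 10 per day)."""

    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self.sent = {}                  # user -> deque of accept timestamps

    def allow(self, user: str, now: int) -> bool:
        q = self.sent.setdefault(user, deque())
        while q and q[0] <= now - self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"     # RFC 6238 test secret (SHA-1)
    gate = MailAccessGate(["10.0.0.0/8"])  # assumed campus range
    gate.enroll("alice", secret)
    print(totp(secret, 59), gate.webmail_login("alice", totp(secret, 59), "203.0.113.5", 59))
    print(gate.may_use_smtp_imap("alice", "203.0.113.5", 60))
```

The grant is keyed by the exact source address, so a user behind a carrier NAT or on a roaming mobile connection will be asked for a fresh webmail login whenever the address changes; that is the trade-off Sebastian's design makes, and the grant TTL is the knob that controls how often it bites.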