On Wed, 1 Jul 2020, Sebastian Nielsen via Exim-users wrote:
> It's just that such systems as you describe only prevent further damage when
> the damage is already done. It could be enough with like a few spam messages
> to get blacklisted. So even if you ratelimit to like 10 messages per day,
> you still risk ending up on a blacklist if some account is compromised.
For low volume systems, yes that could be true.
> The best way as I said is to enforce sign in limits.
> Limit account to GeoIP,
> limit account to ISP.
> Require TOTP to reset IP limits.
> Use TOTP for webmail login.
> Only allow limitless logins from campus IPs.
... ...
> TOTP is the easiest way to secure an account, but doesn't work over
> SMTP/IMAP, instead it can only be used in webmail, that's why you
> need to use some IP limitation for SMTP/IMAP where a TOTP login to
> the webmail also authorizes the source IP to access SMTP/IMAP for
> the user in question.
(X)OAUTH2 uses short-term, but not one-time, passwords.
Microsoft and Gmail seem to be using these successfully
with SMTP/POP/IMAP. Would this be an acceptable alternative?
(Exim doesn't currently support (X)OAUTH2 and experience with
alpine/fetchmail/mutt/thunderbird suggests that client-side support is
needed for each host domain, so I am not clear that this is a feasible
suggestion.)
--
Andrew C. Aitchison Kendal, UK
andrew@???
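The scheme quoted above (a TOTP login to webmail authorizes the source IP for SMTP/IMAP, campus IPs are exempt, and sign-in attempts are limited) can be sketched as a small policy store. The following is an added illustration written for this page; it is not code from the thread, from Exim, or from any webmail product, and it does not show how an MTA would consult it. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) and is checked against the RFC 4226/6238 reference secret; the grant lifetime, the lockout threshold, the campus network and all user names and IPs are constructed values. Two caveats a practitioner would want are built in: a TOTP code is only accepted once (a replay guard keyed on the time-step counter), and repeated failures from one IP lock that IP out for a while.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

TOTP_STEP = 30          # RFC 6238 default time step in seconds
TOTP_DIGITS = 6
GRANT_TTL = 12 * 3600   # constructed policy: one TOTP login authorizes the IP for 12 h
MAX_FAILURES = 5        # constructed policy: failed TOTP attempts per IP ...
FAIL_WINDOW = 3600      # ... within this many seconds lock the IP out

# RFC 4226 / RFC 6238 reference secret "12345678901234567890", base32-encoded
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, for_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the 30 s time-step counter, 6 decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def totp_counter(secret_b32: str, code: str, now: int, window: int = 1):
    """Return the time-step counter whose code matches, allowing +/- `window`
    steps of clock drift, or None if no step in the window matches."""
    for drift in range(-window, window + 1):
        t = now + drift * TOTP_STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t), code):
            return t // TOTP_STEP
    return None


class IpGrantStore:
    """(user, source IP) -> expiry of SMTP/IMAP authorization outside campus."""

    def __init__(self, campus_nets, ttl=GRANT_TTL):
        self.campus = [ipaddress.ip_network(n) for n in campus_nets]
        self.ttl = ttl
        self.grants = {}        # (user, ip) -> expiry timestamp
        self.last_counter = {}  # user -> last accepted TOTP counter (replay guard)
        self.failures = {}      # ip -> timestamps of recent failed attempts

    def _locked_out(self, ip: str, now: int) -> bool:
        recent = [t for t in self.failures.get(ip, []) if now - t < FAIL_WINDOW]
        self.failures[ip] = recent
        return len(recent) >= MAX_FAILURES

    def webmail_login(self, user, secret_b32, code, source_ip, now) -> str:
        """TOTP webmail login; on success the source IP is granted SMTP/IMAP
        access for `user` until now + ttl. Returns 'granted', 'rejected' or
        'locked-out'."""
        if self._locked_out(source_ip, now):
            return "locked-out"
        counter = totp_counter(secret_b32, code, now)
        # a code whose counter was already used is a replay, even if it verifies
        if counter is None or counter <= self.last_counter.get(user, -1):
            self.failures.setdefault(source_ip, []).append(now)
            return "rejected"
        self.last_counter[user] = counter
        self.grants[(user, source_ip)] = now + self.ttl
        return "granted"

    def smtp_imap_allowed(self, user, source_ip, now) -> bool:
        """Decision an SMTP/IMAP authenticator would ask for: campus IPs are
        always allowed, anything else needs an unexpired grant for this user."""
        ip = ipaddress.ip_address(source_ip)
        if any(ip in net for net in self.campus):
            return True
        expiry = self.grants.get((user, source_ip))
        return expiry is not None and now < expiry


if __name__ == "__main__":
    store = IpGrantStore(["10.0.0.0/8"])           # constructed campus range
    print(store.webmail_login("alice", RFC_TEST_SECRET_B32, totp(RFC_TEST_SECRET_B32, 59),
                              "203.0.113.5", 59))  # granted
    print(store.smtp_imap_allowed("alice", "203.0.113.5", 59 + 60))  # True
```

The grant is keyed on the pair (user, IP) rather than on the IP alone, so a shared NAT address authorized by one user does not open SMTP/IMAP for every other account behind it; the TTL bounds how long a compromised session keeps working after the TOTP device is gone.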