Best way here is to add your users primary country to the auth_advertise_hosts list. Could be quite a IP list, but you can store it in a file if you want, by using a lookup condition.
Then if they travel to a non-approved country, they have to be without mail or be approved by you as administrator.
I don't know how many primary countries your users have, but could guess you only have a few. Which limits the attack surface, since only attacks from same country as the users will be go through.
-----Ursprungligt meddelande-----
Från: Slavko via Exim-users <exim-users@???>
Skickat: den 24 juni 2022 08:19
Till: 'Mailing List' <exim-users@???>
Ämne: Re: [exim] Closing off Port to non-SSL traffic
Dňa 23. júna 2022 22:15:48 UTC používateľ Sebastian Nielsen via Exim-users <exim-users@???> napísal:
>I solved that with:
>auth_advertise_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1
This helps only for single user MTA, my real users connects even from multiple countries...
>2022-06-10 23:50:20 SMTP protocol error in "AUTH LOGIN" H=(User)
>[45.85.190.59] AUTH command used when not advertised
That is pretty simple, just add this IP to firewall's DROP. To automatize its banning, use fail2ban. But be aware, that they will often try from other IP soon. I have 100 - 800 different IPs per day, most of them has only one attempt allowed here, it is some thousands of IPs in last
24 days (maximum ipset timeout) from whole word.
I am happy, that i long time ago decided to separate MX & MSA roles even for my small email system, which allow me simple reject "EHLO User" (and other strict rules) on MX port's 25, which are common on MSA.
regards
Slavko
--
## List details at
https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/