Re: [exim] drop connection on auth failure

Página Inicial
Delete this message
Reply to this message
Autor: Andrew C Aitchison
Data:  
Para: Julian Bradfield
CC: exim-users
Assunto: Re: [exim] drop connection on auth failure
On Fri, 15 Jul 2022, Julian Bradfield via Exim-users wrote:

> I should like exim to drop the connection on a client AUTH failure.
> (Because as soon it's seen in the log, fail2ban will DROP the client IP,
> and so the exim process will hang around until the SMTP session times
> out.)


I haven't used fail2ban with exim, but are you sure that that is the
problem ? In my experience, fail2ban only stops *new* sessions.
Ah. but I have something close to Evgeniy's conntrack rule:
> Nevetheless, if you want to keep active connections unblocked, you may
> insert before fail2ban's rules your own rule, which allows packets for
> established connection to be passed. Example for Linux:
>
> iptables -I INPUT 1 -p tcp -m multiport --destination-ports 25,465,587 \
>          -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT



If fail2ban does terminate the current session, then I am not sure that
exim can drop the connection without specific intent.
A legitimate client could give an incorrect password*, so exim should
normally allow at least one AUTH failure gracefully.
This would include waiting for an ack from the client.
If fail2ban has DROPped the current session, then exim will never
receive the ack, so will indeed wait for the session to timeout.

* Without a password database or manager, a MUA will ask the user
for the passwd at least once each session and we all make typos from time
to time.

> However, I can't see a way to do this. Am I missing something in the
> docs?


I don't think so.

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???