[exim] Re: smtp_accept_max & DDoS

Author: Jeremy Harris
Date:  
To: exim-users
Subject: [exim] Re: smtp_accept_max & DDoS
On 11/05/2023 18:28, Slavko via Exim-users wrote:
> By docs, the default smtp_accept_max is 20, I have set it higher
> value already, but that doesn't matter, as I see that attacker has
> many thousands IPs available. Thus I wonder, that it is able to reach
> that limit if it will want anytime, just by opening many connections
> and abandon them, thus effective run DDoS against MSA. I didn't
> meet that DDoS yet, but I wonder about it -- is my wondering
> real or am I too paranoid?


The _max option is there to cap the load imposed on the system;
a DDOS is possible whether you have that cap or not (though a
DOS becomes easier if you limit to lower than the ultimate
system capability). It's not related to authentication,
really, unless your system *only* handles MSA work.

One might imagine a per-port cap... but the implementation
feels problematic at first glance; you really don't want to
be doing an expensive expansion in the daemon loop.

> is there a way to drop these policy
> blocked logins to prevent connection timeouts


If your authenticator has an expansion which determines this
policy condition, what happens if you use an acl expansion
component which does a "drop"? I've not tried this; no
idea if it functions.
--
Cheers,
Jeremy

