On 12/05/2023 14:43, Slavko via Exim-users wrote:
> I understad (i hope) that already. The DDoS i mean is not
> load based, as connection limit will happen early.
and a botnet will be able to exceed that limit,
whether doing your auth thing or not.
But, whatever...
> Do you mean the server_condition option? AFAIK it will
> not work with dovecot autentificator, as it is consulted
> only after success authentification. Or do you mean
> something else?
>
> I know, that recently was added auth failed event, but it
> is not in my version (4.94) yet, and i am not sure if it will
> help with drop connection, as it is not documented in
> current docs yet.
Indeed, with the dovecot authenticator and that version of Exim
I don't think there's anything special you can do if you can't
fingerprint these connections in some way.
Your short setting for smtp_receive_timeout is probably the best
way (despite violating standards).
As a future-version possibility, I wonder if a settable TCP keepalive
would work. It depends on whether the attacker really has abandoned
the TCP connection, though this seems likely. Default values are in
the two hours region, so not immediately helpful.
--
Cheers,
Jeremy
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/