Loading ...
Sorry, an error occurred while loading the content.

295767Re: Postfix counters (was: limit and monitor too many sasl login from same user)

Expand Messages
  • Viktor Dukhovni
    Oct 5, 2013
      On Sat, Oct 05, 2013 at 05:55:49PM -0400, Wietse Venema wrote:

      > > > Either the use of per "login name" counters
      > > > should be restricted to "known" logins,
      > >
      > > This is for free, there is no such thing as an "unknown login".
      >
      > Not true when "per login name" counters are updated regardless of
      > whether the login exists, for example as part of a defense against
      > brute-force account guessing attacks such as described above.

      With SASL we don't know what the login name is unless authentication
      succeeds. The user name encoding is mechanism specific (with GSSAPI
      it is in the ticket!). Does the SASL API expose a user name for
      failed logins?

      > Did you have more ideas about shared-memory counter in memcache?

      I have not given any thought to anything in this space that is not
      SASL. My conjecture is that SASL is special.

      The basic control for submission clients (be it by client address,
      or by successful client login) is to substantially limit the
      connection concurrency and rate from any given whitelisted IP or
      any authorized account, and then to set a maximum submission message
      rate per single connection. After that promptly close down any
      access that is abused.

      Don't use POP before SMTP, it is way past its prime.

      --
      Viktor.
    • Show all 13 messages in this topic