Re: Solution to SMTPAuth compromised accounts.

  • José Borges Ferreira
    Message 1 of 7 , Sep 13, 2013
      On 09/13/2013 08:47 AM, lst_hoe02@... wrote:
      > A workaround might be to force a mismatch with smtpd_sender_login_maps
      > by removing the MAIL FROM --> Login-ID match in the table, no? But
      > this only applies if reject_sender_login_mismatch could/should be used
      > of course.
      On top of that, please consider using postfwd for rate limiting.

      José Borges Ferreira
    • Wietse Venema
      Message 2 of 7 , Sep 13, 2013
        Viktor Dukhovni:
        > > Can we add something similar to the "smtpd_client_restrictions" or
        > > "smtpd_recipient_restrictions", and adding a new rule-entry which
        > > would simply confirm that the "SMTPAuth LDAP 'user' used way back,
        > > is still accountStatus=enabled" ?

        Built-in message rate limit:

        /etc/postfix/main.cf:
        smtpd_client_message_rate_limit = 10

        External rate limit: use postfwd and the like.

        Wietse
      • /dev/rob0
        Message 3 of 7 , Sep 13, 2013
          On Fri, Sep 13, 2013 at 04:29:28AM +0000, Viktor Dukhovni wrote:
          > Sadly Postfix does not have an access table keyed by the SASL
          > login name. Perhaps we should bite the bullet, and add one,

          +1, a check_sasl_auth_access feature would be useful, despite the
          fact that other approaches can accomplish the same thing, as noted
          upthread by numerous posters.

          > after defining a suitable encoding for any usernames that
          > contain special or whitespace characters.

          Fortunately SASL usernames are typically something under site
          administrators' control, so a partial solution might be to warn
          against using special or whitespace characters in usernames. :)
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
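
Added example, not written by any poster in this thread and not code from Postfix or postfwd: the decision logic of a policy daemon of the "postfwd and the like" kind, keyed on the sasl_username attribute that Postfix passes in a policy delegation request. It rejects logins whose account is no longer enabled and applies a per-login sliding-window limit. The names SaslPolicy and is_enabled, the limit values and the sample request are assumptions made for illustration; the count is per policy request, which is one per recipient when the service is called at RCPT TO.

```python
import time
from collections import defaultdict, deque

def parse_request(raw):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class SaslPolicy:
    def __init__(self, is_enabled, limit=10, window=60):
        self.is_enabled = is_enabled    # hypothetical account-status lookup (e.g. backed by LDAP)
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # login -> timestamps of requests let through

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        login = attrs.get("sasl_username", "")
        if attrs.get("request") != "smtpd_access_policy" or not login:
            return "DUNNO"              # unauthenticated: leave it to the other restrictions
        if not self.is_enabled(login):
            return "REJECT account disabled"
        stamps = self.seen[login]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()            # drop entries that fell out of the window
        if len(stamps) >= self.limit:
            return "DEFER_IF_PERMIT rate limit exceeded"
        stamps.append(now)
        return "DUNNO"

def respond(raw, policy, now=None):
    """Full reply as sent back to Postfix: the action line plus an empty line."""
    return "action=%s\n\n" % policy.decide(parse_request(raw), now)

# Constructed sample request (all values are made up for illustration).
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "sender=alice@example.com\nrecipient=bob@example.net\n"
          "sasl_username=alice\nclient_address=192.0.2.10\n\n")

if __name__ == "__main__":
    policy = SaslPolicy(is_enabled=lambda u: u != "mallory", limit=2, window=60)
    for t in (0, 1, 2, 61):
        print(t, respond(SAMPLE, policy, now=t).strip())
```

Keying the counter on the login rather than the client address means a compromised account is throttled even when the abuse arrives from many source addresses.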