
Mailing List Archive: exim: users

Drop smtp connection before authentication

 

 



caref at proxy

Jul 20, 2009, 6:12 AM

Post #1 of 29 (3221 views)
Permalink
Drop smtp connection before authentication

Hi,

Is it possible to drop smtp connection before authentication per username?

My server is congested with many attempts to authenticate with a deleted
account.

Thanks,


Edison


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users-20081202 at djce

Jul 20, 2009, 7:33 AM

Post #2 of 29 (3127 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Mon, Jul 20, 2009 at 10:12:29AM -0300, Edison F Carbol wrote:
> Hi,
>
> Is it possible to drop smtp connection before authentication per username?
>
> My server is congested with many attempts to authenticate with a deleted
> account.

Sorry, I don't really understand your question.

You can probably drop the connection wherever you want to - Exim is pretty
flexible - but presumably you want to drop only /some/ connections, not all of
them. What criteria do you intend to use to distinguish between the two? At
what phase of the SMTP transaction would you like the connection to be
dropped?

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey


exim at fiber

Jul 20, 2009, 9:51 AM

Post #3 of 29 (3134 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On 2009-07-20 3:12, Edison F Carbol wrote:
> Hi,
>
> Is it possible to drop smtp connection before authentication per username?
> My server is congested with many attempts to authenticate with a deleted
> account.

Hi,
I guess you could drop at the HELO stage, based on a text file of IP
addresses, like

    deny condition = ${lookup{$sender_host_address}lsearch{banedip.txt}{yes}{no}}

and a cron job to grep all bad IPs:

    # sort first: uniq -c only counts adjacent identical lines
    grep -o "authenticator failed for.*" /var/log/exim4/mainlog | sort | uniq -c |
      grep "^ *[0-9]\{2,4\} " |
      grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" > banedip.txt

(the above bans IPs where failed auth attempts > 9)
On my system I grep a few other logfiles as well, but I add the IPs this
script finds to a drop list in iptables (less CPU time used).

Also on my system I have just now added

    warn log_message    = Possible hacked useraccount $authenticated_id
         authenticated  = *
         sender_domains = !+local_domains

due to some (new?) virus/malware stealing my users' logins.
So heads up.
so heads up

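The log scan described in the post above, written out as an added example (not code from the thread): it counts failed AUTH attempts per client IP and lists the IPs seen failing for one username. The log-line layout, the authenticator name `plain_login`, the function names and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed SMTP AUTH attempts per client IP in an Exim mainlog.
# Assumed line layout (constructed, not taken from the thread):
#   DATE TIME <auth> authenticator failed for (<HELO>) [<IP>]: 535 ... (set_id=<user>)

# Constructed sample log; all addresses are documentation ranges.
sample_log() {
  i=0
  while [ "$i" -lt 11 ]; do
    printf '2009-07-20 09:%02d:01 plain_login authenticator failed for (pc1.example) [192.0.2.10]: 535 Incorrect authentication data (set_id=olduser)\n' "$i"
    i=$((i + 1))
  done
  cat <<'EOF'
2009-07-20 09:20:11 plain_login authenticator failed for ([203.0.113.99]) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2009-07-20 09:20:15 plain_login authenticator failed for ([203.0.113.99]) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2009-07-20 09:21:40 plain_login authenticator failed for (laptop.example) [203.0.113.5]: 535 Incorrect authentication data (set_id=olduser)
2009-07-20 09:22:02 1MSxyz-0001ab-CD <= bob@example.org H=(pc2.example) [192.0.2.44] P=esmtpa A=plain_login:bob S=1432
EOF
}

# awk helper shared by the functions below.
# The HELO name inside (...) is chosen by the client and can itself look like
# [address], so only the bracket group directly followed by ": NNN " is used
# (an optional ":port" before the colon is tolerated).
AWK_CLIENT_IP='
function client_ip(line,    s) {
  if (!match(line, /\[[0-9A-Fa-f:.]+\](:[0-9]+)?: [0-9][0-9][0-9] /)) return ""
  s = substr(line, RSTART + 1)
  return substr(s, 1, index(s, "]") - 1)
}'

# Read a mainlog on stdin, print "<count> <ip>" lines, highest count first.
failed_by_ip() {
  awk "$AWK_CLIENT_IP"'
    / authenticator failed for / {
      ip = client_ip($0)
      if (ip != "") n[ip]++
    }
    END { for (ip in n) print n[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# offenders THRESHOLD: IPs with more than THRESHOLD failed attempts, one per line.
offenders() {
  failed_by_ip | awk -v t="$1" '$1 + 0 > t + 0 { print $2 }'
}

# ips_for_user USER: IPs that failed AUTH with set_id=USER (e.g. a deleted account).
ips_for_user() {
  awk -v u="$1" "$AWK_CLIENT_IP"'
    / authenticator failed for / && index($0, "(set_id=" u ")") {
      ip = client_ip($0)
      if (ip != "") seen[ip] = 1
    }
    END { for (ip in seen) print ip }
  ' | sort
}

# Demo on the constructed sample: IPs with more than 9 failures.
sample_log | offenders 9
```

On a real system the functions read the log on stdin, for example `offenders 9 < /var/log/exim4/mainlog`.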


caref at proxy

Jul 20, 2009, 10:05 AM

Post #4 of 29 (3134 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

Hi Dave,

My server is under a kind of attack. Lot of connections are trying to
authenticate with the same username that doesn't exist.

I'd like to drop all connections from a specific username before smtp
authentication or any layer above.

Is it possible to get the username at acl_smtp_auth?

Thanks,


Edison


> Hi,
>
> Is it possible to drop smtp connection before authentication per username?
>
> My server is congested with many attempts to authenticate with a deleted
> account.

Sorry, I don't really understand your question.

You can probably drop the connection wherever you want to - Exim is pretty
flexible - but presumably you want to drop only /some/ connections, not all
of them. What criteria do you intend to use to distinguish between the two?
At what phase of the SMTP transaction would you like the connection to be
dropped?

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey




peter at bowyer

Jul 20, 2009, 10:12 AM

Post #5 of 29 (3130 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

2009/7/20 Edison F Carbol <caref [at] proxy>:

> I'd like to drop all connections from a specific username before smtp
> authentication or any layer above.

Your challenge, then, is to know what username a connection is going
to authenticate with before it does so. Make sure your Exim is
compiled with

CRYSTAL_BALL=1

Peter

--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee



exim-users-20081202 at djce

Jul 20, 2009, 10:17 AM

Post #6 of 29 (3133 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Mon, Jul 20, 2009 at 02:05:45PM -0300, Edison F Carbol wrote:
> My server is under a kind of attack. Lot of connections are trying to
> authenticate with the same username that doesn't exist.
>
> I'd like to drop all connections from a specific username before smtp
> authentication or any layer above.
>
> Is it possible to get the username at acl_smtp_auth?

When you say "from a specific username", do you mean the SMTP AUTH username?
In general, you can't drop connections "from a username" without first
allowing the AUTH to proceed, so you know what the username is.

If your server is handling the load just fine anyway, I'd say do nothing. The
unwanted traffic will probably subside soon enough.

If it's *not* handling the load just fine, then the only suggestion I can
offer is to see if the same IPs are "attacking" again and again, and if they
are (and those IPs are *only* "attacking", they're not also performing
legitimate transactions), then block the offending IP addresses; either at
your firewall, or in acl_smtp_connect.

(acl_smtp_connect is probably easier to implement and could even be automated;
but each attacking connection still uses a non-negligible amount of server
resource).

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey


caref at proxy

Jul 20, 2009, 10:39 AM

Post #7 of 29 (3130 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

Dave,

This is what I'm doing now.

The first time this username tries to authenticate, I get his IP at smtp auth
and then block it at acl_smtp_auth.

Thank you for your help.


Edison


> My server is under a kind of attack. Lot of connections are trying to
> authenticate with the same username that doesn't exist.
>
> I'd like to drop all connections from a specific username before smtp
> authentication or any layer above.
>
> Is it possible to get the username at acl_smtp_auth?

When you say "from a specific username", do you mean the SMTP AUTH username?
In general, you can't drop connections "from a username" without first
allowing the AUTH to proceed, so you know what the username is.

If your server is handling the load just fine anyway, I'd say do nothing.
The unwanted traffic will probably subside soon enough.

If it's *not* handling the load just fine, then the only suggestion I can
offer is to see if the same IPs are "attacking" again and again, and if they
are (and those IPs are *only* "attacking", they're not also performing
legitimate transactions), then block the offending IP addresses; either at
your firewall, or in acl_smtp_connect.

(acl_smtp_connect is probably easier to implement and could even be
automated; but each attacking connection still uses a non-negligible amount
of server resource).




dean at iglou

Jul 20, 2009, 11:57 AM

Post #8 of 29 (3130 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Mon, Jul 20, 2009 at 10:12:29AM -0300, Edison F Carbol wrote:
> Is it possible to drop smtp connection before authentication per username?
>
> My server is congested with many attempts to authenticate with a deleted
> account.

Here's what we use to automatically control failed authentication attempts.
If you have this in place, your server will automatically begin rejecting
hosts that send repeated auth failure attempts.

You can change the BADAUTH_LIMIT macro to any rate you like, but we use
15 failed attempts in 2 hours as the threshold.

In the global config section of your config:

BADAUTH_LIMIT = 15 / 2h

acl_smtp_connect = check_connection
acl_smtp_quit = check_quit
acl_smtp_notquit = check_notquit

In the ACL section of your config:

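check_connection:
  drop    message   = Too many failed authentication attempts
          ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
  # Let every other connection through: an ACL that ends without a
  # decision is an implicit deny.
  accept

check_quit:
  # Count this connection against the host only if AUTH failed.
  accept  condition = ${if eq{$authentication_failed}{1}}
          ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address

check_notquit:
  # Same update when the connection ends without QUIT.
  accept  condition = ${if eq{$authentication_failed}{1}}
          ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address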

We need the rate limiting portion in BOTH the "quit" and "notquit" sections
for this to work properly, as you don't know how the connection will
end up closing.

You also don't want to put the ratelimiting in the RCPT or DATA section,
because the connection will never get that far (they haven't authenticated!).
You can't put it in the MAIL section either because, again, they haven't
authenticated.

Thought someone else might find this useful. Rate limits are fun. :)

--
Dean Brooks
dean [at] iglou



wbh at conducive

Jul 20, 2009, 7:15 PM

Post #9 of 29 (3117 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

Edison F Carbol wrote:
> Hi,
>
> Is it possible to drop smtp connection before authentication per username?
>
> My server is congested with many attempts to authenticate with a deleted
> account.
>
> Thanks,
>
>
> Edison
>
>

Easily.

However .....

unless those unwanted attempts have characteristics, such as arriving from the
same IP, wherein no other active account might also exist, (old/new,
husband/wife) or at least from the same 'pool' of IP, such as a
dynamically-assigned 'connectivity' ISP user community, wherein you have
*neither* a valid user, *nor* a potential 'proper' correspondent MTA

-- in which case you can reject on source IP or source CIDR range either in
Exim's 'connect' phase or just a bit later, (or even in a firewall ahead of Exim...)


-- in any other case, you will have to do enough 'qualifying' to prevent harm to
other arrivals...

...that you might just as well let the authorization fail.

You could be saving the 'cost' of setting-up an encrypted session and doing some
form of DB lookup to fail the auth so it IS worth the attempt.

Personally, I'd be tempted to divert the connection and sort of tarpit it,
and/or allow a POP/IMAP read connection and pop a 'no longer active' notice into
his 'Mailbox' (or known forwarding address) each time he makes an attempt to
auth onto Exim for sending.

That might motivate the former user to change the MUA settings that are trying
to automagically log in to the dead account.

HTH,

Bill



tlyons at ivenue

Jul 21, 2009, 6:05 PM

Post #10 of 29 (3112 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Mon, Jul 20, 2009 at 11:57 AM, Dean Brooks<dean [at] iglou> wrote:
> You can change the BADAUTH_LIMIT macro to any rate you like, but we use
> 15 failed attempts in 2 hours as the threshold.

In the event that a user gets blocked, how do you expediently handle
the case where tech support helps a user fix the password and then
retries to send. What do you do to purge the db file that holds this
info? Is it actually in a hints database? Or is it all in memory at
this point?

--
Regards... Todd



dean at iglou

Jul 22, 2009, 4:56 AM

Post #11 of 29 (3105 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Tue, Jul 21, 2009 at 06:05:18PM -0700, Todd Lyons wrote:
> On Mon, Jul 20, 2009 at 11:57 AM, Dean Brooks<dean [at] iglou> wrote:
> > You can change the BADAUTH_LIMIT macro to any rate you like, but we use
> > 15 failed attempts in 2 hours as the threshold.
>
> In the event that a user gets blocked, how do you expediently handle
> the case where tech support helps a user fix the password and then
> retries to send. What do you do to purge the db file that holds this
> info? Is it actually in a hints database? Or is it all in memory at
> this point?

The ratelimits are using the "leaky" recording method, which is the
default type of rate limiting unless "strict" is otherwise specified.
So, even if they send 1,000 bad auth attempts, the database will only
have recorded 15 attempts (in 2 hours).

Because the recorded count decays constantly and linearly over the
time period, a "slot" would open up every 8 minutes (120 min / 15
attempts). In the few cases where we've had a customer call, we've
just told customer to wait up to 10 minutes before trying again.

The shorter the time period, the shorter the decay intervals will get.
You can play around with the numbers, but that's why we chose something
low like 2 hours instead of setting a 24 hour period or something similar.

The database file is actually in your exim spool directory in files
called "db/ratelimits.*". You can simply delete the database
completely and it will recreate a blank one if you needed to restore
access instantly. In our environment, though, the 8 to 10 minute
delay wasn't a problem.

We've found that most of the bad auth attempts we receive are simply
clients who have canceled accounts but have forgotten to de-configure
their mail client.

--
Dean Brooks
dean [at] iglou



t.baer at dokom

Oct 27, 2009, 12:21 PM

Post #12 of 29 (2521 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

Hi Dean,

this sounds really good.
Could you please describe how this works? For example: after 15 failures the
client is blocked for 2 hours.
If you don't mind, a sample configuration file would be really helpful.
Thank you very much.

Regards
Torsten


Dean Brooks wrote:
>
> Here's what we use to automatically control failed authentication
> attempts.
> If you have this in place, your server will automatically begin rejecting
> hosts that send repeated auth failure attempts.
>
> You can change the BADAUTH_LIMIT macro to any rate you like, but we use
> 15 failed attempts in 2 hours as the threshold.
>
> In the global config section of your config:
>
> BADAUTH_LIMIT = 15 / 2h
>
> acl_smtp_connect = check_connection
> acl_smtp_quit = check_quit
> acl_smtp_notquit = check_notquit
>
> In the ACL section of your config:
>
> check_connection:
> drop message = Too many failed authentication attempts
> ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
>
> check_quit:
> accept condition = ${if eq{$authentication_failed}{1}}
> ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
> check_notquit:
> accept condition = ${if eq{$authentication_failed}{1}}
> ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
> We need the rate limiting portion in BOTH the "quit" and "notquit"
> sections
> for this to work properly, as you don't know how the connection will
> end up closing.
>
> You also don't want to put the ratelimiting in the RCPT or DATA section,
> because the connection will never get that far (they haven't
> authenticated!).
> You can't put it in the MAIL section either because, again, they haven't
> authenticated.
>
> Thought someone else might find this useful. Rate limits are fun. :)
>
> --
> Dean Brooks
> dean [at] iglou
>



exim-users at lists

Oct 28, 2009, 6:00 AM

Post #13 of 29 (2517 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

> Dean Brooks wrote:
>> Here's what we use to automatically control failed authentication
>> attempts.
>> If you have this in place, your server will automatically begin rejecting
>> hosts that send repeated auth failure attempts.
>>
>> You can change the BADAUTH_LIMIT macro to any rate you like, but we use
>> 15 failed attempts in 2 hours as the threshold.
>>
>> In the global config section of your config:
>>
>> BADAUTH_LIMIT = 15 / 2h
>>
>> acl_smtp_connect = check_connection
>> acl_smtp_quit = check_quit
>> acl_smtp_notquit = check_notquit
>>
>> In the ACL section of your config:
>>
>> check_connection:
>> drop message = Too many failed authentication attempts
>> ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
>>
>> check_quit:
>> accept condition = ${if eq{$authentication_failed}{1}}
>> ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>>
>> check_notquit:
>> accept condition = ${if eq{$authentication_failed}{1}}
>> ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>>
>> We need the rate limiting portion in BOTH the "quit" and "notquit"
>> sections
>> for this to work properly, as you don't know how the connection will
>> end up closing.
>>
>> You also don't want to put the ratelimiting in the RCPT or DATA section,
>> because the connection will never get that far (they haven't
>> authenticated!).
>> You can't put it in the MAIL section either because, again, they haven't
>> authenticated.
>>
>> Thought someone else might find this useful. Rate limits are fun. :)

If a client makes a single connection to your SMTP server then makes a
million attempts to authenticate using different credentials each time,
wouldn't that only increment the ratelimit value by 1 as it only
increments the value on Exit... Eg, in the following example I make
three different authentication failures but only quit once:

EHLO example.com
250-haven.grepular.com Hello haven.grepular.com [92.48.122.147]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH LOGIN PLAIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
Zm9v
334 UGFzc3dvcmQ6
Zm9v
535 Incorrect authentication data
AUTH LOGIN
334 VXNlcm5hbWU6
YmFy
334 UGFzc3dvcmQ6
YmFy
535 Incorrect authentication data
AUTH LOGIN
334 VXNlcm5hbWU6
ZXhpbQ==
334 UGFzc3dvcmQ6
ZXhpbQ==
535 Incorrect authentication data
quit
221 haven.grepular.com closing connection

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/



dean at iglou

Oct 28, 2009, 7:20 AM

Post #14 of 29 (2518 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Wed, Oct 28, 2009 at 01:00:42PM +0000, Mike Cardwell wrote:
> > Dean Brooks wrote:
> >> Here's what we use to automatically control failed authentication
> >> attempts.
>
> If a client makes a single connection to your SMTP server then makes a
> million attempts to authenticate using different credentials each time,
> wouldn't that only increment the ratelimit value by 1 as it only
> increments the value on Exit... Eg, in the following example I make
> three different authentication failures but only quit once:

Took me a few minutes to remember why this wasn't a problem and finally
remembered.

A failed auth attempt counts as a "non-mail" command and increments
the counter against the global "smtp_accept_max_nonmail" setting.
It defaults to 10 but we have it set to "3" on our system:

smtp_accept_max_nonmail = 3

So, essentially, they can at most execute 3 attempts per connection
and a maximum of 15 connection failures using the ratelimits.
Essentially up to 45 failed auth attempts.

--
Dean Brooks
dean [at] iglou



dean at iglou

Oct 28, 2009, 7:25 AM

Post #15 of 29 (2521 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Tue, Oct 27, 2009 at 12:21:13PM -0700, Totty wrote:
> Could you please describe how this works? For example: after 15 failures the
> client is blocked for 2 hours.
> If you don't mind, a sample configuration file would be really helpful.

Well, the configuration is listed in its entirety below actually. Just
copy/paste each particular portion into the specified section.

Note that I added the following line into the global section below:

smtp_accept_max_nonmail = 5

That will limit the number of failed auth attempts per connection and
the BADAUTH_LIMIT macro sets the number of connections that can fail
due to failed auth.

How does it work? Essentially, when a connection ends, either the
check_quit or the check_notquit ACL is executed depending upon whether
it was a graceful disconnection or not. Either way, if it sees that
authentication failed in any way, it increments the "badauth" counter
that is keyed to the sender's IP address.

When a new connection comes in, it checks the counter (without updating it)
to see if the limit has been hit within the BADAUTH_LIMIT timeframe.

Here are the original config items:

> In the global config section of your config:
>
> BADAUTH_LIMIT = 15 / 2h
>
> acl_smtp_connect = check_connection
> acl_smtp_quit = check_quit
> acl_smtp_notquit = check_notquit
> smtp_accept_max_nonmail = 5
>
> In the ACL section of your config:
>
> check_connection:
> drop message = Too many failed authentication attempts
> ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
>
> check_quit:
> accept condition = ${if eq{$authentication_failed}{1}}
> ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
> check_notquit:
> accept condition = ${if eq{$authentication_failed}{1}}
> ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address

--
Dean Brooks
dean [at] iglou



t.baer at dokom

Oct 28, 2009, 2:12 PM

Post #16 of 29 (2515 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

Hi Dean,

this sounds really good.
Could you please describe how this works? For example: after 15 failures
the client is blocked for 2 hours.
If you don't mind, a sample configuration file would be really helpful.
Thank you very much.

Regards
Torsten


Dean Brooks wrote:
> Here's what we use to automatically control failed authentication
> attempts.
> If you have this in place, your server will automatically begin rejecting
> hosts that send repeated auth failure attempts.
>
> You can change the BADAUTH_LIMIT macro to any rate you like, but we use
> 15 failed attempts in 2 hours as the threshold.
>
> In the global config section of your config:
>
> BADAUTH_LIMIT = 15 / 2h
>
> acl_smtp_connect = check_connection
> acl_smtp_quit = check_quit
> acl_smtp_notquit = check_notquit
>
> In the ACL section of your config:
>
> check_connection:
> drop message = Too many failed authentication attempts
> ratelimit = BADAUTH_LIMIT / noupdate / badauth:$sender_host_address
>
> check_quit:
> accept condition = ${if eq{$authentication_failed}{1}}
> ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
> check_notquit:
> accept condition = ${if eq{$authentication_failed}{1}}
> ratelimit = BADAUTH_LIMIT / badauth:$sender_host_address
>
> We need the rate limiting portion in BOTH the "quit" and "notquit"
> sections
> for this to work properly, as you don't know how the connection will
> end up closing.
>
> You also don't want to put the ratelimiting in the RCPT or DATA section,
> because the connection will never get that far (they haven't
> authenticated!).
> You can't put it in the MAIL section either because, again, they haven't
> authenticated.
>
> Thought someone else might find this useful. Rate limits are fun. :)
>
> --
> Dean Brooks
> dean [at] iglou


t.baer at dokom

Oct 28, 2009, 2:27 PM

Post #17 of 29 (2514 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

Thanks, Dean.
Just to verify that I understood it right. When you define the
"BADAUTH_LIMIT = 15 / 2h", 15 bad logins within 2 hours are accepted
from one IP address. When will the client be able to start a new
authentication again?

Thanks
Torsten
> Well, the configuration is listed in its entirety below actually. Just
> copy/paste each particular portion into the specified section.
>
> Note that I added the following line into the global section below:
>
> smtp_accept_max_nonmail = 5
>
> That will limit the number of failed auth attempts per connection and
> the BADAUTH_LIMIT macro sets the number of connections that can fail
> due to failed auth.
>
> How does it work? Essentially, when a connection ends, either the
> check_quit or the check_notquit ACL is executed depending upon whether
> it was a graceful disconnection or not. Either way, if it sees that
> authentication failed in any way, it increments the "badauth" counter
> that is keyed to the sender's IP address.
>
> When a new connection comes in, it checks the counter (without updating it)
> to see if the limit has been hit within the BADAUTH_LIMIT timeframe.
>
>
> --
> Dean Brooks
> dean [at] iglou
>
>




dean at iglou

Oct 29, 2009, 7:30 AM

Post #18 of 29 (2509 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Wed, Oct 28, 2009 at 10:27:24PM +0100, Torsten wrote:
> > How does it work? Essentially, when a connection ends, either the
> > check_quit or the check_notquit ACL is executed depending upon whether
> > it was a graceful disconnection or not. Either way, if it sees that
> > authentication failed in any way, it increments the "badauth" counter
> > that is keyed to the sender's IP address.
> >
> > When a new connection comes in, it checks the counter (without updating it)
> > to see if the limit has been hit within the BADAUTH_LIMIT timeframe.
>
> Just to verify that I understood it right. When you define the
> "BADAUTH_LIMIT = 15 / 2h", 15 bad logins within 2 hours are accepted
> from one IP address. When will the client be able to start a new
> authentication again?

Exim's ratelimits decay smoothly over time. In the above example, any
rolling 2-hour window will allow 15 connection failures. Or, thinking
of it another way, every 8 minutes or so a new connection attempt will
be allowed in this example.

Also, keep in mind that this ratelimit limits the number of
connections, not attempts. There can be multiple failure attempts per
connection, up to the smtp_accept_max_nonmail setting in your config file.

--
Dean Brooks
dean [at] iglou

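A simplified model of the policy described in the posts above, as an added example that is not from the thread: it shows how many connections, and so how many failed AUTH attempts, a single IP can get through over a given time. It assumes the linear decay described in the thread (one slot per period / limit) rather than reproducing Exim's own ratelimit arithmetic, and treats smtp_accept_max_nonmail as the per-connection cap on failed AUTH commands; the function name and the client's retry interval are assumptions.

```shell
#!/bin/sh
# Added example: linear-decay model of the connect/quit ratelimit policy.
#
# guess_budget LIMIT PERIOD_S MAX_AUTH GAP_S DURATION_S
#   LIMIT / PERIOD_S : the BADAUTH_LIMIT macro (15 / 2h -> 15 7200)
#   MAX_AUTH         : failed AUTH commands allowed per connection
#                      (modelled on smtp_accept_max_nonmail)
#   GAP_S            : the client reconnects every GAP_S seconds (assumption)
#   DURATION_S       : length of the simulated period
# Prints: "<connections accepted> <connections dropped> <max failed AUTH attempts>"
guess_budget() {
  awk -v limit="$1" -v period="$2" -v maxauth="$3" -v gap="$4" -v dur="$5" '
    BEGIN {
      level = 0      # recorded failed connections for this IP
      last = 0       # time of the previous connection
      ok = 0; dropped = 0
      for (t = 0; t < dur; t += gap) {
        # The recorded count drains steadily: LIMIT slots per PERIOD_S.
        level -= (t - last) * limit / period
        if (level < 0) level = 0
        last = t

        # check_connection: look at the counter without updating it and
        # drop the client if there is no free slot.
        if (level + 1 > limit) { dropped++; continue }

        # The connection is accepted, every AUTH fails, and the
        # check_quit / check_notquit update records one failed connection.
        ok++
        level += 1
      }
      printf "%d %d %d\n", ok, dropped, ok * maxauth
    }'
}

# Demo: 15 / 2h, 3 AUTH attempts per connection, retry every minute for a day.
guess_budget 15 7200 3 60 86400
```

With the thread's 15 / 2h and a cap of 3, a client retrying every minute for 24 hours gets 194 connections accepted in this model, so up to 582 failed AUTH attempts per IP per day.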


t.baer at dokom

Oct 29, 2009, 12:27 PM

Post #19 of 29 (2494 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

Hi Dean,

thanks for your explanation.
What Exim version do you use? On my Exim 4.63 I got this error: main
option "acl_smtp_notquit" unknown
I can't find the acl "acl_smtp_notquit" in the Exim specs.

Thanks
Torsten
> Exim's ratelimits decay smoothly over time. In the above example, any
> rolling 2-hour window will allow 15 connection failures. Or, thinking
> of it another way, every 8 minutes or so a new connection attempt will
> be allowed in this example.
>
> Also, keep in mind that this ratelimit limits the number of
> connections, not attempts. There can be multiple failure attempts per
> connection, up to the smtp_accept_max_nonmail setting in your config file.
>
> --
> Dean Brooks
> dean [at] iglou




dean at iglou

Oct 29, 2009, 12:42 PM

Post #20 of 29 (2507 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Thu, Oct 29, 2009 at 08:27:50PM +0100, Torsten wrote:
> What Exim version do you use? On my Exim 4.63 I got this error: main
> option "acl_smtp_notquit" unknown
> I can't find the acl "acl_smtp_notquit" in the Exim specs.

This was added in 4.68. You are running quite an old version of Exim
it appears.

--
Dean Brooks
dean [at] iglou



t.baer at dokom

Oct 29, 2009, 1:24 PM

Post #21 of 29 (2494 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

> This was added in 4.68. You are running quite an old version of Exim
> it appears.
>
> --
> Dean Brooks
> dean [at] iglou
O.k. I'm wondering why the Exim specs aren't updated.
Thanks Dean.



peter at bowyer

Oct 30, 2009, 1:45 AM

Post #22 of 29 (2493 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

2009/10/29 Torsten <t.baer [at] dokom>:
>
>> This was added in 4.68.  You are running quite an old version of Exim
>> it appears.
>>
>> --
>> Dean Brooks
>> dean [at] iglou
> O.k. I'm wondering why the Exim specs aren't updated.

They are. 4.67 and 4.68 both had a new release of documentation.
Smaller releases (such as 4.69) rely on a changelog. All of which
(right back to Exim v 1.9x) are available on www.exim.org and the
up-to-date versions were included in your Exim tarball, assuming they
weren't removed by a packager.

Peter

--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee



nigel.metheringham at dev

Oct 30, 2009, 2:40 AM

Post #23 of 29 (2494 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On 30 Oct 2009, at 08:45, Peter Bowyer wrote:
> They are. 4.67 and 4.68 both had a new release of documentation.
> Smaller releases (such as 4.69) rely on a changelog. All of which
> (right back to Exim v 1.9x) are available on www.exim.org and the
> up-to-date versions were included in your Exim tarball, assuming they
> weren't removed by a packager.

4.69 did have regenerated documentation, although some idiot (the one
writing this) managed to regenerate it without changing the version
number.

Nigel.
--
[ Nigel Metheringham Nigel.Metheringham [at] InTechnology ]
[. - Comments in this message are my own and not ITO opinion/policy - ]




peter at bowyer

Oct 30, 2009, 2:48 AM

Post #24 of 29 (2494 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

2009/10/30 Nigel Metheringham <nigel.metheringham [at] dev>:
>
> On 30 Oct 2009, at 08:45, Peter Bowyer wrote:
>> They are. 4.67 and 4.68 both had a new release of documentation.
>> Smaller releases (such as 4.69) rely on a changelog. All of which
>> (right back to Exim v 1.9x) are available on www.exim.org and the
>> up-to-date versions were included in your Exim tarball, assuming they
>> weren't removed by a packager.
>
> 4.69 did have regenerated documentation, although some idiot (the one
> writing this) managed to regenerate it without changing the version
> number.

You can't get the staff, can you.....



--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee



eximX0902w at linuxwan

Oct 30, 2009, 4:00 AM

Post #25 of 29 (2491 views)
Permalink
Re: Drop smtp connection before authentication [In reply to]

On Fri, 2009-10-30 at 09:48 +0000, Peter Bowyer wrote:
> You can't get the staff, can you.....

Leave my hero alone :P

I have been incredibly pleased to see how many patches and bug fixes
Nigel and others have gone through in the last few weeks.

If only I still had the time to throw at email as I used to - I thank
those who do and continue to do so.

--
The Exim manual - http://docs.exim.org


