[EMAIL PROTECTED] wrote:
> Hi,
>
> Does following look reasonable? The "2" is because of
> http://www.exim.org/lurker/message/20031019.140442.419ec907.en.html
>
> acl_check_auth:
>   drop  message = authentication is allowed only once per message in order \
>                   to slow down bruteforce cracking
>         condition = ${if def:acl_m_auth}
>         condition = ${if >{$acl_m_auth}{2}}
>         delay = 20s
>
>   warn  condition = ${if !def:acl_m_auth}
>         set acl_m_auth = 0
>
>   accept set acl_m_auth = ${eval:$acl_m_auth+1}
>

Not relevant to the acl snippet, but w/r 'brute force' auth cracking attempts in general:

- have you first ensured that your own client submission requires auth and that auth cannot be done on port 25, but rather only on port 587?

- are you forcing (at least) TLS-only on port 587, with no fallback to unencrypted?

If so, and you *still* see significant attacks, (tcpdump?) then:

- are they from random sources?

- or are they perhaps a directed attack from a small lot of IPs that you could fully or partially block with firewall rules?

We take a further step (CAVEAT - flames may follow) and run the older SSL-only protocol once implemented on port 465, but on port 587 instead.

Most MUA are easily set to SSL-only and port 587, even though not the default.

Result - no significant attempts to break-in. Near-as-dammit zero.

Which - aside from not irritating Exim, reduces bandwidth consumption.

HTH,

Bill

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
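
The triage question in the reply above (random sources, or a small lot of IPs that firewall rules could block) can be answered from the Exim main log as well as from tcpdump. The following is an added example, not part of the original thread: the log lines are constructed, and the function names, `top_n` and the 80% threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in Exim mainlog style; addresses are documentation ranges.
SAMPLE_LOG = """\
2008-03-01 10:00:01 login authenticator failed for (client) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice)
2008-03-01 10:00:04 login authenticator failed for (client) [192.0.2.10]: 535 Incorrect authentication data (set_id=bob)
2008-03-01 10:00:09 login authenticator failed for (client) [192.0.2.10]: 535 Incorrect authentication data (set_id=carol)
2008-03-01 10:00:15 login authenticator failed for (client) [192.0.2.10]: 535 Incorrect authentication data (set_id=dave)
2008-03-01 10:02:00 plain authenticator failed for mx.example ([10.0.0.5]) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2008-03-01 10:02:30 plain authenticator failed for mx.example ([10.0.0.5]) [198.51.100.7]: 535 Incorrect authentication data
2008-03-01 10:05:00 login authenticator failed for (pc) [203.0.113.99]: 535 Incorrect authentication data (set_id=erin)
2008-03-01 10:06:00 1JVabc-0001xY-2Z Completed
"""

# The greedy ".*" makes the captured address the last bracketed one before
# ": 535", i.e. the peer address, not an IP literal the client sent in HELO.
FAIL_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?:\[\d+\] )?\S+ authenticator failed for "
    r".*\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?: 535 "
)

def failures_by_source(log_text):
    """Count failed AUTH attempts per peer IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def triage(counts, top_n=2, threshold=0.8):
    """Report whether the top_n sources account for most of the failures."""
    total = sum(counts.values())
    if total == 0:
        return {"total": 0, "verdict": "no failures", "block_candidates": []}
    top = counts.most_common(top_n)
    share = sum(n for _, n in top) / total
    concentrated = share >= threshold
    return {
        "total": total,
        "sources": len(counts),
        "top_share": round(share, 3),
        "verdict": "concentrated" if concentrated else "distributed",
        # Only worth a firewall rule when a few addresses dominate.
        "block_candidates": [ip for ip, _ in top] if concentrated else [],
    }

if __name__ == "__main__":
    print(triage(failures_by_source(SAMPLE_LOG)))
```

A "distributed" verdict means per-IP firewall rules will not help much, which is the case the port 587 and TLS-only measures in the reply address.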
