On Wed, Oct 28, 2009 at 01:00:42PM +0000, Mike Cardwell wrote:

> > Dean Brooks wrote:
> >> Here's what we use to automatically control failed authentication
> >> attempts.
>
> If a client makes a single connection to your SMTP server then makes a
> million attempts to authenticate using different credentials each time,
> wouldn't that only increment the ratelimit value by 1 as it only
> increments the value on Exit... Eg, in the following example I make
> three different authentication failures but only quit once:
Took me a few minutes to remember why this wasn't a problem and finally remembered.

A failed auth attempt counts as a "non-mail" command and increments the counter against the global "smtp_accept_max_nonmail" setting. It defaults to 10 but we have it set to "3" on our system:

    smtp_accept_max_nonmail = 3

So, essentially, they can at most execute 3 attempts per connection and a maximum of 15 connection failures using the ratelimits. Essentially up to 45 failed auth attempts.

--
Dean Brooks
[email protected]
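As an added illustration of the two layers described above, here is a hypothetical Exim configuration fragment; it is not Dean's or Mike's actual configuration (the ratelimit ACL from the earlier message is not shown in this thread). It caps non-mail commands per connection and refuses connections from hosts that have repeatedly ended sessions without authenticating. Option and variable names follow the Exim specification; the `readonly` ratelimit option assumes Exim 4.70 or later.

```exim
# Main section: a failed AUTH counts as a non-mail command, so after
# three of them Exim drops the connection (the default limit is 10).
smtp_accept_max_nonmail = 3

acl_smtp_connect = acl_check_connect
acl_smtp_quit    = acl_check_quit

begin acl

# At connect time, consult (but do not update) the per-host counter that
# the quit ACL maintains. Once a host has exceeded 15 counted sessions in
# an hour, refuse further connections. Limit, period, per_* mode and key
# must match the quit ACL so both refer to the same database entry.
acl_check_connect:
  deny  ratelimit   = 15 / 1h / per_conn / readonly / $sender_host_address
        log_message = too many unauthenticated sessions from $sender_host_address
        message     = Too many failed sessions, try again later
  accept

# At QUIT, bump the counter only for sessions that never authenticated
# ($authenticated_id is empty unless AUTH succeeded). The quit ACL cannot
# reject, so "warn" is used purely for its side effect of updating the
# ratelimit database; "strict" keeps counting even once over the limit.
acl_check_quit:
  warn  condition = ${if eq{$authenticated_id}{}}
        ratelimit = 15 / 1h / per_conn / strict / $sender_host_address
  accept
```

Apply this only to the submission service (port 587 or 465): ordinary MTA-to-MTA sessions on port 25 never authenticate and would otherwise be counted as failures.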
