Wietse Venema:

> > This got me wondering if there's any easy way to have anvil report
> > stats based on the authenticated SASL username, in addition to the
> > remote IP address?
>
> Not at the moment, but a policy daemon could notice that (too) many
> connections use the same sasl_username attribute value.
Unfortunately, this would require a non-trivial change, because it requires a new type of counter that does not yet exist.

Currently, the anvil daemon maintains one counter for each (service name, client IP address, event type) tuple within the anvil_rate_time_unit time interval, for some subset of all possible event types. For example, the tuple (smtp, 192.168.1.2, connect) counts the number of connections from address 192.168.1.2 to the default SMTP port. The counters for STARTTLS, MAIL or RCPT commands work in the same way. If a counter exceeds a limit, then the Postfix SMTP server rejects the corresponding client command.

What you want requires that anvil maintains one counter for each (service name, command type, command argument value) tuple within the anvil_rate_time_unit time interval, for some subset of all possible command types. For example, the tuple (submission, AUTH, u...@example.com) would count the number of SASL logins under the name u...@example.com within the anvil_rate_time_unit time interval. The counters for HELO command arguments, MAIL FROM addresses or RCPT TO addresses would work in the same way. If a counter exceeds a limit, then the Postfix SMTP server would reject the corresponding client command (in the case of AUTH, this would cause the authentication as u...@example.com to fail).

So it is not just adding another counter like the existing ones for connect, STARTTLS, MAIL or RCPT commands, but a whole new family of counters.

Wietse
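As an added illustration of the policy-daemon route mentioned above (example code written for this page, not Postfix code and not from anyone in the thread): a sliding-window counter keyed by the (service, attribute, value) tuple family described in the reply, driven by the Postfix SMTPD policy delegation protocol. It assumes the policy request carries `sasl_username` and `server_port` (used here as the service discriminator), and the window and limit values are constructed stand-ins for `anvil_rate_time_unit` and an anvil-style limit.

```python
"""Minimal per-sasl_username rate counter behind the Postfix policy protocol.

Constructed example: one counter per (service, attribute, value) tuple within
a fixed time window; excess events answer with DEFER_IF_PERMIT, all else DUNNO.
"""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # constructed stand-in for anvil_rate_time_unit
LIMIT = 20            # constructed per-tuple limit per window


class TupleRateCounter:
    """Sliding-window event counter keyed by (service, attribute, value)."""

    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)   # tuple -> timestamps of recent events

    def hit(self, service, attribute, value, now=None):
        """Record one event and return True if this tuple is now over the limit."""
        now = time.monotonic() if now is None else now
        q = self._events[(service, attribute, value)]
        while q and now - q[0] >= self.window:   # expire events outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.limit


def parse_policy_request(raw):
    """Parse a policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:          # empty line ends the request
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(counter, raw, now=None):
    """Return the 'action=' reply Postfix expects for one policy request."""
    attrs = parse_policy_request(raw)
    user = attrs.get("sasl_username", "")
    if not user:              # unauthenticated session: leave it to other restrictions
        return "action=DUNNO"
    service = attrs.get("server_port", "25")   # assumption: port stands in for service
    if counter.hit(service, "sasl_username", user, now):
        return "action=DEFER_IF_PERMIT Too many requests for this login, try again later"
    return "action=DUNNO"
```

A real deployment would wrap `policy_action` in a socket loop and list the socket under `check_policy_service` in the relevant `smtpd_*_restrictions`; the counter itself lives in the daemon, so it persists across the short-lived policy requests.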