On 10/2/13 10:32 AM, Viktor Dukhovni wrote:
> On Wed, Oct 02, 2013 at 10:17:16AM -0500, List wrote:
>> We are currently using dovecot for smtp auth, and due to an increase
>> in spammers abusing smtp auth we setup dovecot to return an invalid
>> login for users that have been set to "disabled" in our
>> provisioning system. This seemed to work for a while (preventing
>> spammers that are using auth), but we are finding that a number of
>> spammers are somehow keeping their smtp connection open after we
>> have "disabled" smtp auth and continuing to send messages even
>> though the authentication should be failing. We are not sure why
>> this is the behavior or even what we should be looking for to
>> determine how they are circumventing the authentication.
> The full story is in your logs. Find a message sent by a disabled
> user after the account was disabled. Find the associated smtpd(8)
> connect and disconnect log entries. If a single connection continues
> to generate messages long after the account is disabled, then indeed
> your description is correct.
> Regardless of whether you've disabled an account or not, you should
> probably use a policy service that limits the message rate from a
> given SASL user account (returning a 421 error code when the rate
> is exceeded). The policy service can also check whether the account
> has been disabled. This check will not be cached (unlike the SASL
> login status of the SMTP connection).
Indeed, we are actually writing a policy service now to deal with rate
limits and blacklisting/whitelisting SASL. One thing I noticed in the
documentation regarding smtpd_recipient_restrictions (under " Dangerous
use of smtpd_recipient_restrictions") is that recipient restrictions can
result in too permissive access. I wonder if moving the
check_client_access and permit_sasl_authenticated below
reject_unauth_destination would help?
smtpd_recipient_restrictions =
#### Permit networks defined in /etc/postfix/mynetworks
permit_mynetworks
reject_unauth_destination
#### POP/IMAP before SMTP
check_client_access mysql:/etc/postfix/authb4smtp.cf
check_client_access cidr:/etc/postfix/access
#### Permit SASL authenticated
permit_sasl_authenticated
Also I understand that smtpd_client_restrictions is the first to be
evaluated; would it make sense to move the permit_sasl_authenticated
into this access restriction or not so much?
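As an added illustration of the policy service Viktor describes above (not code from either poster, and not Postfix's own), the following minimal Postfix access-policy daemon speaks the name=value request protocol, returns 421 for a disabled SASL account or when a per-user message rate is exceeded, and DUNNO otherwise. The disabled-account set, the limit of 3 messages per hour, and the listening port 10040 are assumptions for the example; it is meant to be called from smtpd_end_of_data_restrictions so each message is counted once.

```python
import socketserver
import time
from collections import defaultdict, deque

# Constructed sample data: accounts flagged "disabled" in the provisioning system.
DISABLED_ACCOUNTS = {"mallory@example.com"}
RATE_LIMIT, WINDOW_SECONDS = 3, 3600   # assumed: messages per SASL user per window
_accepted = defaultdict(deque)         # per-user timestamps (in-memory, one process)

def parse_request(raw):
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, now=None):
    """Action for one request; intended for smtpd_end_of_data_restrictions."""
    now = time.time() if now is None else now
    user = attrs.get("sasl_username", "")
    if not user:
        return "DUNNO"             # not SASL-authenticated: other restrictions decide
    if user in DISABLED_ACCOUNTS:  # 421 drops the connection, so a cached login no longer helps
        return "421 4.7.0 Account disabled, closing connection"
    if attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "DUNNO"             # count once per message, not once per recipient
    stamps = _accepted[user]
    while stamps and stamps[0] <= now - WINDOW_SECONDS:
        stamps.popleft()           # expire timestamps outside the window
    if len(stamps) >= RATE_LIMIT:
        return "421 4.7.0 Message rate exceeded, closing connection"
    stamps.append(now)
    return "DUNNO"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):              # Postfix may send several requests per connection
        while True:
            lines = iter(lambda: self.rfile.readline().decode("utf-8", "replace").rstrip("\r\n"), "")
            raw = "\n".join(lines) + "\n"
            if raw == "\n":
                return             # peer closed the connection
            self.wfile.write(("action=%s\n\n" % decide(parse_request(raw))).encode())
            self.wfile.flush()

if __name__ == "__main__":         # main.cf: check_policy_service inet:127.0.0.1:10040 (assumed port)
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Because the decision is made on every message rather than once at AUTH time, disabling an account in the provisioning system takes effect on the next message even if the spammer never reconnects.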