Hello list!
Is there a way to prevent postfix from offering SASL auth (and that
includes denying open relaying) to clients based on DNS RBL lookups? I've
discovered the option smtpd_sasl_exceptions_networks, which allows doing
that by adding static subnet entries or adding a hash map.
The idea goes like this:
* SASL auth is not offered -> no way to relay mail
* based on a DNS-RBL that lists ASs with known bad behavior
* based on a DNS-RBL that lists IPs which are known to run compromised servers
I imagined a configuration like this:
smtpd_sasl_exceptions_networks =
reject_rbl_client z.mailspike.net=127.0.0.2
reject_rbl_client dnsbl-3.uceprotect.net
Apart from this maybe being a bad idea, it would open the possibility to
react to distributed brute force attacks and compromised passwords if an
appropriate DNS BL could be offered by someone.
Currently, I'd like to try out the idea but I'm not sure if the above
configuration accepts passing in DNS BLs. Any suggestions?
What could be the consequences of this? I'm interested in reading more
ideas. Maybe there's already another approach to successfully prevent bots
from using compromised mail user accounts?
I outlined the same question here:
http://serverfault.com/questions/602327/postfix-offer-sasl-authentication-based-on-rbl
--
Replies to list only preferred.
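Added example, not part of the original post or of Postfix: the lookup the poster wants to reuse is the plain DNSBL check behind reject_rbl_client (reverse the client's IPv4 octets, prepend them to the zone, and either accept any A record or require the specific "=d.d.d.d" answer). The script below implements that check in Python against a constructed in-memory resolver (the zone names are the ones from the post; the listed addresses and answers are made up), and turns the hits into a cidr: table that smtpd_sasl_exceptions_networks can read. The table value "noauth" is arbitrary, since Postfix ignores the lookup result for network lists and only checks for a match; the system_resolver helper is the only part that touches real DNS and is not used by the offline run.

```python
"""DNSBL lookup in the style of reject_rbl_client, feeding a cidr: table.

Added example; none of this is Postfix code or from the original poster.
Zone names come from the post; all addresses and answers are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str], List[str]]  # hostname -> A records ([] if unlisted)

# RBL specs exactly as they appear in the post.
RBL_SPECS = ["z.mailspike.net=127.0.0.2", "dnsbl-3.uceprotect.net"]

# Constructed answers for the offline run (not real listings).
FAKE_ANSWERS: Dict[str, List[str]] = {
    "5.2.0.192.z.mailspike.net": ["127.0.0.2"],          # listed with the wanted code
    "7.100.51.198.z.mailspike.net": ["127.0.0.10"],      # listed, but a different code
    "7.100.51.198.dnsbl-3.uceprotect.net": ["127.0.0.2"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS; anything not in FAKE_ANSWERS is NXDOMAIN."""
    return list(FAKE_ANSWERS.get(name, []))


def system_resolver(name: str) -> List[str]:
    """Real lookup via the system resolver (unused in the offline run)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """192.0.2.5 + zone -> 5.2.0.192.zone (IPv4 only in this example)."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def parse_rbl_spec(spec: str) -> Tuple[str, Optional[str]]:
    """'zone=127.0.0.2' -> ('zone', '127.0.0.2'); plain 'zone' -> ('zone', None)."""
    zone, sep, value = spec.partition("=")
    return zone, (value if sep else None)


def rbl_listed(client_ip: str, spec: str, resolve: Resolver) -> bool:
    """True when the client is listed (any A record, or the required one)."""
    zone, wanted = parse_rbl_spec(spec)
    answers = resolve(dnsbl_query_name(client_ip, zone))
    if wanted is None:
        return bool(answers)
    return wanted in answers


def sasl_exceptions_for(client_ips: Iterable[str], specs: Iterable[str],
                        resolve: Resolver) -> Dict[str, str]:
    """Map each listed client IP to the first RBL spec that matched it."""
    hits: Dict[str, str] = {}
    for ip in client_ips:
        for spec in specs:
            if rbl_listed(ip, spec, resolve):
                hits[ip] = spec
                break
    return hits


def render_cidr_table(hits: Dict[str, str]) -> str:
    """One '<ip>/32 noauth' line per hit, usable as cidr:/etc/postfix/noauth."""
    return "\n".join(f"{ip}/32 noauth" for ip in hits)


if __name__ == "__main__":
    # Constructed sample of recent client addresses (documentation ranges).
    clients = ["192.0.2.5", "198.51.100.7", "203.0.113.9"]
    hits = sasl_exceptions_for(clients, RBL_SPECS, fake_resolver)
    for ip, spec in hits.items():
        print(f"{ip} listed by {spec}")
    print(render_cidr_table(hits))
```

Usage: run it with system_resolver instead of fake_resolver from cron, write the output to a cidr: file, point smtpd_sasl_exceptions_networks at that file, and reload Postfix so new smtpd processes pick it up; the list is only as fresh as the last run, which is the main difference from a per-connection reject_rbl_client lookup.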