On Wed, 1 Jul 2020, Sebastian Nielsen via Exim-users wrote:
It's just that such systems as you describe only prevent further damage when the damage is already done. It could be enough with, like, a few spam messages to get blacklisted. So even if you rate-limit to, like, 10 messages per day, you still risk ending up on a blacklist if some account is compromised.
For low volume systems, yes that could be true.
The best way, as I said, is to enforce sign-in limits. Limit the account to GeoIP, limit the account to ISP. Require TOTP to reset IP limits. Use TOTP for webmail login. Only allow limitless logins from campus IPs.
... ...
TOTP is the easiest way to secure an account, but it doesn't work over SMTP/IMAP; instead it can only be used in webmail. That's why you need to use some IP limitation for SMTP/IMAP, where a TOTP login to the webmail also authorizes the source IP to access SMTP/IMAP for the user in question.
(X)OAUTH2 uses short-term, but not one-time, passwords. Microsoft and Gmail seem to be using these successfully with SMTP/POP/IMAP. Would this be an acceptable alternative? (Exim doesn't currently support (X)OAUTH2, and experience with alpine/fetchmail/mutt/thunderbird suggests that client-side support is needed for each host domain, so I am not clear that this is a feasible suggestion.)

-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
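The scheme quoted above (a TOTP login to webmail temporarily authorizes the client's source IP for SMTP/IMAP, campus ranges are exempt, and each account keeps a daily outbound cap) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not code from Exim or from either poster. The TOTP routine follows RFC 6238 with HMAC-SHA1; the campus range 203.0.113.0/24, the 12-hour grant lifetime, the 10-messages-per-day cap, and the account/secret values are constructed for the example.

```python
"""Toy model of TOTP-authorized source IPs plus a per-account send cap.
Added example; all ranges, lifetimes and secrets are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

# Constructed policy values for the example.
CAMPUS_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # unrestricted logins from here
IP_GRANT_TTL = 12 * 3600          # seconds a TOTP webmail login authorizes an IP
DAILY_SEND_CAP = 10               # outbound messages per account per 24 h
TOTP_STEP = 30                    # RFC 6238 time step in seconds


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter floor(now / step)."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    totp_secret: bytes
    ip_grants: dict = field(default_factory=dict)   # source IP -> grant expiry (epoch)
    sent: list = field(default_factory=list)        # epochs of accepted submissions


def on_campus(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def webmail_login(acct: Account, ip: str, code: str, now: float) -> bool:
    """Verify a TOTP code (current and previous step, for clock skew).
    On success the client's source IP is authorized for SMTP/IMAP for IP_GRANT_TTL."""
    valid = any(
        hmac.compare_digest(code, totp(acct.totp_secret, now - skew))
        for skew in (0, TOTP_STEP)
    )
    if valid:
        acct.ip_grants[ip] = now + IP_GRANT_TTL
    return valid


def smtp_imap_login(acct: Account, ip: str, now: float) -> bool:
    """SMTP/IMAP logins are only accepted from campus or from an unexpired grant.
    (Password verification is assumed to have happened already and is omitted.)"""
    if on_campus(ip):
        return True
    expiry = acct.ip_grants.get(ip)
    return expiry is not None and expiry > now


def submit_message(acct: Account, ip: str, now: float) -> tuple:
    """Gate an outbound submission on source-IP authorization and the daily cap."""
    if not smtp_imap_login(acct, ip, now):
        return False, "source IP not authorized for this account"
    acct.sent = [t for t in acct.sent if t > now - 86400]   # drop entries older than 24 h
    if len(acct.sent) >= DAILY_SEND_CAP:
        return False, "daily send cap reached"
    acct.sent.append(now)
    return True, "accepted"


if __name__ == "__main__":
    acct = Account(totp_secret=b"12345678901234567890")   # constructed secret
    t = 1_000_000
    print("off-campus IMAP before TOTP:", smtp_imap_login(acct, "198.51.100.7", t))
    print("webmail TOTP login:", webmail_login(acct, "198.51.100.7", totp(acct.totp_secret, t), t))
    print("off-campus IMAP after TOTP:", smtp_imap_login(acct, "198.51.100.7", t + 60))
    for i in range(DAILY_SEND_CAP + 1):
        print("submission", i + 1, submit_message(acct, "198.51.100.7", t + 120))
```

The point the model makes concrete is the one in the quoted mail: the cap limits the blast radius after a compromise, while the IP grant tied to a TOTP login is what stops a stolen password alone from being usable over SMTP/IMAP from an unknown network.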