On Wed, 1 Jul 2020, Sebastian Nielsen via Exim-users wrote:

> It's just that such systems you describe only prevent further damage when
> the damage is already done. It could be enough with like a few spam messages
> to get blacklisted. So even if you ratelimit to like 10 messages per day,
> you still risk ending up on a blacklist if some account is compromised.

For low volume systems, yes that could be true.

> The best way as I said is to enforce sign in limits.
> Limit account to GeoIP,
> limit account to ISP.
> Require TOTP to reset IP limits.
> Use TOTP for webmail login.
> Only allow limitless logins from campus IPs.

   ...    ...

> TOTP is the easiest way to secure an account, but doesn't work over
> SMTP/IMAP, instead it can only be used in webmail, that's why you
> need to use some IP limitation for SMTP/IMAP where a TOTP login to
> the webmail also authorizes the source IP to access SMTP/IMAP for
> the user in question.

(X)OAUTH2 uses short-term, but not one-time, passwords.
Microsoft and Gmail seem to be using these successfully
with SMTP/POP/IMAP. Would this be an acceptable alternative?

(Exim doesn't currently support (X)OAUTH2 and experience with
alpine/fetchmail/mutt/thunderbird suggests that client-side support is
needed for each host domain, so I am not clear that this is a feasible
suggestion.)

--
Andrew C. Aitchison                                     Kendal, UK
                        and...@aitchison.me.uk
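The scheme quoted above (a TOTP login to webmail grants the login's source IP temporary access to SMTP/IMAP for that user, while campus networks are always allowed) can be sketched as a small policy store that an SMTP/IMAP authenticator would consult before accepting a password. The code below is an added illustration written for this thread, not code from the list post, from Exim, or from any webmail product; the class name `IpAuthorizer`, the one-day grant lifetime, the campus network `10.0.0.0/8`, and the user, secret and IP values are all constructed for the example. TOTP is implemented directly from RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) so the block runs with the standard library only.

```python
import hashlib
import hmac
import ipaddress
import struct
import time


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step, HMAC-SHA1, truncated."""
    counter = at // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock skew."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + k * step, step), code):
            return True
    return False


class IpAuthorizer:
    """Grants (user, source IP) pairs SMTP/IMAP access after a TOTP webmail login.

    Campus networks are always allowed; everything else needs an unexpired grant.
    Constructed policy: grants last `ttl` seconds (default one day).
    """

    def __init__(self, campus_networks, ttl: int = 86400):
        self.campus = [ipaddress.ip_network(n) for n in campus_networks]
        self.ttl = ttl
        self.secrets = {}   # user -> TOTP secret (assumed stored securely elsewhere)
        self.grants = {}    # (user, ip) -> expiry time (epoch seconds)

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def webmail_login(self, user: str, ip: str, code: str, now: int) -> bool:
        """Called by webmail after the password check; a valid TOTP authorizes `ip`."""
        secret = self.secrets.get(user)
        if secret is None or not verify_totp(secret, code, now):
            return False
        self.grants[(user, str(ipaddress.ip_address(ip)))] = now + self.ttl
        return True

    def smtp_imap_allowed(self, user: str, ip: str, now: int) -> bool:
        """Policy an SMTP/IMAP authenticator asks before accepting the user's password."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.campus):
            return True
        expiry = self.grants.get((user, str(addr)))
        return expiry is not None and now < expiry


if __name__ == "__main__":
    # Constructed demo: RFC 6238's reference secret, a campus /8, one off-campus client.
    auth = IpAuthorizer(campus_networks=["10.0.0.0/8"])
    auth.enroll("alice", b"12345678901234567890")
    now = int(time.time())
    print("off-campus before login:", auth.smtp_imap_allowed("alice", "203.0.113.5", now))
    print("webmail TOTP login:", auth.webmail_login("alice", "203.0.113.5", totp(b"12345678901234567890", now), now))
    print("off-campus after login:", auth.smtp_imap_allowed("alice", "203.0.113.5", now))
    print("campus, no login needed:", auth.smtp_imap_allowed("alice", "10.0.0.7", now))
```

The grant table is keyed by the exact source address, so a compromised password alone is not enough from an unseen network: the attacker also needs the TOTP secret to authorize their own IP. A real deployment would persist the grants where the MTA's authenticator can read them and would rate-limit `webmail_login` to blunt TOTP guessing.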
