On Wed, Oct 07, 2015 at 10:07:16PM +0000, Viktor Dukhovni wrote:
> On Wed, Oct 07, 2015 at 02:52:36PM -0700, Quanah Gibson-Mount wrote:
> 
> > >What would help is putting the "check_sasl_access" table in SQL.
> > >
> > >>I should've stopped/restarted immediately...
> > >
> > >No, instead put your access table in SQL (possibly CDB would work
> > >too, but I'm not sure), that way you don't need reload or restart.
> > 
> > So if they are in the SASL table, does it force close their connection? Just
> > want to be sure that if I implement this via an LDAP table, that the spammer
> > doesn't go on spamming once the user password is changed and the account is
> > unlocked.
> 
> The "check_sasl_access" restriction consults an access(5) table
> and can return any supported access(5) result.
> 
> In this case, it might make sense to go with:
> 
>     u...@example.com    521 5.7.1 Account disabled
> 
> which drops the connection as documented.

Mind you, if they log in the meantime, and don't send any mail,
the connection is timed out.  If they do try to send mail, the
transaction is refused.  When the error limit is exceeded the
connection is closed.  

So the exposure is not so bad even without dropping the connection,
but dropping may be better, if the MUA of the unfortunate user handles
this in an acceptable way (not much worse than what you get by
refusing messages and not closing).

-- 
        Viktor.
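
The setup discussed in this thread, sketched as an added example that is not part of the original messages: a SQL-backed "check_sasl_access" table that returns the 521 result for disabled logins. The file paths, the database credentials and the locked_accounts table are assumptions made for illustration.

```conf
# /etc/postfix/main.cf (excerpt; the other restrictions listed are an assumption)
# check_sasl_access uses the SASL login name as the lookup key for an
# access(5) table. Placed in smtpd_recipient_restrictions, the lookup
# runs at each RCPT TO, so a newly added row applies to the next recipient.
smtpd_recipient_restrictions =
    check_sasl_access mysql:/etc/postfix/sasl-access.cf,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/sasl-access.cf (hypothetical file name; restrict read
# access to it, since it holds the database password)
hosts = 127.0.0.1
user = postfix_ro
password = CHANGE_ME
dbname = mail
# locked_accounts(login) is a hypothetical table with one row per disabled
# login. No matching row means no result, and Postfix moves on to the next
# restriction. A match returns the access(5) action below: 521 refuses the
# command and drops the connection.
query = SELECT '521 5.7.1 Account disabled' FROM locked_accounts WHERE login = '%s'

# Check the lookup from the shell before relying on it:
#   postmap -q "user@example.com" mysql:/etc/postfix/sasl-access.cf
```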
