--On Wednesday, October 07, 2015 11:13 PM +0000 Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

Mind you, if they log in the mean time, and don't send any mail,
the connection is timed out.  If they do try to send mail, the
transaction is refused.  When the error limit is exceeded the
connection is closed.

So the exposure is not so bad even without dropping the connection,
but dropping may better, if the MUA of the unfortunate user handles
this in an acceptable way (not much worse than what you get by
refusing messages and not closing).

Ok.  What I want to avoid is this:

User account is compromised
Spammer creates a persistent connection to send out spam
Admin adds compromised user to the SASL map
Admin contacts user, has them change their password
Admin removes user from the SASL map
Compromised connection is still open to postfix, and spam continues until postfix is restarted, and the spammer can no longer auth because the password was changed.

I see this fairly frequently with our customers, where they don't understand why simply having the user change their password doesn't stop the spammer from being able to send out email, because postfix "logs" an auth for every one of the emails sent out over the persistent connection, even thought they actually only have auth'd when initially opening the connection.

--Quanah



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Reply via email to