> On Nov 22, 2017, at 9:31 AM, Vegard Svanberg <veg...@svanberg.no> wrote:
>
> The same scenario occurs if a botnet has set up multiple connections,
> but the server is laggy or whatever so they've authenticated, but
> haven't gotten to the "DATA" part of the SMTP dialogue yet (BTW: some
> spambots appear to exhibit speculative behaviour here - as if they do
> this on purpose).
>
> So... what's the recommended approach here?
>
> Is there an easy way to tear down specific (by a particular user)
> connections?
In front of permit_sasl_authenticated, use:

    http://www.postfix.org/postconf.5.html#check_sasl_access

main.cf:
    # Default, just don't set it to "no"
    # smtpd_delay_reject = yes

    sqlorldap = ...:${config_directory}/

    # Postfix 2.10 or later
    smtpd_relay_restrictions =
        check_sasl_access ${sqlorldap}compromised.cf,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

compromised.cf:
    # Define a table that returns "REJECT 5.7.1 Compromised login account"
    # when the lookup key matches a compromised SASL login name.
    ...

The table needs to be SQL or LDAP as indexed file tables are only
reloaded between connections, not in the middle of a connection.

The most lightweight table for this is perhaps sqlite, it should
support concurrent reads by Postfix across writes by some management
tool, but I've not tried this. You're probably better off with
Postgres, MySQL or LDAP.

-- 
	Viktor.
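An added illustration, not part of the thread, of the sqlite variant Viktor mentions but has not tried: it writes the sqlite_table(5) file for compromised.cf (the real parameters are dbpath and query) and runs the same lookup Postfix would, with a separate writer connection standing in for the management tool so that a newly flagged login is rejected on the very next lookup. The table and column names (compromised, login), the database path and the login bob@example.com are assumptions.

```python
import os
import sqlite3
import tempfile

# Action string from the reply; what check_sasl_access applies on a hit.
REJECT_ACTION = "REJECT 5.7.1 Compromised login account"

# Assumed schema: one row per compromised SASL login name.
SCHEMA = "CREATE TABLE IF NOT EXISTS compromised (login TEXT PRIMARY KEY)"

# The query Postfix runs per lookup; %s is the SASL login name, which
# Postfix SQL-quotes before substitution.
QUERY = f"SELECT '{REJECT_ACTION}' FROM compromised WHERE login = '%s'"


def compromised_cf(dbpath):
    """Contents of compromised.cf for sqlite:${config_directory}/compromised.cf."""
    return f"dbpath = {dbpath}\nquery = {QUERY}\n"


def open_db(dbpath):
    conn = sqlite3.connect(dbpath)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def mark_compromised(conn, login):
    """Management-tool side: flag an account (e.g. after a leaked password)."""
    conn.execute("INSERT OR IGNORE INTO compromised (login) VALUES (?)", (login,))
    conn.commit()


def clear_compromised(conn, login):
    """Management-tool side: unflag once the password has been reset."""
    conn.execute("DELETE FROM compromised WHERE login = ?", (login,))
    conn.commit()


def lookup(conn, login):
    """Postfix side: same query as compromised.cf, with parameter binding."""
    row = conn.execute("SELECT ? FROM compromised WHERE login = ?",
                       (REJECT_ACTION, login)).fetchone()
    return row[0] if row else None


def demo():
    """Reader (smtpd) and writer (management tool) on separate connections."""
    workdir = tempfile.mkdtemp()
    dbpath = os.path.join(workdir, "compromised.db")  # assumed location
    writer, reader = open_db(dbpath), sqlite3.connect(dbpath)
    try:
        before = lookup(reader, "bob@example.com")     # None: not listed
        mark_compromised(writer, "bob@example.com")    # flagged mid-session
        during = lookup(reader, "bob@example.com")     # REJECT on next lookup
        clear_compromised(writer, "bob@example.com")   # password reset done
        after = lookup(reader, "bob@example.com")      # None again
        return {"before": before, "during": during, "after": after,
                "cf": compromised_cf(dbpath)}
    finally:
        reader.close(); writer.close()
        os.remove(dbpath); os.rmdir(workdir)
```

Because the lookup is re-run for each MAIL/RCPT command rather than at connection setup, flagging the login takes effect on connections the bot already has open, which is the property indexed file tables lack.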