On 03 Nov 2019, at 06:06, Wietse Venema <wie...@porcupine.org> wrote:
> Wietse Venema:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>
>> Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>
> Also, Postfix can rate-limit auth commands, on the assumption that
> good users don't make lots of repeated login attempts.
>
> Wietse
>
> http://www.postfix.org/postconf.5.html#smtpd_client_auth_rate_limit
>
> smtpd_client_auth_rate_limit (default: 0)
>     The maximal number of AUTH commands that any client is allowed
>     to send to this service per time unit, regardless of whether
>     or not Postfix actually accepts those commands. The time unit
>     is specified with the anvil_rate_time_unit configuration
>     parameter.

That defaults to 60s so setting this to 3 would rate limit to three attempts per minute. That’s good to know. That might be useful, though I am not sure I am seeing very fast auth attempts. Still, it certainly can’t hurt.
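
An added example, not part of the original thread: one way to check from the mail log how fast each client is actually failing AUTH before choosing a value for smtpd_client_auth_rate_limit. It assumes the usual Postfix "SASL ... authentication failed" warning format; the sample log lines and the function names are constructed for illustration. The log only shows failed attempts, so the counts are a lower bound on AUTH commands sent, and the sliding window only approximates how anvil counts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd warning for a failed SASL login; captures timestamp and client IP.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?:\w+/)?smtpd\[\d+\]: "
    r"warning: \S*\[([0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed")

def _line(hms, ip):
    # Builds one constructed log line (documentation-range addresses only).
    return (f"Nov  3 {hms} mx postfix/smtpd[2101]: warning: unknown[{ip}]: "
            "SASL LOGIN authentication failed: UGFzc3dvcmQ6")

SAMPLE_LOG = "\n".join(
    # Fast guesser: 5 failures in 32 seconds.
    [_line(f"06:00:{s:02d}", "203.0.113.5") for s in (1, 9, 17, 25, 33)]
    # Slow guesser: one failure every two minutes.
    + [_line(f"06:{m:02d}:00", "198.51.100.7") for m in (1, 3, 5)]
    # Mistyped password: 3 failures inside one minute.
    + [_line(f"06:10:{s:02d}", "192.0.2.10") for s in (0, 20, 40)]
    + ["Nov  3 06:10:41 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]"])

def peak_auth_failures(log_text, window=timedelta(seconds=60), year=2019):
    """Return {client_ip: most failures seen inside any one window}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied by the caller.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(2)].append(ts)
    peaks = {}
    for client, times in events.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop events older than the window
                start += 1
            best = max(best, end - start + 1)
        peaks[client] = best
    return peaks

def over_limit(log_text, limit=3):
    """Clients whose peak rate exceeds the candidate limit per 60s window."""
    return sorted(c for c, n in peak_auth_failures(log_text).items() if n > limit)

if __name__ == "__main__":
    print(peak_auth_failures(SAMPLE_LOG), over_limit(SAMPLE_LOG))
```

On the constructed sample only the fast client exceeds a limit of 3; the slow one never makes more than one attempt per minute, which is the case where a per-client rate limit alone does not help.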