Another way to deal with compromises is to IP-restrict the user accounts so they can only log in from where they are supposed to log in from. If ALL of your users "belong" to the same country, for example if it's a company-internal email server, I would suggest setting auth_advertise_hosts to a list of CIDR ranges that your country, or even better, your company, uses.
If different users belong to different countries, for example if you run a webhosting company, I would suggest putting the country that was used to register the account, or the country that issued the credit card that was used to pay for the webhosting, in a database. Then in the authenticator, you verify that the user's geoIP country for the IP he is logging in from matches the country in the database. There are different solutions for this; the most "ugly" hackish solution is to append the country to the password before hashing, and upon login, append the user's geoIP country to the password before hashing. Other solutions involve custom authenticators that also validate the country as part of authentication. If the user then logs in from an "incorrect" country, the password will come out as invalid, even if he specifies a correct password.

-----Original message-----
From: Exim-users <[email protected]> On behalf of Heiko Schlittermann via Exim-users
Sent: 25 September 2019 11:31
To: [email protected]
Subject: Re: [exim] New compromise...?

Mark Elkins via Exim-users <[email protected]> (Wed 25 Sep 2019 03:47:41 EDT):
> However - from my viewpoint, the Username used in the authentication
> "[email protected]" should be the same as the "From".. i.e. <=
> [email protected].
> Is there a neat way to drop emails when the "From" is not the same as the
> PLAIN authenticated name?

Yes.

In the authenticator use

    server_set_id = ...

either by just setting $auth1 or $auth2 (depending on the auth mechanism: for PLAIN $auth2, for LOGIN $auth1), or use the authenticated ID ($auth…). (Or use $authN for a lookup, e.g. to map it to sender addresses.)

Note, the authenticated id will appear in the outgoing message.

In the MAIL ACL (or later) you can block messages from authenticated users if the authenticated ID does not match the sender address, or you can ratelimit on the authenticated ID.

MAIL ACL

    deny message = sorry, sender must match user name
         authenticated = *
         !sender_address = $authenticated_id

or count the distinct recipients per user, allowing a burst (so 100/1d isn't the same as 50/12h)

RCPT ACL

    deny message = sorry, too many distinct recipients
         authenticated = *
         ratelimit = 100/1d / per_addr / $authenticated_id

Not tested, not verified against the spec, may contain typos or other errors. But you should get the idea.

Best regards from Atlanta/GA
Best regards from Atlanta/USA

    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
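The following is an added example, not configuration posted by either participant in the thread. It puts both suggestions into one Exim 4 configuration fragment: the first message's restriction of AUTH to known CIDR ranges plus a custom authenticator that compares the account's registered country with the country of the connecting IP, and Heiko's MAIL ACL sender check and RCPT ACL per-user recipient rate limit. Everything not stated in the thread is an assumption for illustration: the CIDR ranges, the authenticator and ACL names, the file paths and their lsearch/iplsearch formats (/etc/exim4/passwd, /etc/exim4/user_country, /etc/exim4/ip_country), and the use of a local CIDR-to-country table standing in for a real GeoIP database. The "append the country to the password before hashing" hack is deliberately not used; the country check is done as a separate condition in the authenticator.

```exim
# Added example (not from the thread). Exim 4 configuration fragment; all
# ranges, names and file formats below are assumptions for illustration.

# --- main section ---------------------------------------------------------

# Suggestion 1a: only advertise AUTH to the company's own ranges. Clients
# outside the list are never offered AUTH.
auth_advertise_hosts = 192.0.2.0/24 : 198.51.100.0/24

# The same ranges as a named list, so the authenticator can check them again
# (belt and braces: hidden AND enforced).
hostlist auth_hosts = 192.0.2.0/24 : 198.51.100.0/24

acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt

# --- ACLs -----------------------------------------------------------------
begin acl

# Suggestion 2a (MAIL ACL): an authenticated user may only use the identity
# recorded by server_set_id as envelope sender. eqi compares case-insensitively.
acl_check_mail:
  deny
    authenticated = *
    condition     = ${if !eqi{$sender_address}{$authenticated_id}}
    message       = sorry, sender must match user name
  accept

# Suggestion 2b (RCPT ACL): at most 100 distinct recipient addresses per
# authenticated user per day. per_addr counts each recipient address once,
# so 100 addresses in one hour are allowed; the 101st new one is not.
acl_check_rcpt:
  deny
    authenticated = *
    ratelimit     = 100 / 1d / per_addr / $authenticated_id
    message       = sorry, too many distinct recipients
  accept
    authenticated = *
  deny
    message       = relay not permitted

# --- authenticators -------------------------------------------------------
begin authenticators

# Suggestion 1b: PLAIN authenticator that, besides the password, requires
# the client IP to be in auth_hosts and the account's registered country to
# equal the country assigned to the client IP. For PLAIN, $auth2 is the user
# name and $auth3 the password.
#
# Assumed file formats:
#   /etc/exim4/passwd        (lsearch)   user@example.com: $6$salt$crypt3hash
#   /etc/exim4/user_country  (lsearch)   user@example.com: SE
#   /etc/exim4/ip_country    (iplsearch) 192.0.2.0/24: SE
#
# Any lookup that misses (unknown user, IP not in the country table) uses
# "fail", which forces the whole server_condition expansion to fail and so
# rejects the login: a correct password from the wrong country is refused
# exactly as if the password were wrong.
plain_country:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if and{ \
      {match_ip{$sender_host_address}{+auth_hosts}} \
      {crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}fail}}} \
      {eq{${lookup{$auth2}lsearch{/etc/exim4/user_country}{$value}fail}} \
          {${lookup{$sender_host_address}iplsearch{/etc/exim4/ip_country}{$value}fail}}} \
    }}
  # Record the authenticated user so the ACLs above can compare it to the
  # envelope sender via $authenticated_id.
  server_set_id = $auth2
```

Before enabling this on a live server, check the expansion with `exim -be` style tests and the authenticator with `exim -bh <client-ip>` from inside and outside the listed ranges, and remember that a user travelling abroad will be locked out by the country check by design.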
