On 12 May 2023 11:56:18 UTC, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:
> The _max option is there to cap the load imposed on the system;
> a DDOS is possible whether you have that cap or not (though a
> DOS becomes easier if you limit to lower than the ultimate
> system capability). It's not related to authentication,
> really, unless your system *only* handles MSA work.

I understand (I hope) that already. The DDoS I mean is not load based, as the connection limit will happen early. Most of the load on that host happens on email delivery (dovecot's full text search indexing).

I talk about DDoS based on connection count, by keeping open these pointless failed login attempts. Defaults are 20 concurrent connections and a 5 min timeout; that limit can be easily reached with 1 conn per 15 sec, keeping it open for that timeout. If one has a botnet with 1000 IPs it can keep all the server's connections up for more than 4 hours without repeating from the same IP. Or in other words, it can connect from one IP only once per ~4 hours and keep connections busy for a long time, not allowing real hosts to connect... And that repeating rate will remain unnoticed by many IDS/IPS... Or am I wrong?

If we can prevent that timeout, the IP count or repeating rate must be much higher to achieve the same result. DDoS is still possible, but less simple and better to detect...

Currently I have concurrent connections under 5 all the time, as the attacker mostly waits to get a response and then tries from another IP after a small pause. I have some delays too, but they are conditional: if connections cross 25% of the limit, the delays drop to 0s, but that is really rare.

> One might imagine a per-port cap... but the implementation
> feels problematic at first glance; you really don't want to
> be doing an expensive expansion in the daemon loop.

No, that is not what I need. That host does MSA for public access and MDA for my MX. The host_reserve (and so on) are enough for me yet. The MX (MTA) is on another host... Beside the fact that I have public access to ports separated, it is more simple to maintain ACLs (and others) for me.

> If your authenticator has an expansion which determines this
> policy condition, what happens if you use an acl expansion
> component which does a "drop"? I've not tried this; no
> idea if it functions.

Do you mean the server_condition option? AFAIK it will not work with the dovecot authenticator, as it is consulted only after successful authentication. Or do you mean something else?

I know that recently an auth failed event was added, but it is not in my version (4.94) yet, and I am not sure if it will help with dropping the connection, as it is not documented in the current docs yet.

Anyway, I do not know if exim gets some extra info from the dovecot authenticator, which one can parse. I do not know if dovecot passes it... Does someone know that?

regards

--
Slavko
https://www.slavino.sk/
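As an added illustration (not part of the thread, and not Exim's or Dovecot's code), the slot-exhaustion arithmetic Slavko describes plus a check for its signature in mainlog lines; the sample log lines are constructed in Exim's usual mainlog style and the helper names are mine:

```python
import re
from collections import defaultdict


def required_connection_rate(max_conn, timeout_s):
    """Connections per second needed to keep every slot occupied when each
    connection is left idle until the server timeout (timeout_s) closes it."""
    return max_conn / timeout_s


def per_ip_revisit_interval(max_conn, timeout_s, ips):
    """Seconds between reconnects from one source when `ips` sources share the
    work: 20 slots, 300 s timeout and 1000 IPs gives 15000 s (about 4.2 h)."""
    return ips * timeout_s / max_conn


# Constructed sample mainlog lines in Exim's usual style (not real traffic).
SAMPLE_LOG = """\
2023-05-12 10:00:01 SMTP connection from [203.0.113.10]:51000 I=[192.0.2.1]:587 (TCP/IP connection count = 1)
2023-05-12 10:00:03 dovecot_login authenticator failed for ([203.0.113.10]) [203.0.113.10]: 535 Incorrect authentication data (set_id=alice)
2023-05-12 10:00:16 SMTP connection from [203.0.113.11]:51001 I=[192.0.2.1]:587 (TCP/IP connection count = 2)
2023-05-12 10:00:18 dovecot_login authenticator failed for ([203.0.113.11]) [203.0.113.11]: 535 Incorrect authentication data (set_id=bob)
2023-05-12 10:00:31 SMTP connection from [203.0.113.12]:51002 I=[192.0.2.1]:587 (TCP/IP connection count = 3)
2023-05-12 10:00:33 dovecot_login authenticator failed for ([203.0.113.12]) [203.0.113.12]: 535 Incorrect authentication data (set_id=carol)
2023-05-12 10:00:34 unexpected disconnection while reading SMTP command from ([203.0.113.12]) [203.0.113.12]
2023-05-12 10:05:03 SMTP command timeout on connection from ([203.0.113.10]) [203.0.113.10]
2023-05-12 10:05:18 SMTP command timeout on connection from ([203.0.113.11]) [203.0.113.11]
"""

# Date, time, authenticator name, then the host part ending in "[ip]:".
FAIL_RE = re.compile(r"^\S+ \S+ \S+ authenticator failed for .*?\[([\d.]+)\]:")
TIMEOUT_RE = re.compile(r"^\S+ \S+ SMTP command timeout on connection from .*?\[([\d.]+)\]")


def slot_holders(log_text):
    """Map IP -> number of connections that failed authentication and were then
    held silent until Exim's command timeout fired. A client that fails auth
    and then disconnects or retries (203.0.113.12 above) is not counted."""
    pending = set()          # IPs with a failed auth and no close seen yet
    held = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            pending.add(m.group(1))
            continue
        m = TIMEOUT_RE.match(line)
        if m and m.group(1) in pending:
            held[m.group(1)] += 1
            pending.discard(m.group(1))
    return dict(held)
```

Run over a real mainlog, a steady trickle of distinct sources in `slot_holders` at roughly `required_connection_rate` is the pattern to alert on even while the concurrent connection count stays far below the cap.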