On 27/10/10 02:21, Cassidy Larson wrote:
> This got me wondering if there's any easy way to have anvil report
> stats based on the authenticated SASL username, in addition to the
> remote IP address?
>
> This would help me prevent/monitor potential addresses that are being
> used by a botnet system to relay mails through my mail server.

I use a utility run from cron to parse the SASL username from the Postfix logs. It keeps track of how many logins and IPs there are in a given timeframe. It can block abused accounts (either via updating a Postfix access file or via a MySQL query if user accounts are kept in MySQL) based on exceeding a limit on the number of logins or a limit on the number of different IPs per unique login.

I have put it on SourceForge: http://sourceforge.net/projects/checkauthlog/

While not a real-time solution (like a policy daemon or the introduction of a new parameter in Postfix for rate limiting SASL logins), it can be run frequently from cron, making the window of abuse small.

I wrote it for my own use; it may be of use to others. Feedback on it is welcome.

John
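
The approach described in the reply above, as an added Python sketch (not the checkauthlog code and not from either poster): it counts logins and distinct client IPs per SASL username inside a time window and emits access(5)-style REJECT lines for accounts over a limit. The function names, the limits, the one-hour window and the sample log lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual Postfix smtpd syslog format.
SAMPLE_LOG = """\
Oct 27 00:10:00 mx postfix/smtpd[2090]: 1A2B3C4D01: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Oct 27 02:00:01 mx postfix/smtpd[2101]: 1A2B3C4D02: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Oct 27 02:01:00 mx postfix/smtpd[2102]: 1A2B3C4D03: client=unknown[198.51.100.1], sasl_method=LOGIN, sasl_username=bob@example.com
Oct 27 02:02:00 mx postfix/smtpd[2103]: 1A2B3C4D04: client=unknown[198.51.100.2], sasl_method=LOGIN, sasl_username=bob@example.com
Oct 27 02:03:00 mx postfix/smtpd[2104]: 1A2B3C4D05: client=unknown[198.51.100.3], sasl_method=LOGIN, sasl_username=bob@example.com
Oct 27 02:04:00 mx postfix/smtpd[2105]: connect from unknown[203.0.113.5]
Oct 27 02:10:00 mx postfix/smtpd[2105]: 1A2B3C4D06: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=carol@example.com
Oct 27 02:11:00 mx postfix/smtpd[2106]: 1A2B3C4D07: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=carol@example.com
Oct 27 02:12:00 mx postfix/smtpd[2107]: 1A2B3C4D08: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=carol@example.com
Oct 27 02:13:00 mx postfix/smtpd[2108]: 1A2B3C4D09: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=carol@example.com
"""

# Matches "QUEUEID: client=host[ip], ..., sasl_username=user" lines only.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/[\w/]+\[\d+\]: \w+: "
    r"client=[^\[]*\[(?P<ip>[^\]]+)\], .*sasl_username=(?P<user>\S+)"
)

def summarize(log_text, now, window=timedelta(hours=1)):
    """Map each SASL username to the client IPs of its logins inside the window."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authenticated smtpd connection line
        # Syslog timestamps carry no year; borrow it from `now`.
        when = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if now - window <= when <= now:
            logins[m["user"].lower()].append(m["ip"])
    return dict(logins)

def over_limit(logins, max_logins=3, max_ips=2):
    """Usernames exceeding either the login-count or the distinct-IP limit."""
    return sorted(u for u, ips in logins.items()
                  if len(ips) > max_logins or len(set(ips)) > max_ips)

def access_lines(users):
    """Render access(5)-style entries; the map they go into is site-specific."""
    return [f"{u}\tREJECT" for u in users]

if __name__ == "__main__":
    print("\n".join(access_lines(over_limit(summarize(SAMPLE_LOG, datetime(2010, 10, 27, 2, 30))))))
```

With the sample data, bob trips the distinct-IP limit without exceeding the login count and carol trips the login count from a single IP, which is why both counters are tracked per username.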