Today a user's account was compromised (likely phished) and their credentials used to send email over our main outbound SMTP with TLS and SASL auth.
When we learned of it, the PAM smtp configuration was set up to block the user account authenticating and the account was soon disabled. In the meantime, thousands of spam messages had gone out, as it happened before we got to work. Are there any suggestions on how to tune postfix to limit the spam throughput? There are also legitimate users who have bulk email to send, so limiting by recipient quantity (as we do on our webmail) wouldn't be desirable. I've seen http://www.postfix.org/TUNING_README.html and we are now using:

    smtpd_client_connection_count_limit = 2
    smtpd_client_connection_rate_limit = 10
    smtpd_client_event_limit_exceptions = 127.0.0.0/8, xxx.xxx.xxx.xxx/21
    smtpd_client_message_rate_limit = 10
    smtpd_client_new_tls_session_rate_limit = 10
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    anvil_rate_time_unit = 60s
    anvil_status_update_time = 600s

Most of the client limits had previously been at 50 or 60. The exceptions line includes our servers' subnet. I'd like some idea of what real world values would be useful, or additional suggestions on how to make the performance less attractive to users of compromised accounts. I know spammers refuse to send through our webmail (another dedicated SMTP server for that) as they won't put up with a limit of 10 recipients.

--Donald
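The anvil limits in the post (smtpd_client_*_rate_limit) are keyed on the connecting client's IP address, not on the SASL login, so an account being abused from many client addresses can stay under each per-client limit while the total volume is high. A complementary defender-side check is to count messages per sasl_username from the smtpd log and alert when one login exceeds a burst threshold. The script below is an added example, not part of Donald's post or of Postfix itself; the log lines, hostnames, addresses and the threshold of 10 messages per 60 s are constructed to mirror the post's settings, and the year is assumed because syslog timestamps carry none.

```python
"""Added example: flag SASL-authenticated senders whose message count in a
sliding window exceeds a threshold, from Postfix smtpd 'client=' log lines.
Not code from the original post; log data below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Postfix smtpd logs one line like this per accepted session:
#   Mar  3 02:14:00 mx1 postfix/smtpd[2231]: A000: client=unknown[198.51.100.23],
#       sasl_method=PLAIN, sasl_username=user@example.org
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-Z]+): client=\S+.*?sasl_username=(?P<user>\S+)"
)


def parse_line(line, year=2024):
    """Return (timestamp, sasl_username) for an authenticated session line, else None.
    `year` is an assumption: syslog timestamps do not include one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user")


def find_bursts(lines, limit=10, window_s=60):
    """Return {sasl_username: peak_count} for every login that sent more than
    `limit` messages inside any `window_s`-second window (per-user sliding window)."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # unauthenticated or unrelated line
        ts, user = parsed
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()             # drop entries that fell out of the window
        if len(q) > limit:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


# --- constructed sample log: one legitimate bulk sender, one abused account ---
def _line(sec, qid, user):
    return (f"Mar  3 02:14:{sec:02d} mx1 postfix/smtpd[2231]: {qid}: "
            f"client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username={user}")


SAMPLE_LOG = [_line(s, f"A{s:03d}", "bulk@example.org") for s in range(0, 60, 20)]     # 3 msgs/min
SAMPLE_LOG += [_line(s, f"B{s:03d}", "victim@example.org") for s in range(0, 30, 2)]   # 15 msgs in 30 s
SAMPLE_LOG.append("Mar  3 02:14:31 mx1 postfix/smtpd[2231]: disconnect from unknown[198.51.100.23]")

if __name__ == "__main__":
    for user, peak in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {user}: {peak} messages within 60 s")
```

Fed the real mail log (for example by tailing /var/log/maillog into this script), a hit is the trigger to block the login, which is what the post describes doing by hand once the spam was noticed; raising `limit` keeps legitimate bulk senders below the threshold while a burst of hundreds per minute still trips it.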