On 24/07/2012 08:37, Stan Hoeppner wrote:
> On 7/24/2012 12:44 AM, CSS wrote:
>>
>> On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote:
>>
>>> On 7/23/2012 4:16 PM, CSS wrote:
>>>
>>>> I'd like to take some measures to limit what an authenticated sender can 
>>>> do but not limit legitimate use.
>>>
>>> See:
>>> http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
>>>
>>> You would apply this to your submission service, eg:
>>>
>>> 587      inet  n       -       n       -       -       smtpd
>>>     -o smtpd_enforce_tls=yes
>>>     -o smtpd_sasl_auth_enable=yes
>>>     -o smtpd_client_connection_rate_limit=1
>>>
>>> This limits spammers and legit users to 1 msg/min, 60 msgs per hour.
>>> Postfix is not psychic.
>>>
>>> This may be a problem for roaming users who send batches of mails when
>>> they get a connection--10 msgs takes 10 minutes.  Thus, as with
>>> anything, some analysis and [re]tuning will be required.  If you trust
>>> some users to never have their acct compromised, you can always create
>>> multiple submission services on different ports and have different
>>> limits for different sets of users, or even no limits for some.
>>>
>>> Not a perfect solution, but better than what you have now.
> 
>>  If I can cobble this thing together, the quota module offers things like 
>> messages per day or per hour, which is a fairly reasonable way to restrict 
>> customers.
> 
> Apparently you didn't read the docs I provided.
> http://www.postfix.org/postconf.5.html#anvil_rate_time_unit
> 

anvil is not an anti-spam solution. it's a measure against "clients gone
crazy".

fighting outbound spam is a serious challenge.

> [skip]
> You'd think human beings would be smart enough to follow directions and
> use strong passwords, AV software, etc, and not fall for phishing scams.
>  Your adversary in this war isn't the spammers, it's not the technology,
> but your users.

oh come on! the "users" excuse is way too old. if your software accepts
weak passwords, then the problem is with the software, not the user. AV?
oh no, I don't want any on my unix boxen. phishing? well, it's far from
being a simple thing.

when OS, pki & browser vendors will ignore their business for the
"happiness of the universe", things might get better in an Alice
wonderful world. do you really believe it?


> 
> You should not be expending any more time/effort on the tech piece of
> the solution beyond finding the most basic rate limiting tool and
> enabling it to prevent spewage, right now.  This is the smallest battle
> in this war.
> 
> The big battles are user education (AV software on their machines, safe
> surfing habits, anti-phish education, etc), and wholesale forcing all
> users to change to *enforced* strong passwords.

I disagree. those who put the responsibility of their failure on others
(call em users or whatever) should get another job.

> 
> The user related stuff wins this war.  The tech portion merely decreases
> the amount of damage per clueless user battle.
> 

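Added example, not part of the thread: a Python check that counts accepted messages per SASL login over a sliding hour from Postfix smtpd log lines, the per-user "messages per hour" view the thread discusses for authenticated senders. The log lines are constructed, and the function name, limit, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic), in the form Postfix smtpd logs
# once per message accepted from a SASL-authenticated client.
SAMPLE_LOG = """\
Jul 24 08:00:01 mx postfix/smtpd[2211]: 4A1B2C3D01: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jul 24 08:10:00 mx postfix/smtpd[2212]: 4A1B2C3D02: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jul 24 08:10:02 mx postfix/smtpd[2212]: 4A1B2C3D03: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jul 24 08:10:03 mx postfix/smtpd[2212]: 4A1B2C3D04: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jul 24 08:10:05 mx postfix/smtpd[2212]: 4A1B2C3D05: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Jul 24 08:40:00 mx postfix/smtpd[2215]: 4A1B2C3D06: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jul 24 09:30:00 mx postfix/smtpd[2219]: 4A1B2C3D07: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jul 24 10:15:00 mx postfix/smtpd[2230]: 4A1B2C3D08: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jul 24 10:16:00 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Relay access denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix\S*/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): client=\S+\[(?P<ip>[^\]]+)\],.*\bsasl_username=(?P<user>\S+)")

def over_limit(lines, limit=3, window=timedelta(hours=1), year=2012):
    """Return {sasl_username: (peak_count, first_time_over_limit)} for senders
    that exceeded `limit` accepted messages within any sliding `window`."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # rejects, other daemons, unauthenticated mail
        # Classic syslog timestamps carry no year; supply one (assumption).
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append(now)
        while q[0] <= now - window:
            q.popleft()           # drop entries that fell out of the window
        if len(q) > limit:
            peak, first = flagged.get(m["user"], (0, now))
            flagged[m["user"]] = (max(peak, len(q)), first)
    return flagged

if __name__ == "__main__":
    for user, (peak, first) in over_limit(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {peak} msgs within 1h, limit first exceeded at {first}")
```

On the sample, only bob@example.com is reported: four messages inside five seconds, while alice's four messages spread over more than two hours never exceed three in any one hour.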