On Sat, Oct 05, 2013 at 05:55:49PM -0400, Wietse Venema wrote:

> > > Either the use of per "login name" counters
> > > should be restricted to "known" logins,
> >
> > This is for free, there is no such thing as an "unknown login".
>
> Not true when "per login name" counters are updated regardless of
> whether the login exists, for example as part of a defense against
> brute-force account guessing attacks such as described above.
With SASL we don't know what the login name is unless authentication
succeeds. The user name encoding is mechanism specific (with GSSAPI it
is in the ticket!). Does the SASL API expose a user name for failed
logins?

> Did you have more ideas about shared-memory counter in memcache?

I have not given any thought to anything in this space that is not
SASL. My conjecture is that SASL is special.

The basic control for submission clients (be it by client address, or
by successful client login) is to substantially limit the connection
concurrency and rate from any given whitelisted IP or any authorized
account, and then to set a maximum submission message rate per single
connection. After that, promptly close down any access that is abused.

Don't use POP before SMTP; it is way past its prime.

-- 
Viktor.
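An added illustration, not part of the thread, of the per-client limits described above expressed as Postfix anvil(8) settings on the submission service; the numbers are made-up examples. Note that anvil counts by client IP address, so it covers the "by client address" part only; the per-account part is not provided by these parameters.

```conf
# master.cf (constructed example): limits applied to the submission
# service only, so the MX port is unaffected. Each -o line overrides
# the main.cf value for this service; values may not contain spaces.
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  # Concurrency: simultaneous connections allowed from one client address.
  -o smtpd_client_connection_count_limit=10
  # Rate: new connections per anvil_rate_time_unit from one client address.
  -o smtpd_client_connection_rate_limit=30
  # Message rate: MAIL FROM commands per anvil_rate_time_unit from one client.
  -o smtpd_client_message_rate_limit=100
  # Recipient rate: RCPT TO commands per anvil_rate_time_unit from one client.
  -o smtpd_client_recipient_rate_limit=300

# main.cf (constructed example): the time window the rate limits above
# are measured against. Clients matched by
# smtpd_client_event_limit_exceptions (default: $mynetworks) are exempt,
# so keep that list to hosts that really should be unlimited.
anvil_rate_time_unit = 60s
```

When a limit is hit, smtpd logs a warning naming the client and the service, which is the signal to use when deciding which access to shut down.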