I've recently inherited an old Postfix server and I'm having a fair bit of trouble with phishing and compromised user accounts. I'm looking to rebuild the whole system in the near future, but migrating thousands of mailboxes is a task that can't be done overnight.

I've hacked together a couple of scripts that check login IPs and lock user accounts that log in from distant locations (i.e. .th, .ru and .us) within 24 hours. However, I have SMTP sending sessions that last 4 or 5 days after the initial login, so even if the password is changed or locked, I still have to find the IPs and block at the firewall to stop the sending of SPAM and force a reauth.

I'm currently working on getting policyd rate limiting and outbound spam filtering put together, hopefully by the end of the week, but in the meantime I'm hoping there is a way to limit sending auth sessions to a time limit to help stop the bleeding. Maybe this is a saslauthd question, not a Postfix question, but any pointers or links would be welcome.

Thanks,
--
Pete
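
The check described in the post (one account authenticating from distant countries within 24 hours, plus the list of client IPs to review for firewall blocks) can be sketched as follows. This is an added example, not the poster's scripts: the `GEO` table stands in for a real GeoIP lookup, the log lines are constructed in the format Postfix smtpd uses for SASL-authenticated mail, and `year` is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database (documentation ranges, arbitrary countries).
GEO = {ip_network("192.0.2.0/24"): "CA",
       ip_network("198.51.100.0/24"): "TH",
       ip_network("203.0.113.0/24"): "RU"}

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
Mar  3 08:01:12 mx postfix/smtpd[2101]: 4A1B2C: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 09:15:40 mx postfix/smtpd[2188]: 5D3E4F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:02:03 mx postfix/smtpd[2240]: 6F7A8B: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  5 11:30:00 mx postfix/smtpd[3310]: 7C9D0E: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob@example.com
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*postfix/\S*smtpd\[\d+\]: .*"
                  r"client=\S*\[([0-9a-fA-F.:]+)\].*sasl_username=(\S+)")

def country(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")

def parse(log, year=2024):
    """Yield (timestamp, client IP, SASL username) for each authenticated message."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def suspicious(log, window=timedelta(hours=24)):
    """Return {user: sorted IPs} for users seen from 2+ countries inside `window`."""
    logins = defaultdict(list)
    for ts, ip, user in parse(log):
        logins[user].append((ts, ip, country(ip)))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        for i, (t0, ip0, cc0) in enumerate(events):
            hits = {ip for t, ip, cc in events[i + 1:] if t - t0 <= window and cc != cc0}
            if hits:  # both ends of the pair are reported; the admin decides which to block
                flagged.setdefault(user, set()).update(hits | {ip0})
    return {u: sorted(ips) for u, ips in flagged.items()}

if __name__ == "__main__":
    for user, ips in suspicious(SAMPLE_LOG).items():
        print(user, "->", ", ".join(ips))
```

The returned IP list includes the account's usual address as well as the distant one, so it is a review list rather than a ready-made block list.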