* Wietse Venema <wie...@porcupine.org> [2014-05-27T17:48:03]:
> Ricardo Signes:
> > a. one IP, the same username, many different passwords
> > d. one IP, the same username, the same (wrong) password repeatedly
>
> I suppose that one would log a password hash, just to be sure.

Yes, something like a truncated hash of the password salted with something changed frequently and never stored. <hand wave> It only needs to detect close-in-time "same password" with very low false positives.

> It is not practical to implement every SASL protocol in Postfix.
> Also, the more secure SASL protocols don't send a fixed password,
> instead they use challenge-response. In that case there is no way
> to find out whether you are looking at (a.) or (d.).

Indeed. Fortunately (?) for me, I don't need to worry about that at this point.

> Postfix could log the base64 blobs that the client sends.

Yes, I think that, as you suggest, this leads to a scary place.

> The general solution requires support in the authentication back-end,
> be it Dovecot or the SASL library.

I see now that libsasl v2's sasl_server_new takes a string in the form "ipaddr:port" and that postfix's smtpd_sasl_activate seems to pass along the actual remote client IP. (Please tell me if I've grossly misread; I am not familiar with Postfix's source.)

As long as we don't put an SMTP proxy in the way, this suggests to me that I can probably do something *fairly* simple with libsasl to get all the relevant data in one place. I see a horrible, useful hack in my future.

Thanks for your help.

--
rjbs
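An added example of the detection idea discussed in this thread (a truncated keyed hash of the failed password under a frequently rotated, never-stored key, counted per client IP and username to tell pattern (a) from pattern (d)); this is illustrative code, not Postfix, Dovecot or libsasl code, and the class, parameter names and thresholds are my own assumptions. It only applies to mechanisms that deliver a plaintext password (PLAIN/LOGIN); challenge-response mechanisms give nothing to tag, as Wietse notes.

```python
import hmac
import hashlib
import os
from collections import defaultdict, deque


class AuthFailureClassifier:
    """Tags failed-auth attempts with a truncated HMAC of the password under an
    in-memory key and classifies each (client IP, username) pair over a window.
    Hypothetical helper; not part of any mail or SASL software."""

    def __init__(self, window=300.0, rotate_every=3600.0, threshold=5, digest_bytes=4):
        self.window = window            # seconds of history kept per (ip, user)
        self.rotate_every = rotate_every  # seconds before the tagging key is replaced
        self.threshold = threshold      # failures needed before classifying
        self.digest_bytes = digest_bytes  # truncation: enough to spot repeats, not to crack
        self._key = os.urandom(32)      # lives only in memory, never logged or stored
        self._key_born = None           # set on first record(); timestamps are caller-supplied
        self._events = defaultdict(deque)  # (ip, user) -> deque of (timestamp, tag)

    def _rotate_if_due(self, now):
        if self._key_born is None:
            self._key_born = now
        elif now - self._key_born >= self.rotate_every:
            self._key = os.urandom(32)
            self._key_born = now
            self._events.clear()        # tags under the old key are no longer comparable

    def tag(self, password):
        """Short hex tag: equal passwords give equal tags only under the same key."""
        mac = hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()
        return mac[: self.digest_bytes].hex()

    def record(self, ip, user, password, now):
        """Record one failed attempt (caller supplies a monotonic timestamp)."""
        self._rotate_if_due(now)
        q = self._events[(ip, user)]
        q.append((now, self.tag(password)))
        while q and now - q[0][0] > self.window:
            q.popleft()                 # drop attempts outside the window
        return self.classify(ip, user)

    def classify(self, ip, user):
        q = self._events.get((ip, user))
        if not q or len(q) < self.threshold:
            return "below-threshold"
        distinct = len({t for _, t in q})
        if distinct == 1:
            return "same-password-repeated"   # pattern (d): stale/cached credential
        if distinct == len(q):
            return "many-different-passwords"  # pattern (a): guessing
        return "mixed"
```

Constructed timestamps are passed explicitly so the window and key rotation behave deterministically; in a real collector you would feed the time the SASL failure was observed.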