CSS:
> >> If your relay restrictions look like:
> >>
> >> main.cf:
> >> indexed = ${default_database_type}:${config_directory}/
> >> smtpd_relay_restrictions =
> >> check_sasl_access ${indexed}sasl-access,
> >> permit_sasl_authenticated,
> >> permit_mynetworks,
> >> reject_unauth_destination
> >>
> >> (before any user account is compromised), then once an account
> >> is hijacked:
> >>
> >> sasl-access:
> >> lu...@example.com REJECT 5.7.1 Your login is compromised.
> >
> > This is a particularly good solution as it allows the user to continue
> > receiving email so that you can send them them a message explaining
> > exactly what the problem is.
>
> And I assume this can be sql-backed, correct? So it should be easy
> to build a web-based tool for staff to nuke/un-nuke account once the
> issue has been addressed.
Correct. To estimate the SQL query load, there will be one query
per "RCPT TO" command.
Wietse
