On 24.08.2014 at 21:11, Wietse Venema wrote:
> CSS:
>>>> If your relay restrictions look like:
>>>>
>>>> main.cf:
>>>>     indexed = ${default_database_type}:${config_directory}/
>>>>     smtpd_relay_restrictions =
>>>>         check_sasl_access ${indexed}sasl-access,
>>>>         permit_sasl_authenticated,
>>>>         permit_mynetworks,
>>>>         reject_unauth_destination
>>>>
>>>> (before any user account is compromised), then once an account
>>>> is hijacked:
>>>>
>>>> sasl-access:
>>>>     lu...@example.com REJECT 5.7.1 Your login is compromised.
>>>
>>> This is a particularly good solution as it allows the user to continue
>>> receiving email so that you can send them a message explaining
>>> exactly what the problem is.
>>
>> And I assume this can be sql-backed, correct? So it should be easy
>> to build a web-based tool for staff to nuke/un-nuke account once the
>> issue has been addressed.
>
> Correct. To estimate the SQL query load, there will be one query
> per "RCPT TO" command

How does that work with "smtpd_sasl_type = dovecot", because in case of
failed SASL logins you have random crap in the maillog but not the username?

warning: 1-171-63-28.dynamic.hinet.net[1.171.63.28]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: chello062178066223.23.11.tuwien.teleweb.at[62.178.66.223]: SASL CRAM-MD5 authentication failed: PDAyNzA5ODU4MzIwNTE0MTkuMTQwODkwMzMyMEBtYWlsLnRoZWxvdW5nZS5uZXQ+

So if the above feature works, why doesn't Postfix log the username at all?
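
Added example, not part of the original thread: a small parser for the two "authentication failed" lines quoted in the message above. It base64-decodes the trailing text to show what it contains and counts failures per client IP. The function names, the regular expression and the classification labels are assumptions of this example.

```python
import base64
import re
from collections import Counter

# The two log lines quoted in the message above, verbatim.
LOG_LINES = [
    "warning: 1-171-63-28.dynamic.hinet.net[1.171.63.28]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "warning: chello062178066223.23.11.tuwien.teleweb.at[62.178.66.223]: "
    "SASL CRAM-MD5 authentication failed: "
    "PDAyNzA5ODU4MzIwNTE0MTkuMTQwODkwMzMyMEBtYWlsLnRoZWxvdW5nZS5uZXQ+",
]

FAILED_RE = re.compile(
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<blob>[A-Za-z0-9+/]+=*)\s*$"
)

def classify(mech, text):
    """Label the decoded text (labels are this example's own)."""
    if mech == "LOGIN" and text in ("Username:", "Password:"):
        return "LOGIN prompt"
    if mech == "CRAM-MD5" and re.fullmatch(r"<[^<>@\s]+@[^<>@\s]+>", text or ""):
        return "CRAM-MD5 challenge"
    return "unrecognized"

def parse_failed_auth(line):
    """Return a dict for a failed-auth line, or None if the line does not match."""
    m = FAILED_RE.search(line)
    if m is None:
        return None
    try:
        decoded = base64.b64decode(m["blob"], validate=True).decode("utf-8", "replace")
    except ValueError:  # not valid base64: keep the raw text, decode nothing
        decoded = None
    return {"host": m["host"], "ip": m["ip"], "mech": m["mech"],
            "decoded": decoded, "kind": classify(m["mech"], decoded)}

def failures_by_ip(lines):
    """Count failed SASL authentications per client IP address."""
    events = (parse_failed_auth(l) for l in lines)
    return Counter(e["ip"] for e in events if e is not None)

if __name__ == "__main__":
    for line in LOG_LINES:
        print(parse_failed_auth(line))
    print(failures_by_ip(LOG_LINES))
```

Both strings decode to text sent by the server side of the SASL exchange (the LOGIN mechanism's `Password:` prompt and a CRAM-MD5 challenge), not to anything the client supplied.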