This depends on how the accounts are compromised. First off, you should enforce that the MAIL FROM is locked to their account, e.g. they cannot use another MAIL FROM than the one they are authorized to use.
Second, it then depends on how the accounts are compromised. You say "their local desktop using the submission service". Are you sure of that? E.g., does the IP in the logs indicate that? The reason I ask is that it's more common that malicious software steals the credentials and sends them elsewhere. If the accounts are simply "stolen" by malicious software and then used by spammers at other locations in the world, I would suggest using GeoIP restrictions to lock the account to the country/ISP where the user first logged on. If your users/customers are limited to one country (for example, if you only sell services inside a certain country), you can also lock access to the submission server altogether using GeoIP. (Travelling users then need to pre-apply at your customer service desk to enable the account for temporary travel.) However, if the accounts are compromised by the malicious software actually sending email through the local user's computer, then there's not much you can do. You could use something that restricts an account to, say, 25 messages a day, and if that limit is reached, the account is blocked until the user goes to the webmail and, let's say, enters a one-time code sent via SMS to the user's phone. I do not know any "out of the box" software that can do this; I think you have to write your own software that counts outgoing messages per user, a cron script that resets the day counters each 00:00, and if any account reaches 25 messages, it's disabled in the system. And then some web service where the user can reset the block with a one-time code.

-----Original message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Alex
Sent: 6 December 2016 02:52
To: postfix users list <postfix-users@postfix.org>
Subject: Stopping compromised accounts

Hi, I have a postfix-3.0.5 system with a few hundred users. They have access to submission, webmail, and dovecot to send and receive mail.
On occasion, users' local desktops are compromised, and with them their account on this system. This leads to their local desktop using the submission service to send hundreds or thousands of spam emails through this compromised account. They're only stopped after the user receives a ton of bounce messages, or we happen to see it somehow while watching logs. What mechanisms are available to, say, control the number of messages sent per day or otherwise be made aware of a pattern of messages being sent by an account that could be indicative of account compromise? Thanks, Alex
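The per-account daily counter sketched in the reply above, as an added example that is not code from the thread: a decision function for a Postfix policy service (check_policy_service) that counts one message per authenticated login, blocks the account once the limit is exceeded, and also rejects a MAIL FROM the login is not authorized to use. It assumes it is called from smtpd_end_of_data_restrictions so that one request equals one message, a constructed ALLOWED_SENDERS map, and a hypothetical unblock() hook for the one-time-code web service; the socket loop and persistent storage are left out.

```python
import datetime
from collections import defaultdict

DAILY_LIMIT = 25  # the per-day threshold suggested in the reply above
# Constructed mapping of SASL login name -> MAIL FROM addresses it may use.
ALLOWED_SENDERS = {"alex": {"alex@example.com"}}

def parse_policy_request(raw):
    """Parse one Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class SubmissionPolicy:
    """Per-account daily message counter; a block survives the midnight reset."""

    def __init__(self, limit=DAILY_LIMIT, allowed=ALLOWED_SENDERS):
        self.limit, self.allowed = limit, allowed
        self.day, self.counts, self.blocked = None, defaultdict(int), set()

    def _roll_day(self, today):
        # Same effect as the 00:00 cron job in the reply: counters restart, blocks stay.
        if today != self.day:
            self.day, self.counts = today, defaultdict(int)

    def unblock(self, user):
        # Hypothetical hook for the one-time-code web service once the user proves control.
        self.blocked.discard(user)

    def decide(self, raw_request, today=None):
        """Return the policy reply for one end-of-data request (one call per message)."""
        self._roll_day(today or datetime.date.today().isoformat())
        req = parse_policy_request(raw_request)
        user = req.get("sasl_username", "")
        if not user:
            return "action=DUNNO\n\n"  # unauthenticated: leave it to other restrictions
        if req.get("sender", "").lower() not in self.allowed.get(user, set()):
            return "action=REJECT MAIL FROM not permitted for this login\n\n"
        if user in self.blocked:
            return "action=REJECT Sending disabled for this account, contact support\n\n"
        self.counts[user] += 1
        if self.counts[user] > self.limit:
            self.blocked.add(user)  # stays blocked until unblock() clears it
            return "action=REJECT Daily sending limit reached\n\n"
        return "action=DUNNO\n\n"
```

Each reply string is exactly what the policy protocol expects back on the socket: an `action=` line followed by an empty line.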