From: Len Conrad
Date: Sun, 24 Mar 2013 05:01:09 -0500
To: freebsd-questions@freebsd.org
Subject: Re: Client Authentication
Message-Id: <201303241101935.SM01804@W500.Go2France.com>

At 11:22 PM 3/23/2013, you wrote:
>I am not sure this is the best place to ask this, but I didn't see any other maillists that seemed more appropriate.
>
>Basically, my outgoing mail server is being systematically attacked to try passwords looking for one that works.

Brute force attacks are easily blocked with pf's connection rate-limiting.

Because our mail users are not world travellers, we use PF to block sending IPs by country.

Any IP that TCP connects x times in y minutes to your mail server gets blocked for z hours.

Cracked passwords on our mail users seem to be stolen by infections or phished rather than obtained by brute force.

Our sender rate-limiting has three levels.

Our outbound server (postfix + postfwd) has per-sender rate limiting, which has totally stopped the really high volume password cracks.

We have 3 levels of rate limiting.

1. 2000 msgs limit for every sender. We chose 2000 by identifying a handful of legit habitual senders of up to 1500 msgs, who are whitelisted from rate-limiting for the following levels.

2. 700 msgs limit for senders who habitually send up to 500 msgs, who are whitelisted from the following limit.

3. 50 msgs limit for all senders who are not whitelisted above.

Rate limiting causes the msgs to be held, not discarded or rejected, with an alert msg to the mail admin, who then inspects the held msgs for releasing or deleting.

All the cert and PIN stuff appears to be theoretical suggestions not based on experience, since while effective, it would be a practical nightmare of training and maintenance.

Len
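
The pf connection rate-limiting and country blocking described in the message above, written out as a pf.conf fragment. This is an added example, not configuration from the original post; the interface name, ports, table names, file path and the numbers chosen for x, y and z are all assumptions.

```conf
# pf.conf fragment (added example; every name and number here is an assumption)
ext_if     = "em0"            # assumed external interface
mail_ports = "{ 25, 587 }"    # assumed SMTP and submission ports

# Networks of countries where no mail users are located, one CIDR per line.
# The path is a placeholder; the admin maintains the file contents.
table <blocked_countries> persist file "/etc/pf.blocked_countries"

# Filled automatically by the overload clause in the pass rule below.
table <mail_abusers> persist

# Drop blocked sources before the pass rule can create state for them.
block in quick on $ext_if proto tcp from <blocked_countries> to any port $mail_ports
block in quick on $ext_if proto tcp from <mail_abusers> to any port $mail_ports

# x = 20 new TCP connections within y = 5 minutes (300 s) per source address.
# A source that exceeds the rate is added to <mail_abusers>, and
# "flush global" kills every state it already holds, so sessions that
# are still open are cut off as well.
pass in on $ext_if proto tcp from any to ($ext_if) port $mail_ports \
    flags S/SA keep state \
    (max-src-conn-rate 20/300, overload <mail_abusers> flush global)

# pf does not age table entries by itself. The "blocked for z hours" part
# (z = 2 hours = 7200 s here) is enforced from cron, e.g. in /etc/crontab:
#   */10 * * * * root /sbin/pfctl -t mail_abusers -T expire 7200
```

The fragment can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`, and `pfctl -t mail_abusers -T show` lists the addresses currently blocked.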