Client Authentication

[Len Conrad]

At 11:22 PM 3/23/2013, you wrote:
>I am not sure this is the best place to ask this, but I didn't see any other maillists that seemed more appropriate.
>
>Basically, my outgoing mail server is being systematically attacked to try passwords looking for one that works.

brute force attacks are easily blocked with pf's connection rate-limiting.  Because our mail users are not world travellers, we use PF to block sending IPs by country. 


Any IP that TCP connects x times in y minutes to your mail server gets blocked for z hours.

Cracked passwords on our mail users seem to be stolen by infections or phished rather than obtained by brute force.

Our sender rate-limiting has three levels

Our outbound server (postfix + postfwd) has per-sender rate limiting, which has totally stopped the really high volume password cracks.  

We have 3 levels of rate limiting.

1. 2000 msgs limit for every sender.  We chose 2000 by identifying a handful of legit habitual senders of up to 1500 msgs, who are whitelisted from rate-limiting for the following levels.

2. 700 msgs limit for senders who habitually send up to 500 msgs, who are whitelisted from the following limit.

3  50 msgs limit for all senders who are not whitelisted above.

Rate limiting causes the msgs to be held, not discarded or rejected, with an alert msg to the mail admin, who then inspects the held msgs for releasing or deleting.

All the cert and PIN stuff appears to be theoretical suggestions not based on experience, since while effective, it would be a practical nightmare of training and maintenance.

Len