|Main Archive Page > Month Archives > postfix-users archives|
On 27/10/10 02:21, Cassidy Larson wrote:
> This got me wondering if there's any easy way to have anvil report
> stats based on the authenticated SASL username, in addition to the
> remote IP address?
> This would help me prevent/monitor potential addresses that are being
> used by a botnet system to relay mails through my mail server.
I use a utility run from cron to parse the sasl username from the postfix
logs. It keeps track of how many logins and ips in a given timeframe.
It can block abused accounts (either via updating a postfix access
file or via a mysql query if user accounts are kept in mysql) based
on exceeding limit on number of logins or limit on number of
different ips per unique login
I have put it in sourceforge:
While not a real time solution (like a policy daemon or the
introduction of a new parameter in postfix for rate limiting
sasl logins) it can be run frequently from cron making the
window of abuse small.
I wrote it for my own use, it may be of use for others, feedback on
it is welcome.