postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: anvil stats/restictions based on SASL usernam

Re: anvil stats/restictions based on SASL username?

From: John Fawcett <john.ml_at_nospam>
Date: Wed Oct 27 2010 - 05:14:04 GMT
To: postfix-users@postfix.org

On 27/10/10 02:21, Cassidy Larson wrote:
> This got me wondering if there's any easy way to have anvil report
> stats based on the authenticated SASL username, in addition to the
> remote IP address?
>
> This would help me prevent/monitor potential addresses that are being
> used by a botnet system to relay mails through my mail server.
>
>

I use a utility run from cron to parse the sasl username from the postfix
logs. It keeps track of how many logins and ips in a given timeframe.
It can block abused accounts (either via updating a postfix access
file or via a mysql query if user accounts are kept in mysql) based
on exceeding limit on number of logins or limit on number of
different ips per unique login

I have put it in sourceforge:

http://sourceforge.net/projects/checkauthlog/

While not a real time solution (like a policy daemon or the
introduction of a new parameter in postfix for rate limiting
sasl logins) it can be run frequently from cron making the
window of abuse small.

I wrote it for my own use, it may be of use for others, feedback on
it is welcome.

John