Rate limit based on auth user instead of IP address

Post by Jason Alde » Fri, 03 Jul 2009 06:26:07


To help limit the damage when a user succumbs to a phisher and gives
their password, I'd like to customize the RateControl and ConnControl
rulesets to limit based on the name of the authenticated user rather
than the client IP address. (They have started exploiting a
legitimate IP that I can't block or limit.)

I was (naively?) hoping I could substitute {auth_authen} for
{client_addr} and define as Local_check_mail instead of check_relay so
that auth_authen would be available, but this results in all
connections being rejected with the "rate limit exceeded" error. Does
anyone have advice on how to make this work?

SLocal_check_mail
R$* $: <A:$&{auth_authen}> <E:>
R$+ $: $>SearchList <! ClientRate> $| $1 <>
R<?> $@ OK
R<$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
R<0> $@ OK no limit
R<$+> $: <$1> $| $(arith l $@ $1 $@ $&{client_rate} $)
R<$+> $| TRUE $#error $@ 4.3.2 $: 421 Connection rate limit exceeded.

Jason

Post by Carl Bying » Fri, 03 Jul 2009 09:42:40

The standard answer to those sorts of policy based decisions is a
milter. Among other things, <http://www.yqcomputer.com/> can do
what you want.




Post by Jason Alde » Fri, 03 Jul 2009 23:46:17


Having spent some time investigating, I'm still curious to know if
this ruleset could be used in this way. If not, I can use the milter,
though I was hoping to avoid running milters on this server.

Thanks for the tip.

Post by Carl Bying » Sat, 04 Jul 2009 08:58:15

I don't know the answer to your question. But when imposing a rate limit per IP
on client connections, it is reasonable that that limit might be a single
global limit. When imposing rate limits on authenticated users, you
probably want or need different limits for different users, or at least
different classes of users. That is probably more complicated than the
built-in sendmail rate limits can handle.


Post by Sciuru » Sat, 04 Jul 2009 22:01:04

> global limit. When imposing rate limits on authenticated users, you

Some time ago the password for one mail account was stolen in a brute
force attack. The spammer used SMTP AUTH and filled up the Internet with spam
through my mail server. I use the ratecontrol & conncontrol features, but
they cannot help restrict this kind of spammer; the IPs are different.
So I think an authcontrol feature would be very useful even if it has
one value for all authenticated users.

Post by Carl Bying » Sun, 05 Jul 2009 04:10:47

Yes, and such scenarios are exactly why I added rate limits for
authenticated users to my milter.


My point is that yes, you might have one default global value, perhaps
something like 30 messages per hour (depending of course on the
characteristics of your user base), but you might also have one particular
user (e.g. the CEO) that periodically sends an email to 100 employees. That
user may need a different limit than the rest of the users. Yes, setting
up a proper mailing list is the right way to go, but not all sites are
willing to do that.



Post by jmaimo » Wed, 08 Jul 2009 00:45:08


I would make sure to check that auth_authen actually has a value
before proceeding.

R$* $: <A:$&{auth_authen}> <E:>
R<A:><E:> $@ OK

Run it through rule testing mode with debugging turned on. You would
define the auth_authen and client_rate macros yourself in rule testing
mode.

Even were it to work, it may not be what you want. Connection rate per
auth credentials is not tracked by the binary, so you would be
limiting the user based on the overall rate of the client address.

While this would allow you to only implement the limit for
authenticated users from that single address, it wouldn't allow you to
rate limit the authenticated user across multiple addresses.

Post by Jason Alde » Wed, 08 Jul 2009 06:07:20


> > R$+ $: $>SearchList <! ClientRate> $| $1 <>
> > R<?> $@ OK
> > R<$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
> > R<0> $@ OK no limit
> > R<$+> $: <$1> $| $(arith l $@ $1 $@ $&{client_rate} $)
> > R<$+> $| TRUE $#error $@ 4.3.2 $: 421 Connection rate limit exceeded.
>
> > Jason
>
> I would make sure to check that auth_authen actually has a value
> before proceeding.
>
> R$* $: <A:$&{auth_authen}> <E:>
> R<A:><E:> $@ OK

It works as

R$* $: <E:$&{auth_authen}> <E:>
R<E:><E:> $@ OK

The solution was to change A: to E:, found in the comments for
SearchList in cf/m4/proto.m4.

> While this would allow you to only implement the limit for
> authenticated users from that single address, it wouldn't allow you to
> rate limit the authenticated user across multiple addresses.

Right. The bigger problem is that it's practically useless for
limiting specific users when they all come from the same IP, as is my
case.

So I will install the milter...

Thanks for the advice.
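As an added illustration (not sendmail code, and not Carl's milter), here is the per-authenticated-user limiter that the thread concludes sendmail's built-in ratecontrol cannot provide: it keys on the SMTP AUTH name rather than the client address, so a phished account and a normal user behind the same IP are counted separately, and it carries a default limit with per-user overrides as Carl describes. User names, limits and timestamps are constructed.

```python
from collections import defaultdict, deque

# Added example: a per-AUTH-user message rate limiter of the kind a milter
# would keep (sendmail's ratecontrol/conncontrol only count per client IP).
# Not sendmail code and not Carl's milter; names and limits are constructed.
# A limit of 0 means "no limit", mirroring the thread's "OK no limit" rule.

class AuthUserRateLimiter:
    def __init__(self, default_limit, window_seconds=3600, per_user=None):
        self.default_limit = default_limit      # e.g. 30 messages per hour
        self.window = window_seconds
        self.per_user = dict(per_user or {})    # overrides, e.g. {"ceo": 200}
        self._sent = defaultdict(deque)         # auth user -> accepted send times

    def limit_for(self, user):
        return self.per_user.get(user, self.default_limit)

    def check(self, user, now):
        """Decide one message from `user` at time `now` (seconds).
        Returns 'accept' or 'tempfail'; the client IP is never consulted."""
        if not user:                 # unauthenticated: leave to ratecontrol
            return "accept"
        limit = self.limit_for(user)
        if limit == 0:
            return "accept"
        q = self._sent[user]
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop sends that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return "tempfail"        # a milter would answer 4xx, e.g. 421 rate limit exceeded
        q.append(now)
        return "accept"

def tally(limiter, messages):
    """messages: (time, client_ip, auth_user) tuples; returns per-user verdict counts."""
    counts = defaultdict(lambda: {"accept": 0, "tempfail": 0})
    for t, _ip, user in messages:
        counts[user][limiter.check(user, t)] += 1
    return dict(counts)

if __name__ == "__main__":
    # Constructed traffic: a phished account and a normal user share one IP.
    lim = AuthUserRateLimiter(default_limit=30, per_user={"ceo": 200})
    traffic = [(i * 10, "192.0.2.10", "phished") for i in range(35)]
    traffic += [(i * 60, "192.0.2.10", "alice") for i in range(5)]
    print(tally(lim, traffic))   # alice untouched, phished cut off after 30
```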