Mailing List Archive

catching brute force smtp auth - what condition?
Hello.

How to catch brute force smtp auth attempts only? (== bad login or
password provided)

Condition like:

${if eq{$authentication_failed}{1}}

doesn't work because it also catches cases where client cancelled smtp
auth attempt (rfc2554 and "*").


Exim internally sees difference:

535 Incorrect authentication data
501 Authentication cancelled

Ideas?

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
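
The question above turns on the difference between the two responses, 535 and 501. The following is an added example, not part of any poster's message and not Exim's own code: it counts only 535 responses per client address in a mail log, as a log-side alternative to an Exim condition. The "authenticator failed" line layout, the threshold and the window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation addresses). The line layout is an
# assumption about the log format, not output captured from a real server.
SAMPLE_LOG = """\
2022-04-12 08:00:03 plain authenticator failed for (mx) [203.0.113.9]: 535 Incorrect authentication data (set_id=carol)
2022-04-12 08:10:04 plain authenticator failed for (mx) [203.0.113.9]: 535 Incorrect authentication data (set_id=carol)
2022-04-12 08:20:05 plain authenticator failed for (mx) [203.0.113.9]: 535 Incorrect authentication data (set_id=carol)
2022-04-12 08:24:01 login authenticator failed for (pc) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice)
2022-04-12 08:24:20 login authenticator failed for (pc) [192.0.2.10]: 535 Incorrect authentication data (set_id=alice)
2022-04-12 08:24:30 login authenticator failed for (app) [198.51.100.7]: 501 Authentication cancelled
2022-04-12 08:24:40 login authenticator failed for (app) [198.51.100.7]: 501 Authentication cancelled
2022-04-12 08:24:50 login authenticator failed for (app) [198.51.100.7]: 501 Authentication cancelled
2022-04-12 08:25:02 login authenticator failed for (pc) [192.0.2.10]: 535 Incorrect authentication data (set_id=bob)
2022-04-12 08:26:00 plain authenticator failed for (gw) [203.0.113.5]: 535 Incorrect authentication data (set_id=dave)
2022-04-12 08:26:10 plain authenticator failed for (gw) [203.0.113.5]: 501 Authentication cancelled
2022-04-12 08:26:30 plain authenticator failed for (gw) [203.0.113.5]: 535 Incorrect authentication data (set_id=dave)
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: (?P<code>\d{3}) "
)

def bad_credential_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak count} for hosts with >= threshold 535 replies in window."""
    recent = defaultdict(list)   # ip -> timestamps of 535 replies still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        # 501 means the client cancelled the exchange; only 535 is a bad
        # login or password, so nothing else is counted.
        if not m or m["code"] != "535":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:      # slide the window forward
            hits.pop(0)
        if len(hits) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(hits))
    return flagged

if __name__ == "__main__":
    print(bad_credential_bursts(SAMPLE_LOG))
```
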
Re: catching brute force smtp auth - what condition?
On 12/04/2022 08:24, Arkadiusz Miśkiewicz via Exim-users wrote:
> How to catch brute force smtp auth attempts only? (== bad login or
> password provided)

> Ideas?

server_condition = ${acl {auth_check} {$auth2}{$auth3}}

--
Cheers,
Jeremy

Re: catching brute force smtp auth - what condition?
> How to catch brute force smtp auth attempts only? (== bad login or
> password provided)

https://github.com/Exim/exim/wiki/BlockCracking

> Condition like:
>
> ${if eq{$authentication_failed}{1}}
>
> doesn't work because it also catches cases where client cancelled smtp
> auth attempt (rfc2554 and "*").

Doesn't happen in real life.
