OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Re[2]: per-ip ADDRESS session limit
From: Ronald F. Guilmette (rfgmonkeys.com)
Date: Wed Aug 09 2000 - 12:34:11 CDT

In message <20000809170130.857E445639spike.porcupine.org>,
Wietse wrote:

>Martin McFlySr:
>> no, i'm talk about per-ipaddress-limit for incoming smtp sessions.
>
>That is presently not implemented.
>
>> Postfix run as standalone (master), and no otherside tools can't limit
>> number of SMTP session per ip address.
>
>Of course they can.
>
>You can have a program that watches the maillog file (*), looking
>for the connect/disconnect logfile entries, and adding a REJECT
>rule to the SMTPD access table when a client misbehaves, like making
>connections too rapidly one after the other, or making too many
>connections at the same time.

While I'm quite sure that a lot of different types of ``access control''
problems (for lack of a better catch-all term)... including the access
control feature that _i'm_ working on (outflow rate limiting)... could
be solved with external hacks that watch the log files, I really think
that log file watchers are a clearly sub-optimal approach for implementing
limitations that could be, and probably should be, implemented more simply,
more cleanly, and more efficiently directly within smtpd.

I understand that smtpd is security sensitive, and thus it shouldn't be
bloated by too much unnecessary fluff, but access control, to my way of
thinking, is not ``fluff'' in any sense. It's important stuff. Controlling
how, when, and by whom the server can be used is clearly central to the
server's functionality and its security, especially in our modern age
(of spam).