OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Bennett Todd (betrahul.net)
Date: Sat Jan 06 2001 - 17:47:59 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    2001-01-04-10:29:23 Wietse Venema:
    > gianpaolo racca:
    > > I tried pop-before-smtp and it works. *but* what if an address get validated
    > > and added to the database, and after another dial-up user (that I don't know)
    > > connect whith the same ip? (it's a remote possibility, but I'm curious).
    > > Maybe every trusted address has an (how long is?) expire time?
    >
    > Every address expires after some time. That is, some process has
    > to run over the Postfix SMTPD access table and remove expired
    > entries. I thought that is all part of pop-before-smtp.

    There are different implementations of pop-before-smtp, but there
    seems to be some agreement that 1/2 hour --- 30 minutes --- amounts
    to a satisfactory grace period after a successful pop login, on the
    grounds that most users configure their mail client programs to poll
    oftener than that, and yet 1/2 hour is a small enough window to
    minimize the danger of someone else getting the addr and spamming
    from it.

    If someone successfully logs in via pop or imap, then immediately
    logs out, and then someone else immediately dials in and gets the
    same IP addr --- the worst case --- they have 1/2 hour to discover
    that your server will let them relay, before it won't again. This
    seems to be an acceptable risk in practice.

    Actually, my pop-before-smtp daemon doesn't have an event scheduler,
    and doesn't use alarms or anything, and tries to minimize the
    frequency with which it must update the db file; so it doesn't even
    check for entries to expire until it must write to the db file to
    add an entry, for a newly-authenticated user. If your server isn't
    getting new auths often enough for you to be comfortable with this
    timing, it's easy to set up a helper daemon using a simple shell
    script that invokes logger to periodically ensure that the daemon
    wakes up and makes a new entry.

    -Bennett

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE6V66uHZWg9mCTffwRAgt5AJ9jpUP0sAcm82/OtS1S+UhfGdVJsgCcDtNV
    viA0TfMBsH4prvSDA8pP9oQ=
    =G5uZ
    -----END PGP SIGNATURE-----