On 2012-01-11 2:05 PM, huret deffgok wrote:
On Wed, Jan 11, 2012 at 7:04 PM, Charles Marcus wrote:
On 2012-01-11 1:00 PM, huret deffgok wrote:
This post is slightly OT, I hope no one will take offense. I was following the wiki on using dovecot LDA with postfix and implemented, for our future mail server, the address extensions mechanism: an email sent to "validUser+foldername@mydomain.com" will have dovecot-lda automagically create and subscribe the "foldername" folder. With some basic scripting I was able to create hundreds of folders in a few seconds. So my question is how do you implement this great feature in a secure way so that funny random people out there can't flood your mailbox with gigatons of folders?
Don't have it autocreate the folder...
Seriously, there is no way to provide that functionality and have the system determine when it is *you* doing it or someone else...
But I think it is a non problem... how often do you receive plus-addressed spam??
None from now. But I was thinking about something like malice rather than spamming. For me it's an open door to DoS the service. What about a functionality that would throttle the rate of creation of folders from one IP address, with a ban in case of abuse? Or maybe should I look at the file system level.
Again - and no offense - but I think you are tilting at windmills...
If you get hit by this, you will not only have thousands or millions of folders, you'll have one email for each folder. So, the question is, how do you prevent being flooded with spam... and the answer is, decent anti-spam measures.
I prefer ASSP, but I just wish you could use it as an after queue content filter (for its most excellent content filtering and more importantly quarantine management/block reporting features/functionality). That said, postfix, with sane anti-spam measures, along with the most excellent new postscreen (available in 2.8+ I believe) is good enough to stop most anything like this that you may be worried about.
Like I said, set up postfix (or your smtp server) right, and this is a non-issue.
--
Best regards,
Charles
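
Added example, not part of the original thread: a log check for the pattern discussed above, where one SMTP client delivers to many distinct +extensions of the same mailbox. The log lines are constructed and trimmed to the Postfix fields used here; the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog style (not real traffic).
SAMPLE_LOG = """\
Jan 11 19:00:01 mx postfix/smtpd[2101]: 3F1A0C2B01: client=unknown[203.0.113.7]
Jan 11 19:00:01 mx postfix/local[2105]: 3F1A0C2B01: to=<validUser+f001@mydomain.com>, relay=local, status=sent
Jan 11 19:00:02 mx postfix/smtpd[2101]: 3F1A0C2B02: client=unknown[203.0.113.7]
Jan 11 19:00:02 mx postfix/local[2105]: 3F1A0C2B02: to=<validUser+f002@mydomain.com>, relay=local, status=sent
Jan 11 19:00:03 mx postfix/smtpd[2101]: 3F1A0C2B03: client=unknown[203.0.113.7]
Jan 11 19:00:03 mx postfix/local[2105]: 3F1A0C2B03: to=<validUser+f003@mydomain.com>, relay=local, status=sent
Jan 11 19:05:10 mx postfix/smtpd[2130]: 3F1A0C2B04: client=mail.example.org[198.51.100.20]
Jan 11 19:05:10 mx postfix/local[2131]: 3F1A0C2B04: to=<validUser+invoices@mydomain.com>, relay=local, status=sent
"""

# smtpd logs "<queue-id>: client=<host>[<ip>]" when it accepts a connection.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=[^\[]*\[([^\]]+)\]")
# Delivery lines carry "<queue-id>: to=<user+extension@domain>".
RCPT_RE = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<([^+@>]+)\+([^@>]+)@([^>]+)>")


def find_extension_floods(log_text, threshold=3):
    """Return {(client_ip, mailbox): sorted extensions} for every client that
    used at least `threshold` distinct +extensions on one mailbox."""
    client_of = {}           # queue id -> client IP
    seen = defaultdict(set)  # (client IP, mailbox) -> distinct extensions
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = RCPT_RE.search(line)
        if m:
            qid, user, ext, domain = m.groups()
            ip = client_of.get(qid, "unknown")
            # Addresses are lower-cased so case variants count as one mailbox.
            seen[(ip, f"{user}@{domain}".lower())].add(ext.lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (ip, mailbox), exts in find_extension_floods(SAMPLE_LOG).items():
        print(f"{ip} -> {mailbox}: {len(exts)} distinct extensions {exts}")
```
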