Quoting Benny Pedersen me@junc.eu:
> On 2021-07-15 16:49, Alex wrote:
>> What about something like what we used to do with pop-b4-smtp to at least restrict by IP address?
> no, POP was not handling millions of users sharing one single NAT IP;
> weakforce can't handle that either, so allow_net can't do any better
> there
Well no, but I thought the problem to be solved was 'prevent
compromised credentials from abusing SMTP'. Certs do that, but with
high overhead.
OTOH, going off Alex's suggestion, you could tie the IMAP or POP Auth
into an iptables rule that allows that IP to use SMTP for x minutes.
Basically, the opposite of fail2ban - 'auth2allow' :)
You could probably use fail2ban, just adjust the log regexes and the
action applied.
The odds of an abuser coming from the same IP are pretty slim, and if
the system itself is compromised, they're going to have the cert
anyways.
In my experience, most clients do SMTP after the POP or IMAP check.
I'd expect issues to be minimal.
Rick
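The "auth2allow" idea above, as an added example that is not part of the thread: a fail2ban filter, action and jail that treat a successful Dovecot IMAP/POP3 login as the trigger and whose "ban" action inserts an ACCEPT in front of a default REJECT on the submission port. The file paths, the Dovecot log location and port 587 are assumptions.

```ini
# /etc/fail2ban/filter.d/auth2allow.conf
# Match *successful* IMAP/POP3 logins in the Dovecot log instead of failures.
# Constructed sample line this matches:
#   Jul 15 16:49:01 mail dovecot: imap-login: Login: user=<alice>, \
#     method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
[Definition]
failregex = (?:imap|pop3)-login: Login: user=<[^>]+>, method=\S+, rip=<HOST>,
ignoreregex =

# /etc/fail2ban/action.d/auth2allow.conf
# "Ban" = ACCEPT the client IP ahead of a REJECT that otherwise closes the
# submission port, so a fail2ban ban is really an allow (IPv4 only; an
# ip6tables variant is needed for IPv6 clients).
[Definition]
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j REJECT --reject-with tcp-reset
              iptables -I f2b-<name> 1 -s 127.0.0.0/8 -j ACCEPT
              iptables -I INPUT -p tcp --dport <port> -j f2b-<name>
actionstop  = iptables -D INPUT -p tcp --dport <port> -j f2b-<name>
              iptables -F f2b-<name>
              iptables -X f2b-<name>
actioncheck = iptables -n -L INPUT | grep -q 'f2b-<name>[ \t]'
actionban   = iptables -I f2b-<name> 1 -s <ip> -j ACCEPT
actionunban = iptables -D f2b-<name> -s <ip> -j ACCEPT

[Init]
port = 587

# /etc/fail2ban/jail.d/auth2allow.conf
# One successful login (maxretry = 1) opens SMTP for bantime; the unban
# closes it again, which is the "x minutes" window from the thread.
[auth2allow]
enabled  = true
filter   = auth2allow
logpath  = /var/log/dovecot.log
maxretry = 1
findtime = 1m
bantime  = 10m
action   = auth2allow[port=587]
```

Check how your fail2ban version treats repeat matches for an IP that is already "banned": if the ticket is not extended, a client is re-allowed only by its next IMAP/POP login after the unban, so bantime must cover the polling interval your clients use.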