Quoting Benny Pedersen <me@junc.eu>:

On 2021-07-15 16:49, Alex wrote:

What about something like what we used to do with pop-b4-smtp to at
least restrict by IP address?

no, POP did not handle millions of users sharing one single NAT IP; weakforce can't handle that either, so allow_net can't do any better there

Well no, but I thought the problem to be solved was 'prevent compromised credentials from abusing SMTP'. Certs do that, but with high overhead.

OTOH, going off Alex's suggestion, you could tie the IMAP or POP Auth into an iptables rule that allows that IP to use SMTP for x minutes.
Basically, the opposite of fail2ban - 'auth2allow'  :)
You could probably use fail2ban, just adjust the log regexes and the action applied.

The odds of an abuser coming from the same IP are pretty slim, and if the system itself is compromised, they're going to have the cert anyways.

In my experience, most clients do SMTP after the POP or IMAP check. I'd expect issues to be minimal.

Rick
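The 'auth2allow' idea sketched above, written out as fail2ban configuration. This is an added example, not something posted in the thread: the file names, the chain name f2b-auth2allow, the 30-minute window and the sample Dovecot login line are assumptions (Dovecot's default "imap-login: Login: user=<...>, rip=..." format is assumed for the regex). As Benny's NAT remark implies, every client behind an allowed address gets the same window, so this limits exposure rather than removing it.

```ini
# /etc/fail2ban/filter.d/auth2allow.conf  (assumed path)
# Matches a *successful* IMAP or POP3 login and captures the client IP.
# Sample (constructed) log line this regex is written against:
#   Jul 15 16:49:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=4242, TLS
[INCLUDES]
before = common.conf

[Definition]
_daemon = dovecot
failregex = ^%(__prefix_line)s(?:imap|pop3)-login: Login: user=<[^>]+>, method=\S+, rip=<HOST>,
ignoreregex =

# /etc/fail2ban/action.d/auth2allow.conf  (assumed path)
# Submission ports are dropped by default; a "ban" inserts an ACCEPT for the
# authenticated client's IP, and the "unban" removes it when the window ends.
[Definition]
actionstart = iptables -N f2b-auth2allow
              iptables -A f2b-auth2allow -j DROP
              iptables -I INPUT -p tcp -m multiport --dports 465,587 -j f2b-auth2allow
actionstop  = iptables -D INPUT -p tcp -m multiport --dports 465,587 -j f2b-auth2allow
              iptables -F f2b-auth2allow
              iptables -X f2b-auth2allow
actioncheck = iptables -n -L INPUT | grep -q 'f2b-auth2allow[ \t]'
actionban   = iptables -I f2b-auth2allow 1 -s <ip> -j ACCEPT
actionunban = iptables -D f2b-auth2allow -s <ip> -j ACCEPT

# /etc/fail2ban/jail.d/auth2allow.conf  (assumed path)
# maxretry = 1: a single successful login is enough to open the window.
# bantime is the allow duration (30 minutes assumed), not a penalty.
[auth2allow]
enabled  = true
filter   = auth2allow
action   = auth2allow
logpath  = /var/log/dovecot.log
backend  = auto
maxretry = 1
findtime = 60
bantime  = 1800
```

Verify the regex before enabling the jail with `fail2ban-regex /var/log/dovecot.log /etc/fail2ban/filter.d/auth2allow.conf`; it should report one match per successful login and none for failed ones.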