
I have bad actors attempting to figure out valid user names on my exim4 server. Many times a day, I'll get a connection that tries 100 RCPT commands with random-ish account names. They have the correct domain, and plausible user names, but so far, they haven't hit on a valid user name. This all happens in less than one second. It seems to be exactly 100 attempts every time. How can I limit how many bad RCPT commands can be issued per session? These attempts originate at different IP addresses every time and happen so fast that fail2ban can't help.

Thanks

Shay Walters

1 Answer


Check the exim4 access control list configuration.

You need to set the ACL to the maximum number of RCPTs you are willing to accept. This is an example from the documentation.

# Goes in the ACL that the main option acl_smtp_rcpt points at.
# $rcpt_count includes the current RCPT command, so the 21st RCPT of a
# message trips the condition; "drop" closes the connection.
acl_smtp_rcpt:
   drop   condition = ${if > {$rcpt_count}{20}}
          message   = I don't take more than 20 RCPTs
  • The "max_rcpt" setting appears to limit the number of RCPT commands on an outgoing connection. I am having this problem on incoming connections, i.e. the remote system is the one issuing the 100 RCPT commands to my server, not the other way around. Maybe I'm misunderstanding this. – Shay Walters Jun 05 '23 at 23:29
  • This looks like it's almost there, but how can I ensure it doesn't apply (a) to authenticated connections (i.e. my local users) or (b) to my defined set of local hosts? – Chris Davies Aug 03 '23 at 15:09
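As an added example, not the answer's own configuration, the following RCPT ACL counts rejected recipients ($rcpt_fail_count) rather than all recipients, and exempts authenticated clients and listed hosts as the two comments above ask. It assumes the default configuration's hostlist relay_from_hosts and domainlist local_domains, and a main-section line acl_smtp_rcpt = acl_check_rcpt; the thresholds 10 and 3 and the 2s delay are illustrative values.

```exim
# Added example: RCPT ACL that stops recipient probing per session.
# Assumes: hostlist relay_from_hosts and domainlist local_domains exist,
# and the main section contains  acl_smtp_rcpt = acl_check_rcpt
begin acl

acl_check_rcpt:
  # (a) authenticated clients and (b) trusted hosts are never subject to
  # the bad-recipient limit below.
  accept  authenticated = *
  accept  hosts         = +relay_from_hosts

  # Close the connection once this message has already collected 10 RCPTs
  # rejected with a permanent 5xx. "drop" ends the TCP session, so the
  # rest of a 100-probe burst never reaches the server.
  drop    message     = Too many invalid recipients; closing connection
          log_message = dropped after $rcpt_fail_count bad RCPTs from $sender_host_address
          condition   = ${if >{$rcpt_fail_count}{10}}

  # Before the limit is reached, slow the client down: after the 3rd bad
  # RCPT every further RCPT waits 2 seconds, so a burst can no longer
  # finish in under a second.
  warn    condition = ${if >{$rcpt_fail_count}{3}}
          delay     = 2s

  # Only accept recipients that exist in a local domain. An unknown user
  # gets a 5xx here, which increments $rcpt_fail_count for the next RCPT.
  accept  domains = +local_domains
          endpass
          verify  = recipient

  deny    message = relay not permitted
```

Both $rcpt_count and $rcpt_fail_count are per message, not per connection, so a client that starts a new MAIL FROM begins again from zero; the log_message line makes those cases visible in the main log.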