Rate limits on mynetworks Hosts


Rate limits on mynetworks Hosts

craigmyster
I have some hosts in mynetworks.  They cannot handle authentication but I
want to apply the rate limits to them too.  Is there any way I can allow them
to relay but apply the rate limits to them?  Below is my current config.

#150 Recipients/Mail message
smtpd_recipient_limit = 150
#Exclude these dudes.
smtpd_client_event_limit_exceptions=111.111.111.111/32, 111.111.111.112/32
#Limit to 2 Connections Per Client
smtpd_client_connection_count_limit=2
#Limit to 10 Connection attempts/Client/anvil_rate_time_unit
smtpd_client_connection_rate_limit=10
#Limit to 15 messages every anvil_rate_time_unit
smtpd_client_message_rate_limit=15
#Unit Time is 240 Seconds
anvil_rate_time_unit=240


Re: Rate limits on mynetworks Hosts

Barney Desmond
2009/10/19 Craig Watson <[hidden email]>:
> I have some hosts in mynetworks.  They cannot handle authentication but I
> want to apply the rate limits to them too.  Is there any way I can allow them
> to relay but apply the rate limits to them?  Below is my current config.

I believe the correct way is to use a policy service:
http://www.postfix.org/SMTPD_POLICY_README.html

> #150 Recipients/Mail message
> smtpd_recipient_limit = 150

I'm not sure if this low limit breaks any RFCs, but in any case a
client can get around this by making another connection. You're
attempting to then rate-limit the connections below, but it's not
really a "good" way of doing it.

> #Exclude these dudes.
> smtpd_client_event_limit_exceptions=111.111.111.111/32, 111.111.111.112/32
> #Limit to 2 Connections Per Client
> smtpd_client_connection_count_limit=2
> #Limit to 10 Connection attempts/Client/anvil_rate_time_unit
> smtpd_client_connection_rate_limit=10
> #Limit to 15 messages every anvil_rate_time_unit
> smtpd_client_message_rate_limit=15
> #Unit Time is 240 Seconds
> anvil_rate_time_unit=240

It doesn't seem to be in the official anvil docs
(http://www.postfix.org/anvil.8.html), but I'm sure Wietse and others
will be happy to jump in and point out that anvil is NOT for
policy-based rate-limiting (so such usage probably won't be supported)
- it's an anti-DoS measure against malicious or runaway clients. It's
also a very crude tool for the job - I can't tell you off the top of
my head just what the limit is you're attempting to enforce there,
maybe it's 2250 per 4min, maybe it's 1500, maybe it's something else.

RE: Rate limits on mynetworks Hosts

craigmyster
The smtpd_recipient_limit was just an example parameter.  In the following documentation http://www.postfix.org/postconf.5.html it says that all of these connection_rate settings unit time intervals are based on what anvil_rate_time_unit is set to.   So I set the time accordingly to test.  I wanted 15 messages/client every 4 minutes and a maximum of 2 concurrent connections with up to 10 connections every 4 minutes. Just to stop some runaway clients that get taken over by spammers and torture my senderbase scores.

Is there any policy server that does connection rate tracking?   I do not want to use this crude way of doing it, as I am trying to test now, and I wondered whether someone had already invented that wheel so I can re-target using the policy-based method. I already use the policy server for greylisting and SPF checking.


Thanks for the advice in advance.
-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Barney Desmond
Sent: Monday, October 19, 2009 10:07 PM
To: [hidden email]
Subject: Re: Rate limits on mynetworks Hosts

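A minimal policy service of the kind Barney points to, written here as an added example (not code from the thread, from the Postfix project, or from any existing policy daemon) and aimed at Craig's question about a policy server that tracks per-client rates. It assumes main.cf calls it with `smtpd_data_restrictions = check_policy_service inet:127.0.0.1:10040`; the 15 messages per 240 seconds are the figures from the thread, the port is a constructed choice, and the attribute names (`protocol_state`, `client_address`) and replies (`DUNNO`, `DEFER_IF_PERMIT`) are those of the policy protocol in SMTPD_POLICY_README.

```python
import socketserver
import threading
import time
from collections import defaultdict, deque

MESSAGE_LIMIT = 15  # messages per client per window, the figure from the thread
TIME_UNIT = 240     # window in seconds, playing the role of anvil_rate_time_unit

class RateTracker:
    # Sliding-window message counter keyed by client IP; safe across handler threads.
    def __init__(self, limit=MESSAGE_LIMIT, window=TIME_UNIT):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)
        self.lock = threading.Lock()

    def allow(self, client, now=None):
        # Charge one message to client; False once the window already holds limit.
        now = time.monotonic() if now is None else now
        with self.lock:
            q = self.events[client]
            while q and now - q[0] >= self.window:
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True

def parse_request(lines):
    # One policy request is a run of name=value lines ended by an empty line.
    return dict(line.partition("=")[::2] for line in lines if line)

def decide(attrs, tracker, now=None):
    # Charge at DATA only, so a message counts once rather than once per RCPT TO.
    client = attrs.get("client_address", "unknown")
    if attrs.get("protocol_state") == "DATA" and not tracker.allow(client, now):
        return "DEFER_IF_PERMIT Message rate limit exceeded, try again later"
    return "DUNNO"

class PolicyHandler(socketserver.StreamRequestHandler):
    tracker = RateTracker()  # shared by every connection in this process
    def handle(self):
        pending = []  # Postfix reuses one connection for many requests
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            pending.append(line)
            if not line:  # terminator seen: answer this request and reset
                action = decide(parse_request(pending), self.tracker)
                self.wfile.write(f"action={action}\n\n".encode())
                pending = []

if __name__ == "__main__":  # main.cf: smtpd_data_restrictions = check_policy_service inet:127.0.0.1:10040
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Because the check runs from smtpd_data_restrictions rather than after permit_mynetworks in smtpd_recipient_restrictions, mynetworks clients are still allowed to relay but are counted and deferred like everyone else; the counters live in memory, so restarting the daemon resets them.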