Connection rate limiting is ignoring check_recipient_access?

  • Geoff
    Message 1 of 6 , Jul 2, 2006
      Sorry if this has been covered before - I couldn't find anything similar in the archives.

      I'm running 2.2.10 and have my rate limiting params as shown below (from postconf -n).

      The intention is to limit connections from spammers to not more than 1 per 5 minutes. Rate limiting works just fine with the exception of when the first connections are REJECTed by check_recipient_access. If you look at the extract from the maillog shown below you can see that the first 6 connections from this spammer were rejected by check_recipient_access but were ignored for connection rate counting purposes - it was only when one got as far as reject_unverified_sender that it registered as a 'hit' on the connection count. All further connections within the 5 minute period were then rejected as expected.

      Is this correct behaviour? This has effectively allowed this spammer 7 connections in 15s and effectively bypassed the rate limit. I thought one of the tenets of the rate limiting approach was to slow spammers down to a crawl so they get bored and go somewhere else! By ignoring the initial connections Postfix is still allowing the spammer access for "address-validation" purposes.

      Your thoughts please? Thanks.
      Geoff.

      --
      anvil_rate_time_unit = 300s
      smtpd_client_connection_count_limit = 5
      smtpd_client_connection_rate_limit = 1
      smtpd_client_event_limit_exceptions = $mynetworks .[a trusted domain].co.uk

      smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/reject_clients
      smtpd_data_restrictions = reject_unauth_pipelining
      smtpd_end_of_data_restrictions =
      smtpd_etrn_restrictions = reject
      smtpd_helo_restrictions =
      smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/reject_recipients, check_sender_access hash:/etc/postfix/allow_senders, reject_unverified_sender
      smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/reject_senders,
      body_checks = regexp:/etc/postfix/reject_bodies
      header_checks = regexp:/etc/postfix/reject_headers


      Jun 28 22:03:23 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
      Jun 28 22:03:24 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <webmaster@...>: Recipient address rejected: Domain not known; from=<Mallory.Nelson@...> to=<webmaster@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
      Jun 28 22:03:28 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <uucp@...>: Recipient address rejected: Domain not known; from=<Tessa.Gamble@...> to=<uucp@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
      Jun 28 22:03:28 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <test@...>: Recipient address rejected: Domain not known; from=<Tessa.Gamble@...> to=<test@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
      Jun 28 22:03:29 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <support@...>: Recipient address rejected: Domain not known; from=<Tracey.Blount@...> to=<support@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
      Jun 28 22:03:30 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <service@...>: Recipient address rejected: Domain not known; from=<Daphne.Starks@...> to=<service@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
      Jun 28 22:03:31 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <sales@...>: Recipient address rejected: Domain not known; from=<Gordon.Joyce@...> to=<sales@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
      Jun 28 22:03:36 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 554 <Gordon.Joyce@...>: Sender address rejected: undeliverable address: host mx4.earthlink.net[209.86.93.229] said: 550 Gordon.Joyce@......User unknown (in reply to RCPT TO command); from=<Gordon.Joyce@...> to=<root@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
      Jun 28 22:03:38 shoebox postfix/smtpd[18206]: lost connection after DATA from unknown[202.101.73.90]
      Jun 28 22:03:38 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
      Jun 28 22:03:41 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
      Jun 28 22:03:41 shoebox postfix/smtpd[18206]: warning: Connection rate limit exceeded: 2 from unknown[202.101.73.90] for service smtp
      Jun 28 22:03:41 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
      Jun 28 22:03:42 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
      Jun 28 22:03:42 shoebox postfix/smtpd[18206]: warning: Connection rate limit exceeded: 3 from unknown[202.101.73.90] for service smtp
      Jun 28 22:03:42 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
      etc.
    • Ralf Hildebrandt
      Message 2 of 6 , Jul 2, 2006
        * Geoff <postfix@...>:

        > The intention is to limit connections from spammers to not more than 1
        > per 5 minutes. Rate limiting works just fine with the exception of
        > when the first connections are REJECTed by check_recipient_access. If
        > you look at the extract from the maillog shown below you can see that
        > the first 6 connections from this spammer were rejected by
        > check_recipient_access but were ignored for connection rate counting
        > purposes

        They occurred in the same connection. Note that all entries have the
        smtpd PID of 18206:

        > Jun 28 22:03:23 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
        One connection
        > Jun 28 22:03:24 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <webmaster@...>: Recipient address rejected: Domain not known; from=<Mallory.Nelson@...> to=<webmaster@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
        > Jun 28 22:03:28 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <uucp@...>: Recipient address rejected: Domain not known; from=<Tessa.Gamble@...> to=<uucp@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
        > Jun 28 22:03:28 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <test@...>: Recipient address rejected: Domain not known; from=<Tessa.Gamble@...> to=<test@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
        > Jun 28 22:03:29 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <support@...>: Recipient address rejected: Domain not known; from=<Tracey.Blount@...> to=<support@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
        > Jun 28 22:03:30 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <service@...>: Recipient address rejected: Domain not known; from=<Daphne.Starks@...> to=<service@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
        > Jun 28 22:03:31 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <sales@...>: Recipient address rejected: Domain not known; from=<Gordon.Joyce@...> to=<sales@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
        > Jun 28 22:03:36 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 554 <Gordon.Joyce@...>: Sender address rejected: undeliverable address: host mx4.earthlink.net[209.86.93.229] said: 550 Gordon.Joyce@......User unknown (in reply to RCPT TO command); from=<Gordon.Joyce@...> to=<root@...> proto=ESMTP helo=<Y0001.qoi3ilii.org>
        Lots of errors
        > Jun 28 22:03:38 shoebox postfix/smtpd[18206]: lost connection after DATA from unknown[202.101.73.90]
        > Jun 28 22:03:38 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
        And the connection is gone.

        --
        Ralf Hildebrandt (Ralf.Hildebrandt@...) spamtrap@...
        Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
        http://www.postfix-buch.com
        I work for an investment bank. I have dealt with code written by stock
        exchanges. I have seen how the computer systems that store your money
        are run. If I ever make a fortune, I will store it in gold bullion
        under my bed.
      • Ralf Hildebrandt
        Message 3 of 6 , Jul 2, 2006
          * Geoff <postfix@...>:

          > The intention is to limit connections from spammers to not more than 1
          > per 5 minutes.

          Connections or mails? One connection can be used for many emails -
          remember connection caching!

          You may want to look at:
          smtpd_client_recipient_rate_limit
          smtpd_client_message_rate_limit

          Which I have in my 2.3-RC2.

          --
          Ralf Hildebrandt (Ralf.Hildebrandt@...) spamtrap@...
          Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
          http://www.postfix-buch.com
          You are being trampled by the MSN drunken elephant in a tutu.
          Contact MSN to get off their blacklist.
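
The distinction made in the two replies above (one smtpd connection carrying many rejected recipients, and connections versus mails), as an added example that is not part of the thread: a small maillog parser that splits smtpd lines into connect/disconnect sessions and counts connections, mail transactions and rejected recipients per client. The function names, the sample log and the sender-change heuristic for mail transactions are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the maillog excerpt in the thread;
# host name, IP and addresses are made up for this example.
SAMPLE_LOG = """\
Jun 28 22:03:23 mx postfix/smtpd[18206]: connect from unknown[192.0.2.10]
Jun 28 22:03:24 mx postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <webmaster@example.org>: Recipient address rejected: Domain not known; from=<a@example.net> to=<webmaster@example.org> proto=ESMTP helo=<h.example>
Jun 28 22:03:28 mx postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <uucp@example.org>: Recipient address rejected: Domain not known; from=<b@example.net> to=<uucp@example.org> proto=ESMTP helo=<h.example>
Jun 28 22:03:28 mx postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <test@example.org>: Recipient address rejected: Domain not known; from=<b@example.net> to=<test@example.org> proto=ESMTP helo=<h.example>
Jun 28 22:03:38 mx postfix/smtpd[18206]: disconnect from unknown[192.0.2.10]
Jun 28 22:03:41 mx postfix/smtpd[18206]: connect from unknown[192.0.2.10]
Jun 28 22:03:41 mx postfix/smtpd[18206]: warning: Connection rate limit exceeded: 2 from unknown[192.0.2.10] for service smtp
Jun 28 22:03:41 mx postfix/smtpd[18206]: disconnect from unknown[192.0.2.10]
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
CLIENT = re.compile(r"\[([0-9a-fA-F.:]+)\]")
SENDER = re.compile(r" from=<([^>]*)>")

def parse_sessions(log):
    """Split smtpd lines into sessions; a PID is reused, so connect/disconnect bound them."""
    open_by_pid, done = {}, []
    for pid, msg in LINE.findall(log):
        s = open_by_pid.get(pid)
        if msg.startswith("connect from "):
            open_by_pid[pid] = {"client": CLIENT.search(msg).group(1), "rcpt_rejects": 0,
                                "mail_txns": 0, "last_from": None, "rate_limited": False}
        elif s is None:
            continue  # line for a session whose connect we never saw
        elif "reject: RCPT from" in msg:
            s["rcpt_rejects"] += 1
            m2 = SENDER.search(msg)
            if m2 and m2.group(1) != s["last_from"]:
                s["mail_txns"] += 1  # sender changed => new MAIL FROM (lower bound)
                s["last_from"] = m2.group(1)
        elif "Connection rate limit exceeded" in msg:
            s["rate_limited"] = True
        elif msg.startswith("disconnect from "):
            done.append(open_by_pid.pop(pid))
    return done

def per_client(sessions):
    # Totals per client IP: what a connection limit sees vs. mail/recipient activity.
    totals = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        for key in ("mail_txns", "rcpt_rejects"):
            totals[s["client"]][key] += s[key]
        totals[s["client"]]["connections"] += 1
    return {ip: dict(t) for ip, t in totals.items()}
```

On the sample, the first session holds three rejected recipients across at least two mail transactions yet counts as a single connection, and only the second connect trips the connection rate limit.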
        • Geoff
          Message 4 of 6 , Jul 2, 2006
            >
            >They occurred in the same connection. Note that all entries have the
            >smtpd PID of 18206:

            D'oh! Of course - silly me! So I would be better using 'smtpd_client_message_rate_limit = 1' (in place of 'smtpd_client_connection_rate_limit = 1') to prevent this?

            Thanks.
          • Geoff
            Message 5 of 6 , Jul 2, 2006
              >> The intention is to limit connections from spammers to not more than 1
              >> per 5 minutes.
              >
              >Connections or mails? One connection can be used for many emails -
              >remember connection caching!

              Indeed - I really meant 'mails' :-)


              >You may want to look at:
              >smtpd_client_recipient_rate_limit
              >smtpd_client_message_rate_limit

              smtpd_client_message_rate_limit seems to fit the bill. Thanks for the help and the quick reply.
            • Ralf Hildebrandt
              Message 6 of 6 , Jul 2, 2006
                * Geoff <postfix@...>:

                > smtpd_client_message_rate_limit seems to fit the bill. Thanks for the help and the quick reply.

                No problem: Good way of asking -> good/fast/plentiful of answers

                --
                Ralf Hildebrandt (Ralf.Hildebrandt@...) spamtrap@...
                Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
                http://www.postfix-buch.com
                It is impossible to sharpen a pencil with a blunt axe. It is equally
                vain to try to do it with ten blunt axes instead. -- E. W. Dijkstra