SMTP message rate control on Ubuntu 8.04, preferably with postfix


Solution 1

In the end I used policyd which does just this sort of thing. I configured it to limit a single IP address to no more than 10000 messages an hour and 1 GB. Below is a copy of the doc I wrote up for myself in case anyone finds it helpful.


Configuring postfix and policyd

After the packages have been installed make the following changes to their configurations. In /etc/postfix/main.cf add the following line

smtpd_client_restrictions = check_policy_service inet:127.0.0.1:10031

In /etc/postfix-policyd.conf

  • change WHITELISTING=1 to WHITELISTING=0
  • change GREYLISTING=1 to GREYLISTING=0
  • change SENDERTHROTTLE=0 to SENDERTHROTTLE=1
  • change QUOTA_EXCEEDED_TEMP_REJECT=1 to QUOTA_EXCEEDED_TEMP_REJECT=0
  • change SENDER_QUOTA_REJECTION="Quota Exceeded." to SENDER_QUOTA_REJECTION="Quota Exceeded, 10,000 messages/hour max!"
  • change SENDER_SIZE_REJECTION="Message size too big." to SENDER_SIZE_REJECTION="Message size too big. 10Mb per message or 1 Gb/hour max!"
  • change SENDERMSGLIMIT=512 to SENDERMSGLIMIT=10000
  • change SENDERRCPTLIMIT=3600 to SENDERRCPTLIMIT=10000
  • change SENDERQUOTALIMIT=250000000 to SENDERQUOTALIMIT=1000000000
  • change SENDERMSGSIZE=10240000 to SENDERMSGSIZE=50000000
  • change SENDER_INACTIVE_EXPIRE=31d to SENDER_INACTIVE_EXPIRE=1h
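The check_policy_service line above hands each client's request to a policy daemon; as an added example (not code from any answer here and not policyd itself), this is a minimal such daemon in Python that counts messages per client IP over a sliding hour and answers in Postfix's policy delegation protocol. The limits, the per-'instance' deduplication and the reject text are my own choices, and state lives in memory only, so counts reset when the daemon restarts.

```python
import socketserver, threading, time
from collections import defaultdict, deque

# Constructed limits (the figures Solution 1 used); LISTEN matches main.cf's check_policy_service line.
WINDOW, LIMIT, LISTEN = 3600, 10000, ("127.0.0.1", 10031)

def parse_policy_request(raw):
    """One request is a block of 'name=value' lines ended by an empty line."""
    pairs = (ln.partition("=") for ln in raw.splitlines() if ln)
    return {name: value for name, sep, value in pairs if sep}

class RateLimiter:
    """Sliding-window count of messages per client address (thread-safe)."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # client -> timestamps of counted messages
        self.last = {}                    # client -> (instance, verdict) of its current message
        self.lock = threading.Lock()
    def check(self, client, instance, now):
        with self.lock:
            # Postfix asks once per RCPT TO with the same 'instance'; reuse that verdict so a message counts once.
            if instance and self.last.get(client, (None,))[0] == instance:
                return self.last[client][1]
            q = self.events[client]
            while q and now - q[0] >= self.window:
                q.popleft()
            ok = len(q) < self.limit
            if ok:
                q.append(now)
            self.last[client] = (instance, ok)
            return ok
LIMITER = RateLimiter(LIMIT, WINDOW)

def decide(attrs, limiter, now):
    ok = limiter.check(attrs.get("client_address", "unknown"), attrs.get("instance"), now)
    # REJECT is a permanent 5xx (cf. QUOTA_EXCEEDED_TEMP_REJECT=0 in Solution 1); DEFER_IF_PERMIT gives a 4xx.
    return "DUNNO" if ok else f"REJECT Quota exceeded, {limiter.limit} messages/hour max"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):  # Postfix may send several requests over one connection
        buf = []
        for line in self.rfile:
            buf.append(line.decode("utf-8", "replace"))
            if not buf[-1].strip():  # empty line ends the request
                action = decide(parse_policy_request("".join(buf)), LIMITER, time.monotonic())
                self.wfile.write(f"action={action}\n\n".encode())
                buf = []
if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as server:
        server.serve_forever()
```

Start it as an unprivileged user before reloading postfix. Unlike anvil's smtpd_client_message_rate_limit, which skips clients listed in smtpd_client_event_limit_exceptions (default $mynetworks), a policy service placed first in smtpd_client_restrictions is consulted for every client that reaches that restriction.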

Solution 2

Possibly interesting for your implementation:

default_destination_concurrency_limit (default: 20)

    The default maximal number of parallel deliveries to the same destination. This is the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents. With per-destination recipient limit > 1, a destination is a domain, otherwise it is a recipient.

    Use transport_destination_concurrency_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

Solution 3

Anvil was really meant to limit incoming message rates, not limit outgoing. Think of it as a crude DoS filter.

You might want to look at the settings that pertain to the qmgr portion of postfix. Specifically, you might want to set your concurrency limits to something very low, and your wait-around-in-the-queue times very high. You'll want to set the rate of delivery to something that has a large(r) delay, and also want to lower the number of delivery processes in master.cf.

Have you looked at using qshape to determine what will be an acceptable rate for your internal MTA?


Updated on September 17, 2022

Comments

  • TimDaMan
    TimDaMan almost 2 years

    Maybe I am chasing a bug but I am trying to set up an SMTP proxy of sorts. I have a postfix server which receives all the email for a collection of servers/clients. It then uses a smarthost (relayhost=...) to forward its mail to our corporate MTA. I would like to limit the number of messages an individual server can relay to prevent swamping the corporate MTA. Postfix has a program called "anvil" that is capable of tracking stats about mail to be used for such things but it doesn't seem to be executed. I ran "inotifywait -m /usr/lib/postfix/anvil" while I started postfix and sent a number of messages through it from a remote server. inotifywait indicated anvil was never run. Anyone gotten postfix/anvil rate controls to work?

    main.cf

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    append_dot_mydomain = no
    readme_directory = no
    myhostname = site-server-q9
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = localhost
    relayhost = Out outgoing mail relay
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = 10.X.X.X
    smtpd_client_message_rate_limit = 1
    anvil_rate_time_unit = 1h
    

    master.cf extract

    anvil     unix  -       -       -       -       1       anvil
    smtp      inet  n       -       -       -       -       smtpd
    
  • TimDaMan
    TimDaMan almost 15 years
    My goal is not to slow anything down, I just want to prevent a runaway process from taking out the corporate server. That is the deal I made with the exchange team for their services. Mail still needs to be snappy. I reconfigured postfix for local delivery and repeated the test. Messages are still ignoring the limit.
  • TimDaMan
    TimDaMan almost 15 years
    I figured it out!! Anvil doesn't get fed/process data about clients that are in "mynetworks = ..." I changed it to mynetworks = 127.0.0.0/8 and the limit is being obeyed.