SMTP message rate control on Ubuntu 8.04, preferably with postfix
Solution 1
In the end I used policyd which does just this sort of thing. I configured it to limit a single IP address to no more than 10000 messages an hour and 1 GB. Below is a copy of the doc I wrote up for myself in case anyone finds it helpful.
Configuring postfix and policyd
After the packages have been installed make the following changes to their configurations. In /etc/postfix/main.cf add the following line:

smtpd_client_restrictions = check_policy_service inet:127.0.0.1:10031

In /etc/postfix-policyd.conf:

- change WHITELISTING=1 to WHITELISTING=0
- change GREYLISTING=1 to GREYLISTING=0
- change SENDERTHROTTLE=0 to SENDERTHROTTLE=1
- change QUOTA_EXCEEDED_TEMP_REJECT=1 to QUOTA_EXCEEDED_TEMP_REJECT=0
- change SENDER_QUOTA_REJECTION="Quota Exceeded." to SENDER_QUOTA_REJECTION="Quota Exceeded, 10,000 messages/hour max!"
- change SENDER_SIZE_REJECTION="Message size too big." to SENDER_SIZE_REJECTION="Message size too big. 10Mb per message or 1 Gb/hour max!"
- change SENDERMSGLIMIT=512 to SENDERMSGLIMIT=10000
- change SENDERRCPTLIMIT=3600 to SENDERRCPTLIMIT=10000
- change SENDERQUOTALIMIT=250000000 to SENDERQUOTALIMIT=1000000000
- change SENDERMSGSIZE=10240000 to SENDERMSGSIZE=50000000
- change SENDER_INACTIVE_EXPIRE=31d to SENDER_INACTIVE_EXPIRE=1h
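To show what sits behind that check_policy_service line, here is a minimal stand-in for a policy daemon, added as an example and not code from policyd or from the original post. It speaks Postfix's policy delegation protocol (name=value attribute lines ended by a blank line, answered with action=...) on 127.0.0.1:10031 and enforces the same per-client limits as the settings above: 10,000 messages and 1 GB per hour. The limit values, the one-hour sliding window and the reject texts are assumptions taken from the answer, and the size attribute is only the client-announced SIZE (or 0) until Postfix reaches the end-of-data stage, so the byte quota is best-effort at the client-restriction stage.

```python
import socketserver
import time
from collections import defaultdict, deque

MSG_LIMIT = 10000            # messages per window per client IP (like SENDERMSGLIMIT)
BYTE_LIMIT = 1_000_000_000   # bytes per window per client IP (like SENDERQUOTALIMIT)
WINDOW = 3600                # seconds; a one-hour sliding window (assumed values)

def parse_request(raw):
    # A policy request is 'name=value' lines terminated by an empty line.
    return dict(line.split("=", 1) for line in raw.splitlines() if "=" in line)

class RateLimiter:
    # Sliding-window count of messages and bytes per client_address.
    def __init__(self, msg_limit=MSG_LIMIT, byte_limit=BYTE_LIMIT, window=WINDOW):
        self.msg_limit, self.byte_limit, self.window = msg_limit, byte_limit, window
        self.events = defaultdict(deque)   # client -> deque of (timestamp, size)

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        client = attrs.get("client_address", "unknown")
        size = int(attrs.get("size") or 0)  # before end-of-data this is only the announced SIZE, or 0
        q = self.events[client]
        while q and now - q[0][0] > self.window:   # expire events older than the window
            q.popleft()
        if len(q) >= self.msg_limit:
            return "REJECT Quota Exceeded, 10,000 messages/hour max!"
        if sum(s for _, s in q) + size > self.byte_limit:
            return "REJECT Quota Exceeded, 1 GB/hour max!"
        q.append((now, size))
        return "DUNNO"   # no opinion: Postfix goes on to the next restriction

LIMITER = RateLimiter()

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:   # Postfix sends many requests over one connection
            lines = []
            while (line := self.rfile.readline()) not in (b"", b"\n"):
                lines.append(line.decode("utf-8", "replace"))
            if not lines:
                return   # connection closed by Postfix
            action = LIMITER.decide(parse_request("".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())

if __name__ == "__main__":
    # The endpoint named in the main.cf line above: inet:127.0.0.1:10031
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```

Unlike policyd, the counters live in memory only, so they reset whenever the daemon restarts.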
Solution 2
Possibly interesting for your implementation:
default_destination_concurrency_limit (default: 20)
The default maximal number of parallel deliveries to the same destination. This is the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents. With per-destination recipient limit > 1, a destination is a domain, otherwise it is a recipient.
Use transport_destination_concurrency_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.
Solution 3
Anvil was really meant to limit incoming message rates, not limit outgoing. Think of it as a crude DoS filter.
You might want to look at the settings that pertain to the qmgr portion of postfix. Specifically, you might want to set your concurrency limits to something very low, and your wait-around-in-the-queue times very high. You'll want to set the rate of delivery to something that has a large(r) delay, and also want to lower the number of delivery processes in master.cf.
Have you looked at using qshape to determine what will be an acceptable rate for your internal MTA?
Updated on September 17, 2022

Comments
- TimDaMan almost 2 years
Maybe I am chasing a bug but I am trying to set up an SMTP proxy of sorts. I have a postfix server which receives all the email for a collection of servers/clients. It then uses a smarthost (relayhost=...) to forward its mail to our corporate MTA. I would like to limit the number of messages an individual server can relay to prevent swamping the corporate MTA. Postfix has a program called "anvil" that is capable of tracking stats about mail to be used for such things but it doesn't seem to be executed. I ran "inotifywait -m /usr/lib/postfix/anvil" while I started postfix and sent a number of messages through it from a remote server. inotifywait indicated anvil was never run. Anyone gotten postfix/anvil rate controls to work?
main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
myhostname = site-server-q9
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost = Out outgoing mail relay
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 10.X.X.X
smtpd_client_message_rate_limit = 1
anvil_rate_time_unit = 1h
master.cf extract
anvil     unix  -       -       -       -       1       anvil
smtp      inet  n       -       -       -       -       smtpd
- TimDaMan almost 15 years
My goal is not to slow anything down, I just want to prevent a runaway process from taking out the corporate server. That is the deal I made with the exchange team for their services. Mail still needs to be snappy. I reconfigured postfix for local delivery and repeated the test. Messages are still ignoring the limit.
- TimDaMan almost 15 years
I figured it out!! Anvil doesn't get fed/process data about clients that are in "mynetworks = ...". I changed it to mynetworks = 127.0.0.0/8 and the limit is being obeyed.