On Fri, May 22, 2009 at 03:23:07PM +0100, Steve wrote:

> The appliance I took apart had a nice rate control feature. The crux of
> it was the ability to set connection limit on a per IP basis in 30
> minutes. You could *NOT* change this time window, but could change the
> limit thus;
>
> 50 connections in 30 minutes, 60 connections in 30 minutes ... 200
> connections in 30 minutes etc.
>
> What it would do is something like this:
> Connection 51 come in, it defers with a 45x error (temp) and starts a
> new timer.

Connection rate (rather than concurrency) limits are rather risky, a site
with legitimate mail to send, and a lot of senders, may not be able to
deliver any mail to you in the face of a load-spike.

Anvil can do just this, but (especially rate rather than concurrency
controls) such controls are not recommended for fine-grained limits close
to the expected transmission rate. Rather the limits should be very
generous, intended to prevent wizards-apprentice accidents, ...

> If that IP presents another '50' connections in the new
> window of 30 minutes - say connections 51-101 - they will also be given
> 45x errors. If connection 102 falls inside this period it then starts
> giving 55x errors to that IP. It will reset when it sees nothing from
> that IP in 30 minutes.

This is a really lame rate control mechanism. It fails catastrophically
when a legitimate site has a spike of email in your direction. Consider
generous connection concurrency limits, and avoid rate limits unless
they are very generous, and would NEVER be hit by a legitimate sender.

-- 
	Viktor.
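
The failure mode discussed in this thread, as an added simulation that is not part of the original messages and is neither Postfix nor appliance code: it replays one constructed traffic pattern from a single legitimate sender through the appliance's escalating rate limit and through a plain concurrency limit. Assumptions: a window that expires without being exceeded starts fresh, sessions last 30 seconds, and the concurrency limit is 20; the class and function names are hypothetical.

```python
from collections import Counter
WINDOW = 30 * 60  # seconds; the fixed window of the appliance in the quoted text

class ApplianceRateLimit:
    """One client IP's state. Expiry of an un-exceeded window is an assumption."""
    def __init__(self, limit):
        self.limit, self.count, self.start, self.last = limit, 0, None, None

    def connect(self, t):
        idle = self.last is not None and t - self.last >= WINDOW
        rejecting = self.count > 2 * self.limit + 1
        expired = self.start is not None and t - self.start >= WINDOW
        if self.start is None or idle or (expired and not rejecting):
            self.count, self.start = 0, t   # fresh window
        self.last = t
        self.count += 1
        if self.count == self.limit + 1:
            self.start = t                  # e.g. connection 51 starts a new timer
        if self.count <= self.limit:
            return "250"
        # limit 50: connections 51-101 are deferred, 102 onwards refused
        return "45x" if self.count <= 2 * self.limit + 1 else "55x"

def concurrency_verdicts(arrivals, hold, limit):
    """Concurrency control: defer only while `limit` sessions are already open."""
    open_until, out = [], []
    for t in arrivals:
        open_until = [end for end in open_until if end > t]
        if len(open_until) < limit:
            open_until.append(t + hold)
            out.append("250")
        else:
            out.append("45x")
    return out

def traffic():
    """Constructed load: 1 h at 45 s gaps, a 30 min spike at 10 s gaps, 3 h at 45 s."""
    t, out = 0, []
    for gap, duration in ((45, 3600), (10, 1800), (45, 3 * 3600)):
        end = t + duration
        while t < end:
            out.append(t)
            t += gap
    return out

def compare(limit=50):
    arrivals, box = traffic(), ApplianceRateLimit(limit)
    rate = [box.connect(t) for t in arrivals]
    conc = concurrency_verdicts(arrivals, hold=30, limit=20)
    return Counter(rate), Counter(conc), rate[-1]
```

`compare()` returns the verdict tallies for both controls and the rate limiter's final verdict. With this load the sender is still refused three hours after the spike, because its normal traffic never leaves a 30-minute gap, while the concurrency limit accepts every connection.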