On 7/7/2011 11:20 PM, ricardus1867 wrote:
> > While crawling through my logs, I've noticed a couple of bots getting
> > rejected because of Improper use of SMTP command pipelining because of the
> > reject_unauth_pipelining in smtpd_recipient_restrictions. So I decided to
> > give the old "sleep" trick a try. Only for unknown hosts, ofc...

> Sounds as if it was working just fine before you started
> mucking with it. My first thought is broken test procedures.
> Which you don't describe. Or improper analysis of evidence.
> Which you don't provide.

Well, yeah. It was working fine. Still does. Except for the pipelining restriction...

Test procedure: open a telnet connection to the mail server and type in the commands

    HELO example.com
    MAIL From:<>
    RCPT To:<j...@example.com>
    DATA
    Test
    .

before the sleep expires (i.e. before getting 220 example.com ESMTP Postfix in response). With the suggested implementation (well, changing the sleeptime to 15 since I can't copy and paste that fast), the message gets delivered.

That's what you meant by "test procedure" and "analysis of evidence", right? English ain't my first language...

> smtpd_delay_reject changes the timing of postfix restrictions.
> It is strongly recommended to leave this at the default setting.

I know. I leave all other restrictions in smtpd_recipient_restrictions though, so they get delayed anyway. It's more of a curiosity how much spam this would block since a few bots already got rejected because of improper pipelining without sleeping...

> > ...
> > I'm using postfix 2.8.3 btw.

> The sleep pseudo-restriction was a nice hack when nothing
> better was available, but could cause more trouble than it was
> worth by tying up valuable resources, and it made it too easy
> to penalize everyone to catch a handful of bad actors.
> Instead of sleep, use the postscreen feature in 2.8 to get the
> grown-up version of improper pipelining and early talking
> detection.

I agree that there are better ways to fight spam. But I still wonder "what if" and I still don't understand why postfix behaves as it does.

Btw, as I said, I only let unknown hosts sleep. A cronjob checks every 15 minutes for IPs that successfully delivered their first message and adds them to the "known clients" lists. Known (and whitelisted) clients do not have to sleep...

Regards
ricardus

--
View this message in context: http://old.nabble.com/reject_unauth_pipelining-not-working-as-I%27d-expect-%28bug-%29-tp32018797p32019060.html
Sent from the Postfix mailing list archive at Nabble.com.
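
Added example, not part of the original message and not Postfix or postscreen code: a minimal Python model of the early-talker check the thread discusses, where the server holds back its 220 greeting and flags any client that sends commands before it arrives. The banner text, reply text, function names and the three sample clients are constructed for illustration.

```python
import select
import socket

BANNER = b"220 mail.example.com ESMTP\r\n"       # constructed greeting
REJECT = b"554 5.5.0 Spoke before greeting\r\n"  # constructed reply text


def greet_with_pregreet_check(conn, wait_seconds):
    """Hold the banner back for wait_seconds and watch for early input.

    Returns (verdict, early_bytes). A well-behaved SMTP client sends nothing
    until it has read the 220 greeting, so any readable data is a violation.
    """
    readable, _, _ = select.select([conn], [], [], wait_seconds)
    if not readable:
        conn.sendall(BANNER)
        return "ok", b""
    early = conn.recv(4096)
    if not early:  # readable but empty read means the peer closed
        return "disconnected", b""
    conn.sendall(REJECT)
    return "early_talker", early


def demo(wait_seconds=0.2):
    """Run three constructed clients against the check over socket pairs."""
    results = {}

    # Client that pastes commands before the greeting, as in the telnet test.
    server, client = socket.socketpair()
    client.sendall(b"HELO example.com\r\nMAIL From:<>\r\n")
    verdict, early = greet_with_pregreet_check(server, wait_seconds)
    results["pastes_early"] = (verdict, early.split(b"\r\n")[0], client.recv(4096))
    server.close()
    client.close()

    # Client that waits for the banner before saying anything.
    server, client = socket.socketpair()
    verdict, _ = greet_with_pregreet_check(server, wait_seconds)
    results["waits"] = (verdict, client.recv(4096))
    server.close()
    client.close()

    # Client that hangs up during the wait.
    server, client = socket.socketpair()
    client.close()
    results["hangs_up"] = greet_with_pregreet_check(server, wait_seconds)
    server.close()
    return results
```

The check runs once per connection before any SMTP command is parsed, so only the client being tested waits, and the wait ends as soon as that client misbehaves.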