On 24.11.2011 09:41, Robert Schetterer wrote:
> Hi, just for my clarification
>
> faq says:
> When an SMTP client makes too many connections at the same time, or when
> all postscreen(8) ports are busy, postscreen(8) rejects the connection
> with a 421 status code and logs:
>
> NOQUEUE: reject: CONNECT from [address]:port: too many connections
> NOQUEUE: reject: CONNECT from [address]:port: all server ports busy
>
> The postscreen_client_connection_count_limit and
> postscreen_pre_queue_limit parameters control these limits
>
> status: i wanna slow down postscreen, as i do
> grep the log to build dynamic firewall rules
> but as the high number of bots this doesn't work fast enough
> ( for the moment i think all speed up that was possible was done on this
> side ), i only use zen.spamhaus.org catches via a rsyslog filtered log,
> iptables recent is also used, blocking whole countries didn't help
>
> more 421 would be ok to me, as it does not relate
> to "dunno" networks
>
> so question if i reduce
> postscreen_client_connection_count_limit and postscreen_pre_queue_limit
> will it affect network/24 dunno too, and will help slow down other cons
>
>
> yet i have
>
> postscreen_dnsbl_sites = zen.spamhaus.org, list.dnswl.org*-5
> postscreen_dnsbl_threshold = 1
> postscreen_dnsbl_action = enforce
> postscreen_access_list = permit_mynetworks,
>     cidr:/etc/postfix/postscreen_access.cidr
> postscreen_blacklist_action = drop
> postscreen_greet_action = enforce
> postscreen_hangup_action = drop
> smtp_tls_block_early_mail_reply = yes
> postscreen_bare_newline_action = drop
> postscreen_bare_newline_enable = yes
> postscreen_non_smtp_command_enable = yes
> postscreen_pipelining_enable = yes
>
> smtp      inet  n       -       n       -       1       postscreen
> smtpd     pass  -       -       n       -       -       smtpd
> dnsblog   unix  -       -       n       -       0       dnsblog
> tlsproxy  unix  -       -       n       -       0       tlsproxy
>
> /etc/postfix/postscreen_access.cidr
> network/24 dunno
>
sorry for answering myself

lowering postscreen_pre_queue_limit seems ok and doesn't hurt
"whitelisted" nets

postscreen_client_connection_count_limit was already set very low

so i play around now, see what's happening

-- 
Best Regards
MfG Robert Schetterer

Germany/Munich/Bavaria
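
An added example, not part of the original messages: a tally of the two 421 reject lines quoted from the FAQ that only proposes firewall candidates from "too many connections", since "all server ports busy" reflects the server being full rather than one client's behaviour. The syslog prefix, sample addresses, threshold and the exempt network (standing in for the post's `network/24 dunno` entry) are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# The two reject lines quoted from the FAQ; any syslog prefix is ignored.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: CONNECT from \[(?P<addr>[^\]]+)\]:\d+: "
    r"(?P<reason>too many connections|all server ports busy)"
)

# Constructed sample input (documentation address ranges, made-up host/PID).
SAMPLE_LOG = """\
Nov 24 09:41:01 mx postfix/postscreen[2101]: NOQUEUE: reject: CONNECT from [198.51.100.7]:40112: too many connections
Nov 24 09:41:01 mx postfix/postscreen[2101]: NOQUEUE: reject: CONNECT from [198.51.100.7]:40113: too many connections
Nov 24 09:41:02 mx postfix/postscreen[2101]: NOQUEUE: reject: CONNECT from [198.51.100.7]:40114: too many connections
Nov 24 09:41:03 mx postfix/postscreen[2101]: NOQUEUE: reject: CONNECT from [203.0.113.20]:50999: all server ports busy
Nov 24 09:41:04 mx postfix/postscreen[2101]: NOQUEUE: reject: CONNECT from [192.0.2.15]:33010: too many connections
Nov 24 09:41:04 mx postfix/postscreen[2101]: NOQUEUE: reject: CONNECT from [2001:db8::25]:33011: too many connections
Nov 24 09:41:05 mx postfix/postscreen[2101]: CONNECT from [203.0.113.20]:51000 to [192.0.2.1]:25
""".splitlines()

EXEMPT_NETS = ["192.0.2.0/24"]  # assumption: stands in for "network/24 dunno"

def tally_rejects(lines, exempt_nets=()):
    """Return (per_client, busy): 421 counts per address for each reason."""
    exempt = [ipaddress.ip_network(n) for n in exempt_nets]
    per_client, busy = Counter(), Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # not a literal IP address: never feed it to a firewall
        if any(addr in net for net in exempt):
            continue  # exempted networks are never proposed for blocking
        bucket = per_client if m.group("reason") == "too many connections" else busy
        bucket[str(addr)] += 1
    return per_client, busy

def block_candidates(lines, threshold=3, exempt_nets=()):
    """Addresses that hit the per-client limit at least `threshold` times."""
    per_client, _ = tally_rejects(lines, exempt_nets)
    return sorted(a for a, n in per_client.items() if n >= threshold)

if __name__ == "__main__":
    print(block_candidates(SAMPLE_LOG, 3, EXEMPT_NETS))
```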