On 2/3/2012 6:45 AM, Alex wrote:
> Hi,
> 
>>> I have a fedora15 installation with postfix-2.8.7 and would like to
>>> throttle the message rate for incoming mail from senders like
>>> constantcontact and other bulk senders. I've read about greylisting,
>>> but I'm not sure what's what I'm looking for, due to the inherent
>>> side-effects.
>>
>> The cleanest way to do this is with firewall rules that limit the
>> number of connections from a specific host or limit the bandwidth
>> allotted to them.
> 
> Is there not a way to limit the number of messages sent per
> connection? I believe there are very few connections from these
> servers, just many new messages for each connections.

You might be tempted to reduce the setting of smtpd_recipient_limit.
This may significantly delay incoming mail and will *increase* load
on postfix.

Reducing the recipient limit increases load by forcing the sender to
send you a larger number of messages with fewer recipients.  Mail
for recipients that are not included in the first attempt will be
delayed, possibly by hours or even days.


Is there some actual problem you're trying to solve?


>> Anything you do in postfix is likely to severely delay incoming mail.
>>
>> If this is legit mail, what's wrong with accepting it as fast as
>> possible?  If your server can't stand the load you should reduce
>> default_process_limit to something your server can handle.
> 
> I tried limiting the default_process_limit in the past, but this of
> course produces "connection refused" to other clients, which
> immediately resulted in phone calls from users about our mail server
> being down.

Your own users should be submitting mail on ports 587 or 465 to
prevent this and other problems.  There are example entries in
master.cf for enabling these ports.


> 
> I had previously done something like this with iptables, but it was
> mostly ineffective:
> 
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW \
>     -m recent --set
> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW \
>     -m recent --update --seconds 20 --hitcount 5 -j DROP

I don't use iptables, but DROP is the wrong thing to do here.  I
think the action you need is "... -j REJECT --reject-with tcp-reset".
Maybe someone else will comment if the rest of the command needs
changing.



  -- Noel Jones

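The firewall-side fix Noel describes, as an added example that is not part of the thread (the SMTP_RATELIMIT chain name and the IPTABLES, IFACE, WINDOW and HITS variables are my own choices, not anything from the original post). It keeps the quoted `recent` match (5 new connections per 20 seconds per source) but answers the excess connections with a TCP RST instead of silently dropping them, so a bulk sender fails fast and retries on its own schedule rather than waiting out SYN retransmissions. The rules live in their own chain and are only attached to port 25, so the site's own users submitting on 587/465 are never throttled.

```shell
#!/bin/sh
# Added example, not from the original thread.  Per-source connection rate
# limit for inbound SMTP, rejecting with tcp-reset rather than DROP.
# IPTABLES, IFACE, WINDOW, HITS and the chain name are assumed names.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run
IFACE="${IFACE:-eth0}"
WINDOW="${WINDOW:-20}"             # seconds, as in the quoted rules
HITS="${HITS:-5}"                  # new connections per WINDOW per source IP

# Emit the rule set through $IPTABLES; returns 0 when every call succeeded.
smtp_ratelimit_rules() {
    # Dedicated chain so the limit can be reloaded without touching INPUT.
    $IPTABLES -N SMTP_RATELIMIT 2>/dev/null || true
    $IPTABLES -F SMTP_RATELIMIT &&
    # Record the source address of every new SMTP connection.
    $IPTABLES -A SMTP_RATELIMIT -m recent --name smtp --set &&
    # HITS or more new connections from one source within WINDOW seconds:
    # refuse with a RST so the client gives up immediately instead of
    # retransmitting SYNs until its connect timeout.
    $IPTABLES -A SMTP_RATELIMIT -m recent --name smtp --update \
        --seconds "$WINDOW" --hitcount "$HITS" \
        -j REJECT --reject-with tcp-reset &&
    # Attach the chain to new connections on port 25 only; submission on
    # 587/465 is deliberately left alone.  Delete first so re-running the
    # script does not stack duplicate jump rules in INPUT.
    { $IPTABLES -D INPUT -i "$IFACE" -p tcp --dport 25 \
        -m state --state NEW -j SMTP_RATELIMIT 2>/dev/null || true; } &&
    $IPTABLES -I INPUT -i "$IFACE" -p tcp --dport 25 \
        -m state --state NEW -j SMTP_RATELIMIT
}

# Usage: run as root to apply, or IPTABLES=echo sh thisfile to preview.
smtp_ratelimit_rules
```

Note that REJECT only changes how the refused connection ends; the sender's queue still has to come back for the mail, so this trades load for delay just as Noel warns. The postfix-side answer to the "connection refused" complaints is the one given above: move the site's own users to the submission (587) or smtps (465) entries that already exist as examples in master.cf, so an exhausted process limit on port 25 never affects them.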