Hi,

>> I had previously done something like this with iptables, but it was
>> mostly ineffective:
>>
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 20 --hitcount 5 -j DROP
>
> why in the world do you DROP here instead of notifying the remote
> machine with REJECT that you did not accept the connection?

I thought this would cause the sending side to requeue the message, then retry later.

Noel wrote:
> Is there some actual problem you're trying to solve?

Yes, I'd like to avoid having thousands of messages queued as a result of a bulk-mailer, consequently causing significant delays for all mail. It seems I'd never be able to create a powerful enough server to overcome the message rate of the large bulk senders.

> on the other hand the following exists in postfix
>
> anvil_rate_time_unit = 1800s
> smtpd_client_connection_rate_limit = 50

postconf(5) says to not use this to throttle legitimate mail. Is that not the case? Could bulk mailers such as constantcontact be considered abuse in this case?

    smtpd_client_connection_rate_limit (default: 0)
        The maximal number of connection attempts any client is allowed to make to this
        service per time unit. The time unit is specified with the anvil_rate_time_unit
        configuration parameter.
        By default, a client can make as many connections per time unit as Postfix can
        accept. To disable this feature, specify a limit of 0.
        WARNING: The purpose of this feature is to limit abuse. It must not be used to
        regulate legitimate mail traffic.
        Example:
        smtpd_client_connection_rate_limit = 1000

Thanks again,
Alex
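A Python model of the sliding window behind the two iptables rules quoted in the message above, added here as an example and not code from the thread, from netfilter or from Postfix. It assumes xt_recent's documented behaviour (the `--update` rule counts the stamps already recorded for the address and records the current packet's stamp when it matches) and a constructed connection timeline, and shows that with `--hitcount 5` the sixth connection inside the 20-second window is the first one dropped, while a retry after the window has passed gets through again.

```python
from collections import deque

# Model of the thread's two rules. Both are inserted with -I, so the chain ends
# up as: [1] -m recent --update --seconds 20 --hitcount 5 -j DROP, then [2] --set.
SECONDS = 20           # --seconds
HITCOUNT = 5           # --hitcount
STAMPS_PER_ADDR = 20   # xt_recent's default ip_pkt_list_tot (stamps kept per address)

class RecentList:
    """Per-source timestamp list in the spirit of xt_recent (a model, not kernel code)."""
    def __init__(self):
        self.stamps = {}  # src -> deque of packet timestamps

    def record(self, src, now):
        """--set: add the address if missing and record the current packet's stamp."""
        self.stamps.setdefault(src, deque(maxlen=STAMPS_PER_ADDR)).append(now)

    def update_matches(self, src, now):
        """--update --seconds S --hitcount N: match only if the address is already
        listed and at least N *previously recorded* stamps lie inside the window;
        on a match the current stamp is recorded as well (that is what --update does)."""
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        if sum(1 for t in stamps if now - t <= SECONDS) >= HITCOUNT:
            self.record(src, now)
            return True
        return False

def simulate(events):
    """events: (time_s, src) pairs -> (time_s, src, verdict); 'DROP' when rule 1
    matched, 'PASS' when the packet fell through rule 2 to the rest of the chain."""
    table, verdicts = RecentList(), []
    for now, src in sorted(events):
        if table.update_matches(src, now):
            verdicts.append((now, src, "DROP"))
        else:
            table.record(src, now)
            verdicts.append((now, src, "PASS"))
    return verdicts

def dropped_at(verdicts, src):
    """Times at which connections from src were dropped."""
    return [t for t, s, v in verdicts if s == src and v == "DROP"]

# Constructed timeline (documentation addresses, not real traffic): a bulk sender
# opens six connections in six seconds, retries at t=30; a normal MTA connects every 15 s.
BULK, NORMAL = "203.0.113.10", "198.51.100.7"
EVENTS = [(t, BULK) for t in range(6)] + [(30, BULK)] + [(t, NORMAL) for t in range(0, 60, 15)]
```

The verdicts are the same whether the terminal target is DROP or REJECT; that choice only changes what the remote MTA sees, not which connections the window catches.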