On 2/3/2012 2:32 PM, Alex wrote:
> Hi,
> 
>>> I had previously done something like this with iptables, but it was
>>> mostly ineffective:
>>>
>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 20 --hitcount 5 -j DROP
>>
>> Why in the world do you DROP here instead of notifying the remote
>> machine with REJECT that you did not accept the connection?
> 
> I thought this would cause the sending side to requeue the message
> then retry later.

It's much friendlier to tcp reject the connection (not the same as
an SMTP 550), which will also cause the sender to requeue.


> 
> Noel wrote:
>> Is there some actual problem you're trying to solve?
> 
> Yes, I'd like to avoid having thousands of messages queued as a result
> of a bulk-mailer, consequently causing significant delays for all
> mail. It seems I'd never be able to create a powerful enough server to
> overcome the message rate of the large bulk senders.

Consider starting a new thread about speeding up your local delivery.

> 
>> On the other hand, the following exists in Postfix:
>>
>> anvil_rate_time_unit                                = 1800s
>> smtpd_client_connection_rate_limit                  = 50
> 
> postconf(5) says to not use this to throttle legitimate mail. Is that
> not the case?

Using anvil to rate-limit legit mail will cause delays, possibly
hours or days (or never). That doesn't mean you can't do it anyway,
just don't complain about it if you don't like the results.



  -- Noel Jones
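
What the two firewall targets discussed above look like from the connecting side, as an added example that is not part of the original message: a Python probe that classifies one TCP connection attempt as accepted, rejected (immediate refusal, as with a TCP reset) or dropped (no answer until the timeout). The function names and the loopback demo are assumptions made for illustration.

```python
import socket
import time


def probe_connect(host, port, timeout=3.0):
    """Return (outcome, seconds) for a single TCP connection attempt.

    'accepted' - the handshake completed
    'rejected' - the attempt was refused at once (RST), which is what a
                 sender sees behind a REJECT rule that sends a TCP reset
    'dropped'  - nothing came back before the timeout, which is what a
                 sender sees behind a DROP rule
    """
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        outcome = "dropped"
    except ConnectionRefusedError:
        outcome = "rejected"
    else:
        sock.close()
        outcome = "accepted"
    return outcome, time.monotonic() - start


def demo_local():
    """Probe a listening and then a closed loopback port (constructed demo)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = probe_connect("127.0.0.1", port)
    listener.close()                     # port now answers with RST
    closed_result = probe_connect("127.0.0.1", port)
    return open_result, closed_result


if __name__ == "__main__":
    for outcome, seconds in demo_local():
        print(f"{outcome:9s} after {seconds:.3f}s")
```

Pointing `probe_connect` at port 25 of your own server from a throttled test host shows which of the two behaviours the rule in place produces and how long the client waits for it.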
