On 2/28/2012 8:37 PM, Alex wrote:
> Hi,
>
>> Now that you've done some optimization, kick default_process_limit back
>> down to 200 and see if that works. If so, keep backing it off by 25
>> each time until you start to see the slowdown again. Then bump it back
>> up by 10 and leave it.
>>
>> Next I'd look at smtp-amavis and see if it's keeping up with demand. If
>> it can't service requests fast enough postfix will spawn more smtpds to
>> handle the incoming connections and then they'll sit and wait on amavis.
>> Optimizing a complex setup as yours is a balancing act because you have
>> so many layers depending on each other.
>>
>>> Thanks so much for your help,
>>
>> Sure thing. If you know what your peak daily connection rate is, and
>> can share that, it would be helpful.
>
> I'm still adjusting it a little bit at a time, and will follow up next
> week with that info.
>
> I had thought it was related, but another issue I'm trying to figure
> out is how to prevent a single remote server from sending thousands of
> messages at a time, filling the queue, and causing significant
> delivery delays for all mail.

Is it safe to assume these thousands of messages are spam, and not legit
mail? If so, simply block the IP address(es) in a cidr table:

    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_client_access cidr:/etc/postfix/blacklist.cidr
        ...

    /etc/postfix/blacklist.cidr
    #single IP
    10.10.10.10/32    REJECT high rate spammer
    #class C network
    10.10.10.0/24     REJECT snowshoe spammer

If it's legit mail, anvil typically takes care of rate throttling, IIRC.
Need more info. What version of Postfix are you using again?

> I thought either greylisting or a few iptables rules to throttle the
> connection rate, but I haven't been able to figure this out.

Use the above method to block known spammer IPs and other SMTP abusers.
This 'punishes' the abusers and doesn't bother other senders as
greylisting delays can.

> Thanks again for your help,

Sure thing.

--
Stan
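
Added example, not part of the original message or of Postfix: one way to find candidates for the cidr table described above is to count smtpd "connect from" lines per client address and print entries for review. The threshold, the exempt networks, the REJECT text and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Postfix smtpd logs each new client as "connect from host[address]".
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*\[([0-9A-Fa-f:.]+)\]")

def count_clients(log_lines):
    """Return a Counter of smtpd connections per client IP address."""
    counts = Counter()
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue  # disconnects, other daemons, unrelated lines
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # bracketed text that is not a valid address
    return counts

def cidr_entries(counts, threshold, exempt=()):
    """Render cidr table lines for clients at or above threshold, busiest first."""
    exempt_nets = [ipaddress.ip_network(n) for n in exempt]
    lines = []
    for ip, n in counts.most_common():
        if n < threshold:
            break
        if any(ip in net for net in exempt_nets):
            continue  # never list your own hosts (hypothetical exempt list)
        lines.append(f"# {n} connections")
        lines.append(f"{ip}/{ip.max_prefixlen} REJECT high rate sender")
    return lines

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = (
    ["Feb 28 20:31:02 mx1 postfix/smtpd[2101]: connect from unknown[10.10.10.10]"] * 5
    + ["Feb 28 20:31:03 mx1 postfix/smtpd[2102]: connect from mail.example.org[192.0.2.7]"]
    + ["Feb 28 20:31:04 mx1 postfix/smtpd[2103]: connect from localhost[127.0.0.1]"] * 6
    + ["Feb 28 20:31:05 mx1 postfix/smtpd[2104]: connect from unknown[2001:db8::1]"] * 3
    + ["Feb 28 20:31:06 mx1 postfix/smtpd[2101]: disconnect from unknown[10.10.10.10]"]
)

if __name__ == "__main__":
    entries = cidr_entries(count_clients(SAMPLE_LOG), threshold=3,
                           exempt=["127.0.0.0/8", "::1/128"])
    print("\n".join(entries))
```

A high connection count alone does not separate spam from a busy legitimate sender, so the output is a list to review before anything is copied into blacklist.cidr.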