Stan Hoeppner:
> Setting smtpd_client_connection_count_limit also sets
> postscreen_client_connection_count_limit if you're using postfix 2.8 and
> postscreen. Thus the limit is enforced before connections are handed to
> smtpd processes, so you don't needlessly eat up additional smtpds.

Note that postscreen either blocks a client or hands it off to a Postfix SMTP server process. The connection count limit in postscreen applies only to the SMTP clients that are (not yet) handed off to an SMTP server process. Once the hand-off is done, postscreen does not know when an SMTP session ends, so the session no longer counts towards the postscreen connection count limit. The code was tricky enough that I did not want to introduce a postscreen-to-anvil dependency.

The postscreen connection count limit is still effective for "hit and run" spambots that make a burst of connections at approximately the same time. Such clients will exceed the connection limit while waiting for the pregreet timer to expire, or for DNS[BW]L lookups to complete.

	Wietse
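
Added example (not part of the original message and not Postfix code): a toy Python model of the counting rule described in the reply above, comparing what a postscreen-side counter and an smtpd-side counter would each see for two constructed clients. The limit of 50, the 6-second screening time and all connection timings are assumed sample values.

```python
"""Toy model of per-client connection counting (constructed, not Postfix code)."""
from collections import namedtuple

# Times in milliseconds. screen = time held by postscreen (pregreet wait,
# DNSBL lookups); session = time in smtpd after hand-off (0 = never handed off).
Conn = namedtuple("Conn", "start screen session")

LIMIT = 50          # sample per-client limit (assumed value)
SCREEN_MS = 6000    # sample time a connection spends in postscreen (assumed)

def peak(intervals):
    """Largest number of [begin, end) intervals open at the same moment."""
    events = []
    for begin, end in intervals:
        if end > begin:
            events += [(begin, 1), (end, -1)]
    events.sort()  # at equal times, closes (-1) sort before opens (+1)
    current = best = 0
    for _, delta in events:
        current += delta
        best = max(best, current)
    return best

def postscreen_peak(conns):
    # Counted only until postscreen drops the client or hands it off.
    return peak((c.start, c.start + c.screen) for c in conns)

def smtpd_peak(conns):
    # Counted from hand-off until the SMTP session ends.
    return peak((c.start + c.screen, c.start + c.screen + c.session) for c in conns)

def report(conns, limit=LIMIT):
    """(would exceed the postscreen limit, would exceed the smtpd limit)"""
    return postscreen_peak(conns) > limit, smtpd_peak(conns) > limit

# Constructed client 1: 60 connections within 3 s, none survives screening.
BURST = [Conn(i * 50, SCREEN_MS, 0) for i in range(60)]
# Constructed client 2: one connection every 10 s, each held open for 15 min.
SLOW = [Conn(i * 10_000, SCREEN_MS, 900_000) for i in range(60)]

if __name__ == "__main__":
    for name, conns in (("burst", BURST), ("slow", SLOW)):
        print(name, postscreen_peak(conns), smtpd_peak(conns), report(conns))
```

In this model the burst client exceeds the postscreen-side count while still being screened, whereas the slow client is never counted more than once by postscreen and is bounded only by the smtpd-side limit.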