On 4/3/2012 10:27 AM, Wietse Venema wrote:
> Stan Hoeppner:
>> Setting smtpd_client_connection_count_limit also sets
>> postscreen_client_connection_count_limit if you're using postfix 2.8 and
>> postscreen. Thus the limit is enforced before connections are handed to
>> smtpd processes, so you don't needlessly eat up additional smtpds.
>
> Note that postscreen either blocks a client or hands it off to a
> Postfix SMTP server process. The connection count limit in postscreen
> applies only to the SMTP clients that are (not yet) handed off to
> an SMTP server process. Once the hand-off is done, postscreen does
> not know when an SMTP session ends, so the session no longer counts
> towards the postscreen connection count limit. The code was tricky
> enough that I did not want to introduce a postscreen-to-anvil
> dependency.

Ahh, thanks for the clarification Wietse. The smtpd_client_connection_count_limit is still enforced against post hand off client connections though, correct?

> The postscreen connection count limit is still effective for "hit
> and run" spambots that make a burst of connections at approximately
> the same time. Such clients will exceed the connection limit while
> waiting for the pregreet timer to expire, or for DNS[BW]L lookups
> to complete.

So the postscreen connection limit is good for slowing bots, no surprise since bots are the postscreen target, but the smtpd connection limit is still appropriate/needed for slowing legit bulk mailer clients, assuming one chooses to use it vs the other anvil based restrictions.

--
Stan
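The difference between the two counters described in this thread, as an added example that is not part of the original messages and is not Postfix code: a toy Python model in which postscreen counts a connection only until hand-off, while the smtpd-side count lasts until the session ends. The limit of 3, the addresses, the 6-second screening time and the assumption that a previously passed client is handed off immediately are all constructed for illustration.

```python
import heapq
from collections import Counter
from itertools import count

END, HANDOFF, ARRIVE = 0, 1, 2  # same-instant ordering: free slots first

def simulate(conns, limit):
    """conns: (client, t_connect, screen_secs, session_secs or None).
    screen_secs  = time spent inside postscreen (pregreet wait, DNSBL lookups).
    session_secs = None means postscreen's tests block the client (no hand-off).
    Returns a Counter of connections refused by each per-client limit."""
    seq = count()  # tie-breaker so heap tuples never compare past this field
    heap = [(t, ARRIVE, next(seq), c, scr, ses) for c, t, scr, ses in conns]
    heapq.heapify(heap)
    in_postscreen, in_smtpd, refused = Counter(), Counter(), Counter()
    while heap:
        t, kind, _, client, scr, ses = heapq.heappop(heap)
        if kind == ARRIVE:
            if in_postscreen[client] >= limit:
                refused["postscreen"] += 1
            else:
                in_postscreen[client] += 1
                heapq.heappush(
                    heap, (t + scr, HANDOFF, next(seq), client, scr, ses))
        elif kind == HANDOFF:
            in_postscreen[client] -= 1  # postscreen stops counting here
            if ses is None:
                continue                # blocked by tests, never reaches smtpd
            if in_smtpd[client] >= limit:
                refused["smtpd"] += 1
            else:
                in_smtpd[client] += 1
                heapq.heappush(
                    heap, (t + ses, END, next(seq), client, scr, ses))
        else:
            in_smtpd[client] -= 1       # session ended, slot is free again
    return refused

# Constructed inputs (documentation addresses, invented timings).
# "Hit and run" bot: six connections at once, all held 6 s in postscreen.
BOT_BURST = [("192.0.2.10", 0, 6, None)] * 6
# Bulk sender assumed to have passed postscreen earlier: handed off at once,
# one new connection per second, each session lasting 60 s.
BULK_SENDER = [("198.51.100.7", t, 0, 60) for t in range(6)]

if __name__ == "__main__":
    print("bot burst  :", dict(simulate(BOT_BURST, limit=3)))
    print("bulk sender:", dict(simulate(BULK_SENDER, limit=3)))
```

In this model the burst is capped by the postscreen count while the connections wait out screening, and the bulk sender is capped only by the smtpd-side count, since its connections never accumulate inside postscreen.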