On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote:

> On 7/23/2012 4:16 PM, CSS wrote:
> 
>> I'd like to take some measures to limit what an authenticated sender can do 
>> but not limit legitimate use.
> 
> See:
> http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
> 
> You would apply this to your submission service, e.g.:
> 
> 587      inet  n       -       n       -       -       smtpd
>       -o smtpd_enforce_tls=yes
>       -o smtpd_sasl_auth_enable=yes
>       -o smtpd_client_connection_rate_limit=1
> 
> This limits spammers and legit users to 1 msg/min, 60 msgs per hour.
> Postfix is not psychic.
> 
> This may be a problem for roaming users who send batches of mails when
> they get a connection--10 msgs takes 10 minutes.  Thus, as with
> anything, some analysis and [re]tuning will be required.  If you trust
> some users to never have their acct compromised, you can always create
> multiple submission services on different ports and have different
> limits for different sets of users, or even no limits for some.
> 
> Not a perfect solution, but better than what you have now.

I'm looking at "policyd2/cluebringer" as well, but it's non-intuitive to say 
the least.  Install is easy, hooking in to postfix is easy, but there's a huge 
lack of howto docs on configuring the actual policies for specific use cases.  
The quota module looks great, but getting data into the config to delineate 
internal vs. external domains (and what about a sasl-authenticated user sending 
from another domain?) is quite challenging.  If I can cobble this thing 
together, the quota module offers things like messages per day or per hour, 
which is a fairly reasonable way to restrict customers.

Are there any other specific policy daemons I've missed that deal explicitly 
with rate-limiting?

It seems like the internet as a whole would certainly benefit from a dead-simple 
policy daemon that could thwart the attempts of spammers using hijacked 
credentials to spew their junk.

Thanks,

Charles

> 
> -- 
> Stan
> 
