On 8/5/2013 7:15 AM, Charles Marcus wrote:
> On 2013-08-04 7:30 PM, wie...@porcupine.org (Wietse Venema)
> <wie...@porcupine.org (Wietse Venema)> wrote:
>> Charles Marcus:
>>>> We are set up for performance with VRFY probes and by modifying
>>>> your postfix config file so postfix will not have a performance
>>>> issue by setting postfix option smtpd_soft_error_limit to be larger
>>>> than smtpd_hard_error_limit.
>>
>> That is nonsense, as demonstrated below:
>>
>> # postconf smtpd_hard_error_limit=1 smtpd_soft_error_limit=2
>> # postfix reload
>> # telnet 127.0.0.1 smtp
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 hades.porcupine.org ESMTP Postfix
>> hello foo
>> 502 5.5.2 Error: command not recognized
>> 421 4.7.0 hades.porcupine.org Error: too many errors
>> Connection closed by foreign host.
>>
>> These people never tested this recommendation, just like they
>> never tested their software against Postfix or else they would
>> have been aware of the smtpd_junk_command_limit feature.
>>
>> It should be safe to dumb down Postfix defenses, provided that
>> no-one else can connect to your SMTP server.
>
> Thanks Wietse,
>
> After your hint I read up on this command at:
>
> http://www.postfix.org/STRESS_README.html#legacy
>
> but I'm still unsure how to implement this properly to address this
> particular issue...
>
> Would it be to lower the junk setting to 1? Would I also need to
> lower the others (timeout and hard_error_limit)? Or maybe use
> different values?

Set those three limits to 100 or higher. Those controls are
intended to prevent random clients from wasting your time. Since
you don't allow connections from random clients, it's safe to
increase them.

# main.cf
smtpd_hard_error_limit = 100
smtpd_soft_error_limit = 100
smtpd_junk_command_limit = 100

>
>> However given the poor quality assurance with respect to Postfix,
>> I would be suspicious about the quality assurance of their code.

I'm guessing their advice assumed you use the default setting for
smtpd_hard_error_limit. I'm also willing to accept that they could
offer effective filtering services even if they aren't postfix
experts.

  -- Noel Jones
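
How the three limits discussed in this thread interact, as an added example that is not part of either poster's message and is not Postfix code: a simplified Python model of the per-session error counter, run over constructed VRFY probe sessions. The (verb, rejected) session format, the function names and the exact comparison at each threshold are assumptions of the model, chosen to match the telnet transcript quoted above.

```python
# Added example: simplified model of Postfix smtpd per-session error accounting.
# Threshold comparisons are assumptions chosen to match the transcript above
# (hard limit 1 -> disconnect on the first error); real smtpd may differ by one.
JUNK = {"NOOP", "VRFY", "ETRN", "RSET"}   # commands counted by smtpd_junk_command_limit

def run_session(commands, hard=20, soft=10, junk=100):
    """commands: list of (verb, rejected) pairs; rejected=True means a 4xx/5xx reply.

    Returns (outcome, commands_handled, delayed_replies).
    Defaults are the documented non-stress Postfix defaults.
    """
    errors = junk_seen = delayed = 0
    for handled, (verb, rejected) in enumerate(commands, start=1):
        if verb.upper() == "QUIT":
            return ("quit", handled, delayed)
        if rejected:
            errors += 1                      # unknown command, rejected VRFY, ...
        elif verb.upper() in JUNK:
            junk_seen += 1
            if junk_seen > junk:             # junk allowance used up
                errors += 1
        if errors >= hard:
            return ("421 too many errors", handled, delayed)
        if errors > soft:
            delayed += 1                     # reply slowed by smtpd_error_sleep_time
    return ("open", len(commands), delayed)

def vrfy_probes(count, unknown_every=0):
    """Constructed probe session: every Nth VRFY names an unknown recipient."""
    return [("VRFY", bool(unknown_every) and i % unknown_every == 0)
            for i in range(1, count + 1)]

if __name__ == "__main__":
    scenarios = {
        "transcript (hard=1, soft=2)": ([("hello", True)], dict(hard=1, soft=2)),
        "defaults, 1 in 3 unknown":    (vrfy_probes(90, 3), {}),
        "stress (hard=1, junk=1)":     (vrfy_probes(90), dict(hard=1, junk=1)),
        "raised to 100":               (vrfy_probes(90, 3), dict(hard=100, soft=100, junk=100)),
    }
    for name, (cmds, limits) in scenarios.items():
        print(f"{name:30} -> {run_session(cmds, **limits)}")
```

In the first scenario the soft limit is never reached because the hard limit ends the session first, which is what the quoted transcript shows.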