I run this combination (postfix & iptables):

smtpd_soft_error_limit = ${stress?1}${stress:3}
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_delay_reject = ${stress?no}${stress:yes}
smtpd_client_connection_count_limit = ${stress?3}${stress:6}
smtpd_client_connection_rate_limit = ${stress?30}${stress:60}
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
postscreen_greet_wait = ${stress?1}${stress:8}s

iptables -A INPUT -p tcp --syn -m multiport --dports 25,465,587 ! -i lo -m state --state NEW -m connlimit --connlimit-above 25 -j DROP
iptables -A INPUT -p tcp --syn -m multiport --dports 25,465,587 ! -i lo -m state --state NEW -m connlimit --connlimit-above 50 --connlimit-mask 24 -j DROP
iptables -A INPUT -p tcp --syn -m multiport --dports 25,465,587 ! -i lo -m state --state NEW -m connlimit --connlimit-above 250 --connlimit-mask 16 -j DROP
iptables -A INPUT -p tcp --syn -m multiport --dports 25,465,587 ! -i lo -m state --state NEW -m connlimit --connlimit-above 500 --connlimit-mask 8 -j DROP


In addition, I customized fail2ban to block any IP that bothers my eyes in
mail.log.


-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Martin Vegter
Sent: Thursday, June 26, 2014 11:26 AM
To: postfix-users@postfix.org
Subject: error_limits fine tuning

Hello,
I am wondering why the default error limits in Postfix are set so high:

    smtpd_soft_error_limit (default: 10)
    smtpd_hard_error_limit (default: 20)

I have changed them to "3" and "${stress?1}${stress:5}" respectively, and my
servers are still being flooded with "relay access denied".

I am wondering whether it is advisable to lower the limits still. I am
asking, because when I analyze my logs, I only see spammers being
disconnected due to errors.

Are there cases where legitimate users make many errors?
What if I set the error limits very low:

    smtpd_soft_error_limit=1
    smtpd_hard_error_limit=3

Would that have unintended consequences?

And speaking of "relay access denied", what is the recommended way to fight
"relay access denied" attacks?

I would be happy if other people could share their experience.

Thanks,
Martin
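
Added example, not part of the original thread: a sketch of the log analysis the question describes, counting "Relay access denied" rejections per SMTP session to show which clients a proposed error limit would disconnect. The log lines are constructed, the function names are hypothetical, and it counts only relay denials, whereas Postfix counts every error a client makes in a session.

```python
import re

# Constructed sample in Postfix smtpd log format (documentation IP ranges).
_DENY = ": 554 5.7.1 <a@other.example>: Relay access denied; from=<x@spam.example>"
SAMPLE_LOG = [
    "Jun 26 11:20:00 mx postfix/smtpd[2101]: connect from unknown[203.0.113.5]",
    "Jun 26 11:20:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]" + _DENY,
    "Jun 26 11:20:01 mx postfix/smtpd[2102]: connect from pc.example[198.51.100.7]",
    "Jun 26 11:20:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]" + _DENY,
    "Jun 26 11:20:02 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from pc.example[198.51.100.7]" + _DENY,
    "Jun 26 11:20:03 mx postfix/smtpd[2102]: disconnect from pc.example[198.51.100.7]",
    "Jun 26 11:20:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]" + _DENY,
    "Jun 26 11:20:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]" + _DENY,
    "Jun 26 11:20:04 mx postfix/smtpd[2101]: disconnect from unknown[203.0.113.5]",
    "Jun 26 11:20:05 mx postfix/smtpd[2103]: connect from mail.example[192.0.2.10]",
    "Jun 26 11:20:06 mx postfix/smtpd[2103]: disconnect from mail.example[192.0.2.10]",
]

# One smtpd process serves one connection at a time, so the PID keys a session.
EVENT = re.compile(
    r"postfix/smtpd\[(\d+)\]: "
    r"(connect from|disconnect from|NOQUEUE: reject: RCPT from) "
    r"\S+\[([^\]]+)\](.*)"
)

def sessions(lines):
    """Return (client_ip, relay_denials) for every SMTP session in the log."""
    live, done = {}, []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        pid, kind, ip, rest = m.groups()
        if kind == "connect from":
            live[pid] = [ip, 0]
        elif kind == "disconnect from":
            done.append(tuple(live.pop(pid, [ip, 0])))
        elif "Relay access denied" in rest and pid in live:
            live[pid][1] += 1
    done.extend(tuple(v) for v in live.values())  # sessions still open at end of log
    return done

def clients_over(session_list, limit):
    """Client IPs with at least one session that reached `limit` relay denials."""
    return sorted({ip for ip, n in session_list if n >= limit})

if __name__ == "__main__":
    for limit in (1, 3, 5):
        print(limit, clients_over(sessions(SAMPLE_LOG), limit))
```

Run against a real mail.log, the output for several candidate limits shows whether any client other than the flooding ones would be cut off at a lower setting.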
