On 9/24/2015 3:28 AM, Thomas Keller wrote:
> I am using Postfix as personal mailserver, with very light traffic.
> 
> I do, however, get a lot of open-relay attacks.
> Often, these attacks come in bursts, tens of attacks within a couple of
> seconds, from the same IP.
> 
> Would this situation be a good use of "rate_limits"?
> 
> Any suggestion how I should fine-tune the limits?
> Would the following settings make sense?
> 
> anvil_rate_time_unit                    = 60s
> smtpd_client_connection_rate_limit      = 10
> smtpd_client_message_rate_limit         = 10
> smtpd_client_new_tls_session_rate_limit = 10
> smtpd_client_recipient_rate_limit       = 10
> 
> Can somebody with more experience advise, please?
> 
> thanks
> Thomas
> 


We can't give you specific advice for what numbers to use, but the
goal is that *legit* clients should never trigger the limits,
otherwise horribly long message delays may occur.

Those seem like awfully low limits, but if your legit mail load
never exceeds that, I suppose it's OK.

The other thing to consider is that Postfix is well protected from
abuse, especially if you use the postscreen feature, and can easily
handle hundreds of rejects per second without overtaxing modest
hardware.  So sometimes the best thing to do is nothing.



  -- Noel Jones
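
Added example, not part of the original thread and not Postfix code: one way to check whether legitimate clients would ever hit a proposed `smtpd_client_connection_rate_limit` is to measure each client's peak connection count per time unit from the smtpd `connect from` log lines. The log lines, host names, the year and the sliding-window counting (an approximation of how anvil counts) are assumptions made for this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (traditional syslog format, documentation IPs):
# a burst of 12 connects in 12 seconds, plus one well-behaved client.
SAMPLE_LOG = "\n".join(
    [f"Sep 24 03:28:{s:02d} mx postfix/smtpd[2101]: "
     "connect from unknown[203.0.113.7]" for s in range(1, 13)] +
    [f"Sep 24 03:{m:02d}:00 mx postfix/smtpd[2102]: "
     "connect from mail.example.net[198.51.100.25]" for m in (5, 20, 21)])

CONNECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S+\[([0-9A-Fa-f.:]+)\]")


def peak_rates(log_text, window_s=60, year=2015):
    """Return {client_ip: max connections seen in any window_s-second span}.

    window_s corresponds to anvil_rate_time_unit. Syslog timestamps carry
    no year, so one is assumed.
    """
    recent = defaultdict(deque)   # per-client timestamps inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        # Drop connections that fell out of the window ending at ts.
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def would_trigger(peaks, limit):
    """Clients whose observed peak exceeds the proposed limit."""
    return sorted(ip for ip, n in peaks.items() if n > limit)


if __name__ == "__main__":
    peaks = peak_rates(SAMPLE_LOG)
    print(peaks, would_trigger(peaks, limit=10))
```

Run over a few weeks of real logs, any known-legitimate address returned by `would_trigger` means the proposed limit is too low for that client.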
