Hi Sebastian,

I have multiple applications lined up to use the service and a couple of them are quite capable of generating bulk mail (e.g. Moodle forums with six thousand enrolled students in a course). These applications are built and managed by multiple teams and consequently I cannot exercise a lot of control on how they generate emails at the source.

I have not received any other instructions from Amazon besides ensuring we don't send more than 14 emails per second to SES. I will still confirm with the Amazon representative about using a rate limiter. Thank you for bringing this possible issue to notice.

On Thursday 30 June 2016 12:59 PM, Sebastian Nielsen wrote:
> I think Amazon will detect this type of behaviour, e.g. accepting unlimited
> rate, and then "squeezing" it through Amazon's rate limit system. It's
> possible because there are timestamps and other information that can be used
> to deduce if a mail has been put through an automatic rate limiter to bypass a
> manual rate limit requirement.
>
> That's why Amazon doesn't automatically rate-limit your mail themselves like
> many ISP systems do. I guess they would limit your account or detect too high
> a rate and then outright reject the mail instead. And this means they can even
> detect this type of behavior, by checking timestamps and then seeing that the
> mails were created at a rate of more than 14 per second, but then trickled
> through the rate system.
>
> 14 mails per second is an astronomical, extremely high rate. Not even a
> standard password reset system for a fairly popular site will come up to those
> types of rates. Yeah, a mailing list comes up to these rates naturally, but
> Amazon has policies against mailing lists run from their resources too.
>
> I think Amazon wants you to use other limits to prevent producing mails at a
> higher rate than 14 per second. E.g. rate limit at the source.
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On behalf of Rohit Shriwas
> Sent: 30 June 2016 09:11
> To: postfix-users@postfix.org; postfix-users@postfix.org
> Subject: Configuration for rate limited Amazon SES relay [invalid signature!]
>
> Hello everyone,
>
> I have an account with Amazon SES for use by multiple services. However,
> Amazon requires me to limit the rate at which emails are dispatched to
> 14 per second. To this end, I've set up an SMTP relay using Postfix with the
> intent of rate limiting email dispatch locally before attempting to connect
> to SES. I _think_ I've got it right but I would really appreciate opinions,
> and possible corrections from the community as well.
>
> Here is the configuration I have right now, I think it should limit outgoing
> mail to 10 per second. Please advise.
>
> ##### Postfix MTA configuration for Amazon SES relay #####
>
> # SMTP Client Configuration
> smtp_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>
> smtp_tls_ciphers = high
> smtp_tls_security_level = verify
> smtp_tls_mandatory_ciphers = high
>
> # Amazon SES Relay SASL Auth
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_tls_security_options = noanonymous
> relayhost = [email-smtp.us-east-1.amazonaws.com]:587
>
> # Concurrency and rate limits
> default_destination_rate_delay = 1s
> default_destination_concurrency_failed_cohort_limit = 10
> default_destination_recipient_limit = 1
>
> # SMTPD Server Configuration
> smtpd_tls_ciphers = high
> smtpd_tls_cert_file = /etc/postfix/ssl/sslcert.__comodo-chain.crt
> smtpd_tls_key_file = /etc/postfix/ssl/sslcert.__comodo.key
> smtpd_tls_CAfile = $smtp_tls_CAfile
> smtpd_tls_security_level = encrypt
> smtpd_tls_mandatory_ciphers = high
> message_size_limit = 2000000
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
>
> smtpd_relay_restrictions =
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     permit_auth_destination,
>     permit_sasl_authenticated,
>     reject
>
> smtpd_etrn_restrictions = permit_auth_destination, reject