On 3 January 2017 at 12:37, Gerben Wierda <gerben.wie...@rna.nl> wrote:
> My postfix MTA has been under a lot of DOS-like attention. Such as a botnet
> sending many EHLO-requests, then password attempts:
>
> First a lot of:
> 2017-01-03 10:09:54.964765+0100 0x6254a9 Info 0x0 12992 smtpd: connect from unknown[95.183.220.2]
> ...
>
> This was actually DOS-like, 10 per second, my clients had trouble reaching my
> own mail server. Later it first slowed down to 1 per second (from another IP):
>
> 2017-01-03 10:59:00.110590+0100 0x62947e Info 0x0 14260 smtpd: connect from unknown[66.150.135.9]
> ...
>
> Then after a while a lot of:
> 2017-01-03 10:59:16.760758+0100 0x629537 Info 0x0 14264 smtpd: connect from unknown[66.150.135.9]
> ...
>
> It does the first part from a multitude of machines.
>
> I want to stop this by setting a rate-limiting rule in my firewall. I was
> wondering what rate to set if I want to limit access by the same IP. The
> first pattern I could stop by rate-limiting to maximally 3 per second or 180
> per minute. That is already pretty high. What MTA is going to send me 180 per
> minute and still be legit?
>
> So, because I do not want to lose valid stuff (though there is a backup mail
> server), I was wondering what a good rate limit is to prevent these kinds
> of attacks.
For a smallish server maybe some of the settings below might help you. More info at http://www.postfix.org/TUNING_README.html and of course http://www.postfix.org/postconf.5.html.

Seems to me that even if these settings were to affect a legit sender adversely, and assuming the backup mail server was down, the legit sender should just try again later, so your clients should never fail to receive legit mails - just the emails might (in theory) take a bit longer to reach them. Others may have different/better suggestions.

    smtpd_client_connection_count_limit = 10
    smtpd_client_connection_rate_limit = 30
    smtpd_error_sleep_time = 3s
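As an added example (not code from the thread or from Postfix): a script that parses "connect from" lines in the layout Gerben quoted and reports, per client IP, the highest number of connects seen in any 60-second window, so a candidate value for smtpd_client_connection_rate_limit can be checked against real traffic before it goes into main.cf. The 60-second window matches Postfix's default anvil_rate_time_unit, the unit that limit is counted in; the sample log, the host mx.example.org and the IP 192.0.2.10 are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Matches the smtpd "connect from" lines quoted in the thread (macOS unified-log layout).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}) .*"
                     r"smtpd: connect from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]")

def parse_connects(lines):
    """Yield (timestamp, client_ip) for every smtpd 'connect from' line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f%z"), m.group("ip")

def peak_rate(events, window_seconds=60):
    """Per client IP: the most connects in any sliding window of window_seconds
    (60 s = Postfix's default anvil_rate_time_unit, in which the rate limit is counted)."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() >= window_seconds:
                start += 1          # drop events that fell out of the window
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def clients_over_limit(peaks, limit):
    """IPs that would be refused with smtpd_client_connection_rate_limit = limit."""
    return sorted(ip for ip, n in peaks.items() if n > limit)

CET = timezone(timedelta(hours=1))  # the +0100 offset in the quoted log

def _line(ts, ip, host="unknown"):
    return f"{ts.strftime('%Y-%m-%d %H:%M:%S.%f%z')} 0x6254a9 Info 0x0 12992 smtpd: connect from {host}[{ip}]"

def sample_log():
    """Constructed log: the two patterns from the thread plus one legitimate relay."""
    base = datetime(2017, 1, 3, 10, 9, 54, tzinfo=CET)
    flood = [_line(base + timedelta(seconds=i / 10), "95.183.220.2") for i in range(600)]  # 10/s
    slow = [_line(base + timedelta(seconds=i), "66.150.135.9") for i in range(60)]         # 1/s
    legit = [_line(base + timedelta(seconds=20 * i), "192.0.2.10", "mx.example.org") for i in range(3)]
    return flood + slow + legit
```

Running `clients_over_limit(peak_rate(parse_connects(sample_log())), 30)` against the constructed log flags both attacking IPs and leaves the three-connects-per-minute relay alone; feed it real log lines instead of sample_log() to see which of your own senders a given limit would touch.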