TL;DR: Can I reject incoming connections directly in Postfix at a very early stage, way before HELO/EHLO handling? Right after receiving a new TCP connection? Preferably not just REJECTing but DROPing, so the other side doesn't even know it is ignored.

Long story:

I have a system with pretty limited resources running in an environment where I cannot use kernel-level firewalling.

Because I am low on resources I have to limit the total number of smtp connections to 8 in master.cf. Raising this value to anything below 100 wouldn't solve the problem; instead I would like to lower this if I can fix the following problem:

There are some nasty systems hammering my smtp ports with 5-20 connections per second. They connect, take forever to time out and reconnect again and again and again and again and again. So all my smtp connections are used up all the time and regular mail takes forever to get through.

Guesswork: From what I see, even smtpd_helo_restrictions doesn't quickly get rid of the connections; my 8 smtp connections seem to be occupied by these at least 99%. netstat -an | grep "\:25" | wc -l even shows 15-20 sessions, though I guess these aren't exactly fully qualified connections.???

Like I said, no kernel-based firewall, very limited resources.

What is the lowest-resource way of getting rid of this?

Christian Brandt
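
Added example, not part of the original post: the netstat count quoted above mixes several kinds of sockets, so this sketch splits port-25 sockets by TCP state and counts handshake-complete sessions per remote address. It assumes the Linux net-tools column layout for netstat -an; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise sockets whose LOCAL port is 25 from `netstat -an` style input.
# Output: "state <STATE> <count>" and "peer <remote-ip> <count>" lines.
smtp_summary() {
    awk '
        # Columns assumed: proto recv-q send-q local-addr foreign-addr state
        $1 ~ /^tcp/ && $4 ~ /:25$/ {
            state[$6]++
            if ($6 == "ESTABLISHED") {
                peer = $5
                sub(/:[0-9]+$/, "", peer)    # drop the remote port
                per_peer[peer]++
            }
        }
        END {
            for (s in state)    printf "state %s %d\n", s, state[s]
            for (p in per_peer) printf "peer %s %d\n", p, per_peer[p]
        }
    ' | sort
}

# Constructed sample input (documentation address ranges), not real data.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40113      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40114      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.5:51200       ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40090      TIME_WAIT
tcp        0      0 192.0.2.10:25           198.51.100.7:40091      TIME_WAIT
tcp        0      0 192.0.2.10:2525         203.0.113.9:33000       ESTABLISHED
tcp        0      0 192.0.2.10:48122        203.0.113.20:25         ESTABLISHED
EOF
}

# A plain grep for ":25" counts all nine sample lines, including the
# listener, TIME_WAIT entries, port 2525 and an outbound delivery.
sample_netstat | smtp_summary
```

On a live host, pipe the real output through the function: netstat -an | smtp_summary.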
