Viktor Dukhovni:

> On Wed, Aug 11, 2021 at 09:48:24AM +1000, raf wrote:
>
> > If you want postfix to reject a connection immediately
> > after the first SMTP protocol error it encounters,
> > without the need to construct in advance a list of all
> > possible errors, just set smtpd_hard_error_limit = 0.
> >
> > http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit
> > (Immediately underneath smtpd_forbidden_commands)
>
> Careful there, the documentation is perhaps slightly misleading, it says
> "disconnects when the limit is exceeded", but it is in fact when the
> limit is reached. The Postfix smtpd(8) server requires the limit to be
> at least 1.
smtpd_hard_error_limit and smtpd_forbidden_commands are tools to drop
connections from bad clients, but they have different levels of false
positives.

smtpd_hard_error_limit does not distinguish between protocol error,
dictionary attack (bad auth, user unknown) or other error. There will be
false positives when you set a permanent low limit. By default, Postfix
uses an error limit of 1 only temporarily, under conditions of overload.
Good clients are expected to come back later.

In contrast, smtpd_forbidden_commands targets specific protocol
violations (HTTP, headers), therefore it can disconnect immediately
without risk of false positives.

	Wietse
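To make the false-positive difference concrete, here is an added toy model of one smtpd(8) session (not code from this thread or from Postfix itself): every 5xx reply counts toward smtpd_hard_error_limit and the client is dropped when the limit is reached, whereas smtpd_forbidden_commands only fires on a non-SMTP verb. The recipient table and the two client sessions are constructed; the error counting is a simplification of smtpd's, and only "CONNECT GET POST" (Postfix's default for smtpd_forbidden_commands) is taken from Postfix.

```python
from dataclasses import dataclass

# Postfix's default smtpd_forbidden_commands; everything else here is a toy model.
DEFAULT_FORBIDDEN = ("CONNECT", "GET", "POST")
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "RSET", "NOOP", "QUIT"}
KNOWN_USERS = {"alice"}            # constructed local recipient table


@dataclass
class Smtpd:
    """Toy model of one smtpd(8) session; counts errors the way the thread describes."""
    hard_error_limit: int = 20                     # Postfix default outside overload
    forbidden: frozenset = frozenset(DEFAULT_FORBIDDEN)
    errors: int = 0
    disconnected_by: str = ""

    def __post_init__(self):
        if self.hard_error_limit < 1:              # smtpd(8) requires the limit to be >= 1
            raise ValueError("smtpd_hard_error_limit must be at least 1")

    def command(self, line: str) -> str:
        if self.disconnected_by:
            return "closed"
        verb = line.split(None, 1)[0].upper() if line.split() else ""
        if verb in self.forbidden:
            # Non-SMTP verb (e.g. an HTTP probe): no legitimate MTA sends this,
            # so dropping at once carries no false-positive risk.
            self.disconnected_by = "smtpd_forbidden_commands"
            return "421"
        if verb == "RCPT":
            user = line.split(":", 1)[1].strip(" <>").split("@")[0]
            reply = "250" if user in KNOWN_USERS else "550"   # user unknown
        elif verb in SMTP_VERBS:
            reply = "250"
        else:
            reply = "500"                                       # syntax error
        if reply[0] == "5":
            # Protocol error, unknown user and bad auth all count the same here.
            self.errors += 1
            if self.errors >= self.hard_error_limit:            # reached, not exceeded
                self.disconnected_by = "smtpd_hard_error_limit"
                return "421"
        return reply


def run(lines, hard_error_limit=20):
    """Feed one client's commands to a fresh session; return (replies, disconnect reason)."""
    s = Smtpd(hard_error_limit=hard_error_limit)
    return [s.command(l) for l in lines], s.disconnected_by


# Constructed sessions: a real MTA that mistypes one recipient, and an HTTP probe.
GOOD_CLIENT = ["EHLO mx.example.org", "MAIL FROM:<bob@example.org>",
               "RCPT TO:<alcie@example.com>", "RCPT TO:<alice@example.com>"]
HTTP_PROBE = ["GET / HTTP/1.1"]
```

With a permanent limit of 1, run(GOOD_CLIENT, 1) drops the legitimate sender on its single typo, while run(GOOD_CLIENT) at the default limit returns a 550 and lets the session continue; run(HTTP_PROBE) is disconnected on the first line under either limit.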