On Wed, Oct 05, 2022 at 05:46:39PM +0200, juan smitt wrote:

> It's written in the doc that "smtpd_client_connection_count_limit" is
> about the number of simultaneous connections from a client, but it's
> also written that "It must not be used to regulate legitimate mail
> traffic."

In other words, apply connection count limits to clients that abuse your
service (botnets and spam sources), rather than to legitimate email
senders.

> If this is not the way, then how can one regulate the simultaneous
> connections from one client?  Is there a theoretical maximum?

There is at most one connection per smtpd(8) process, so the maximum
count is at most the process limit for smtpd(8) in master.cf (or
$default_process_limit if left unspecified, i.e. "-").

> Setting it to 0 means unlimited? ("To disable this feature, specify a
> limit of 0.") What side effects can be expected?

The default is 0.  Legitimate email senders are not expected to "hog"
your SMTP port disproportionately to the volume of mail they send you.
They would typically limit the connection count, at least per recipient
domain, if not per receiving IP address.

> Unfortunately the service (which is made of 4 servers) is behind a
> firewall which hides the real client IPs

That's usually a bad idea (i.e. don't do that).  If you're receiving
inbound email from the public Internet, I'd venture to say this is a
showstopper constraint.  If this is outbound traffic from trusted
(authenticated) clients, then perhaps you can get by.

> so these 4 servers see only 1 client (the firewall) and the expected
> mail count is 4+ million per day.

That's a steady, but not particularly high message rate.  I'd expect to
see peak rates of ~100 msgs/sec per server, which at a latency of
perhaps a couple of seconds (given good network connectivity) means a
couple of hundred concurrent connections.  So you may need a higher
than default smtpd(8) process limit.  At similar volumes, I've
had occasion to configure process limits around 900.


-- 
    Viktor.
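
Added example, not part of the original message: a small check that reads the smtpd(8) process limit out of master.cf (treating "-" as $default_process_limit) and compares it with the concurrency implied by a peak rate and session latency. The master.cf text is constructed, the function names are hypothetical, and the 2-second latency is an assumed reading of "a couple of seconds".

```python
import math

# Constructed sample master.cf, not taken from the thread.
SAMPLE_MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -      n      -      -       smtpd
  -o smtpd_client_connection_count_limit=0
submission inet  n       -      n      -      900     smtpd
pickup     unix  n       -      n      60     1       pickup
"""

DEFAULT_PROCESS_LIMIT = 100  # Postfix built-in value of default_process_limit


def smtpd_process_limits(master_cf, default_limit=DEFAULT_PROCESS_LIMIT):
    """Return {"service/type": effective process limit} for each smtpd(8) entry."""
    limits = {}
    for line in master_cf.splitlines():
        # Skip blank lines, comments, and continuation lines (leading whitespace).
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        maxproc = fields[6]
        # "-" means "use $default_process_limit"; 0 means no process count limit.
        limit = default_limit if maxproc == "-" else int(maxproc)
        limits[f"{fields[0]}/{fields[1]}"] = limit
    return limits


def needed_connections(peak_msgs_per_sec, seconds_per_session):
    """Little's law: concurrent sessions = arrival rate * time per session."""
    return math.ceil(peak_msgs_per_sec * seconds_per_session)


def undersized(master_cf, peak_msgs_per_sec, seconds_per_session):
    """Names of smtpd services whose process limit is below the expected concurrency."""
    need = needed_connections(peak_msgs_per_sec, seconds_per_session)
    return [name for name, limit in smtpd_process_limits(master_cf).items()
            if limit != 0 and limit < need]


if __name__ == "__main__":
    # Figures from the thread: ~100 msgs/sec peak per server, ~2 s per session.
    print(smtpd_process_limits(SAMPLE_MASTER_CF))
    print(needed_connections(100, 2), undersized(SAMPLE_MASTER_CF, 100, 2))
```

With the thread's figures, the entry left at "-" falls short of the roughly 200 concurrent sessions expected, while the one set to 900 does not.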
