On Wed, Aug 18, 2004 at 02:53:40AM +0800, Jason Wong wrote:
> If you're running qmail using tcpserver then block it using tcprules. What I
> have done is modify my qmail-scanner so that after scanning it checks whether
> there was a problem with the mail. Something like this:
Too right. I don't see any point with fiddling around with KERNEL LEVEL things like iptables, when there is an application that can do the same thing for you.
In fact, why not "do it right", and instead of blocking them with tcpserver, just let rblsmtpd deal with it.
i.e. using whatever your triggering condition is (that sounds like the hardest part to me to get right...), create a local RBL record with a limited lifespan. Then ensure you are using rblsmtpd, and that it points at your local RBL server as one of it's options.
The advantage with this approach would be that it would be more scalable (as it's a network call away, you can have >1 server making use of the data).
The downside is that may be more complex than you'd like (running your own RBL DNS server). Another option would be to set RBLSMTPD within tcpserver's rules file which makes rblsmtpd set reject messages appropriately.
Sees docs for details
-- Cheers
Jason Haar
Check this Patch to ucspi-tcp. I have been using since many months. http://linux.voyager.hr/ucspi-tcp/tcpserver-limits-2004-07-25.diff
Earlier I was using tcpserver-limits-2004-01-24.diff but upgraded it to the new version a few days back.
I must say it's a wonderful patch to fight against Virus laden Bombing IPs. Bravo, Matija Nalis for your wonderful patch.
Devendra Singh
------------------ README.tcpserver-limits-patch -------------------- 20040725 adds a sleep(1) before terminating (to prevent too high load from many rapid fork()/exit() calls. It also changes the method for checking system load to getloadavg(3) instead of parsing /proc/loadavg, therefore making it working on *BSD and other non-Linux systems in addition to Linux. It also adds DIEMSG="xxx" support.
20040327 fixes a bug in 20040124 related to MAXLOAD (it would not work correctly when load was higher than 10.00)
This patch (20040725) makes tcpserver from DJB's ucspi-tcp-0.88 package (see http://cr.yp.to/ucspi-tcp.html) to modify its behavior if some environment variables are present.
The variables can be preset before starting tcpserver (thus acting as default for all connections), or, if you use 'tcpserver -x xxx.cdb', they can be set (or overridden) from xxx.cdb. If none of the variables are set, tcpserver behaves same as non patched version (except for negligible performance loss). Any or all variables can be set, as soon as first limit is reached the connection is dropped. I'd recommend using .cdb files exclusively though, as you can then modify configuration without killing tcpserver.
The variables are:
(1) MAXLOAD
maximum 1-minute load average * 100. For example, if you have line
:allow,MAXLOAD="350"
in your rules file from which you created .cdb, the connection will be
accepted only if load average is below 3.50
For this variable to have effect, you have to have readable
'/proc/loadavg' with linux-2.4.x syntax (see the source)(2) MAXCONNIP
maximum connections from one IP address. tcpserver's -c flag defines
maximum number of allowed connections, but it can be abused if
just one host goes wild and eats all the connections - no other host
would be able to connect then. If you created your .cdb with:
:allow,MAXCONNIP="5"
and run tcpserver -c 50, then each IP address would be able to have at
most 5 concurrent connections, while there still could connect 50
clients total(3) MAXCONNC
maximum connections from whole C-class (256 addresses). Extension of
MAXCONNIP, as sometimes the problematic client has a whole farm of
client machines with different IP addresses instead of just one IP
address, and they all try to connect. It might have been more useful to
be able to specify CIDR block than C-class, but I've decided to KISS. for example tcpserver -c 200, and .cdb with:
:allow,MAXCONNC="15"
will allow at most 15 host from any x.y.z.0/24 address block, while
still allowing up to 200 total connections.(4) DIEMSG
if set and one of the above limits is exceeded, this is the message
to be sent to client (CRLF is always added to the text) before terminating
connection. If unset, the connection simply terminates (after 1 sec delay)
if limit is exceeded. For example:
DIEMSG="421 example.com Service temporarily not available, closing
transmission channel"Notes:
- if a connection is dropped due to some of those variables set, it will be flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you (eg. you have a strict log parsers), don't apply that chunk of the patch.
- the idea for this patch came from my previous experience with xinetd, and need to limit incoming bursts of virus/spam SMTP connections, since I was running qmail-scanner to scan incoming and outgoing messages for viruses and spam.
When you make changes, please check that they work as expected.
Examples (for tcprules created .cdb)
(a) 192.168.:allow,MAXLOAD="1000"
:allow,MAXCONNIP="3" this would allow any connection from your local LAN (192.168.*.*
addresses) if system load is less than 10.00. non-LAN connections would
be accepted only if clients from that IP address have not already opened
more than 2 connections (as your connection would be last allowed -- 3rd)(b) 192.168.:allow
5.6.7.8:allow,MAXCONNIP="3"
1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
:allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable" if client connects from 192.168.*.* (ex: your LAN), it is allowed.
if it connects from 5.6.7.8 (ex: little abusive customer of yours),
it is allowed unless there are already 3active connections from 5.6.7.8
to this service
if it connects from 1.2.*.* (ex: some problematic networks which caused
you grief in the past) it will connect only if load is less than 5.0,
there is less than 5 active connections from whole C class
(1.2.*.0/24), and if that specific IP address does not already have
connection open.
in all other cases, the client will be permitted to connect if load is
less than 10.00 and client has 2 or less connections open. If load is
higher than 10.00 or there are 3 or more connections open from this
client, the message "421 example.com unavailable" will be returned to
the client and connection terminated.
Any bugs introduced are my own, do not bother DJB with them. If you find any, or have neat ideas, or better documentation, or whatever, contact me.
the latest version of the patch can be found at: http://linux.voyager.hr/ucspi-tcp/
Enjoy, Matija Nalis, mnalis-tcpserver _at_ voyager.hr ------------------ README.tcpserver-limits-patch --------------------------
______________________________________________________
Devendra Singh
IndiaMART InterMESH Limited
(Global Gateway to Indian Market Place)
B-1, Sector 8, Noida, UP - 201301, India
EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342
Fax: +91-120-2424943
http://www.indiamart.com
http://www.indiangiftsportal.com
http://www.indiantravelportal.com
______________________________________________________
------------------------------------------------------- SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 _______________________________________________ Qmail-scanner-general mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
