Re: anvil statistics logging

Fourhundred Thecat skrev den 2019-10-23 05:56: statistics: max connection rate 1/60s for statistics: max connection count 1 for statistics: max message rate 1/60s for statistics: max recipient rate 1/60s statistics: max cache size Can I still use these limits, but suppress the statist

Re: anvil statsistics

On 05.10.17 12:28, Jorge Huerga wrote: Hi, there is any way, procedure or interface to ask anvil for the statistics that it uses to gather? it produces statistics for connection rate and connection count by default. I have set: smtpd_client_message_rate_limit=1000 smtpd_client_recipient_rate_l

Re: anvil statsistics

Jorge Huerga: > Hi, there is any way, procedure or interface to ask anvil for the > statistics that it uses to gather? > > thanks in advance! If it is not promised in the anvil manpage, then it is not supported. Wietse

Re: anvil statistics log entry syntax

On Wed, Dec 10, 2014 at 03:49:18PM -0500, Wietse Venema wrote: > > Sure, but (perhaps I am missing something) "service:client" with > > "client" an "abbreviated" IPv6 address is subject to collisions > > when some services end in a numeric ":port" and others do not. > > There can be no TCP servic

Re: anvil statistics log entry syntax

Viktor Dukhovni: > On Wed, Dec 10, 2014 at 02:27:14PM -0500, Wietse Venema wrote: > > > In the ``service:client'' counter ID, the service is the name in > > the master.cf first column. The anvil service does not require that > > this has a port (but TCP does). > > Sure, but (perhaps I am missing

Re: anvil statistics log entry syntax

On Wed, Dec 10, 2014 at 02:27:14PM -0500, Wietse Venema wrote: > In the ``service:client'' counter ID, the service is the name in > the master.cf first column. The anvil service does not require that > this has a port (but TCP does). Sure, but (perhaps I am missing something) "service:client" wit

Re: anvil statistics log entry syntax

Viktor Dukhovni: > On Wed, Dec 10, 2014 at 01:26:42PM -0500, Wietse Venema wrote: > > > The anvil service stores information under a key of service:client. > > Apparently, your master.cf service is [2001:1470:ff80::25]:10088, > > and in this case the client is 2001:1470:ff80:88::80:c. > > What if

Re: anvil statistics log entry syntax

On Wed, Dec 10, 2014 at 01:26:42PM -0500, Wietse Venema wrote: > The anvil service stores information under a key of service:client. > Apparently, your master.cf service is [2001:1470:ff80::25]:10088, > and in this case the client is 2001:1470:ff80:88::80:c. What if Mark also had a service entry

Re: anvil statistics log entry syntax

Mark Martinec: > Just came across the following logged message which failed to be parsed > by our log parser: > > postfix/anvil[29988]: statistics: max message rate 4/60s for > ([2001:1470:ff80::25]:10088:2001:1470:ff80:88::80:c) at Dec 8 19:26:44 > > Btw, 10088 is a port number, not part of an

Re: anvil

On 25/07/2012 23:00, Stan Hoeppner wrote: On 7/25/2012 8:02 AM, Tom Kinghorn wrote: I am trying to gets stats so that I can tweak: smtpd_client_connection_rate_limit smtpd_client_message_rate_limit smtpd_client_recipient_rate_limit Or you could use postfwd. But in practice I don't see wh

Re: anvil

On 7/25/2012 8:02 AM, Tom Kinghorn wrote: > I am receiving massive amounts of incoming mail (freakin status updates) > from facebookmail.com and was hoping to check the connection rate via > anvil in the logs. > However, there are no suck entries in the log. > I am trying to gets stats so that I

Re: anvil

Tom Kinghorn: > Good afternoon > > Apologies for the question but it is baffling me. > does Anvil record all connections? As documented anvil counts the events within a time window. Once the end of the time window is reached, the counters are reset to zero and the next time window begins. > I am

Re: anvil errors

On Tue, 2010-12-07 at 19:49:53 -0500, Jack wrote: > I am getting the following anvil errors, but thought that I was using > anvil to control spamassasin performance. > > I disabled spamassasin recently and commented out anvil and other > settings which were thought to be to support spamassasin.

Re: anvil stats/restictions based on SASL username?

Wietse Venema: > > This got me wondering if there's any easy way to have anvil report > > stats based on the authenticated SASL username, in addition to the > > remote IP address? > > Not at the moment, but a policy daemon could notice that (too) many > connections use the same sasl_username attri

Re: anvil stats/restictions based on SASL username?

On 27/10/10 02:21, Cassidy Larson wrote: > This got me wondering if there's any easy way to have anvil report > stats based on the authenticated SASL username, in addition to the > remote IP address? > > This would help me prevent/monitor potential addresses that are being > used by a botnet system

OT: Re: anvil stats/restictions based on SASL username?

> Cassidy Larson: >> We had an incident today where we had a user with a compromised >> machine. Their email/pass made it back to some botnet which proceeded >> to SASL auth to our mail servers and send numerous spam messages from >> many different hosts. The spamming hosts didnt trigger our >> sm

Re: anvil stats/restictions based on SASL username?

Cassidy Larson: > We had an incident today where we had a user with a compromised > machine. Their email/pass made it back to some botnet which proceeded > to SASL auth to our mail servers and send numerous spam messages from > many different hosts. The spamming hosts didnt trigger our > smtpd_clie

Re: Anvil logs explained

* Erik Logtenberg : > Hi, > > I have a small question about anvil: every now and then it logs three > lines about statistics. I don't quite understand what they mean. This is > an example: > > 1/60s for (mx.mydomain.eu:smtp:168.100.1.7) at Mar 17 00:27:28 > Mar 17 00:30:49 mx postfix/anvil[28510]

Re: Anvil Syntax ?

Steve: > Hi, > > I'm running through the brilliant 'Book of Postfix' and running into > some confusion with anvil/rate control - specifically syntax. around > page 384 > > smtpd_client_connection_limit_exceptions = > smtpd_client_connection_rate_limit = 3 > smtpd_client_connection_count_limit =

Re: Anvil Syntax THANKS

On Wed, 2009-06-24 at 11:07 +0200, Ralf Hildebrandt wrote: > * Steve : > > > smtpd_client_event_limit_exceptions = my_networks > > smtpd_client_event_limit_exceptions = $mynetworks > > > or > > > > smtpd_client_event_limit_exceptions = my_networks, 1.2.3.4, 5.6.7.8 > > smtpd_client_event_lim

Re: Anvil Syntax ?

* Steve : > smtpd_client_event_limit_exceptions = my_networks smtpd_client_event_limit_exceptions = $mynetworks > or > > smtpd_client_event_limit_exceptions = my_networks, 1.2.3.4, 5.6.7.8 smtpd_client_event_limit_exceptions = $mynetworks, 1.2.3.4, 5.6.7.8 > and that will be good? Yep You

Re: Anvil Syntax ?

On Wed, 2009-06-24 at 10:59 +0200, Ralf Hildebrandt wrote: > * Ralf Hildebrandt : > > > > Which makes me wonder what the right syntax should be. Has the syntax > > > changed since the box was produced or is it going to change in the near > > > future? > > > > The former. The concept stays the sam

Re: Anvil Syntax ?

* Ralf Hildebrandt : > > Which makes me wonder what the right syntax should be. Has the syntax > > changed since the box was produced or is it going to change in the near > > future? > > The former. The concept stays the same, though. Reason: When the book was written, anvil was only in the snap

Re: Anvil Syntax ?

* Steve : > Hi, > > I'm running through the brilliant 'Book of Postfix' and running into > some confusion with anvil/rate control - specifically syntax. around > page 384 > > smtpd_client_connection_limit_exceptions = > smtpd_client_connection_rate_limit = 3 > smtpd_client_connection_count_limit

Re: anvil

> On Thu, Jun 11, 2009 at 01:34:15PM +0100, Simon Jones wrote: > >> Thanks guys, fail2ban looks great - config is being a bitch though but >> i have anvil working now! > > Presumably as an anti-DoS service. It is not an anti-spam feature, > and should not be used that way. The anti-DoS use-case is

Re: anvil

On Thu, Jun 11, 2009 at 01:34:15PM +0100, Simon Jones wrote: > Thanks guys, fail2ban looks great - config is being a bitch though but > i have anvil working now! Presumably as an anti-DoS service. It is not an anti-spam feature, and should not be used that way. The anti-DoS use-case is to prevent

Re: anvil

2009/6/11 Simon Jones : > 2009/6/10 Ralf Hildebrandt : >> * Simon Jones : >> >>> This is the part I'm missing, how do I enable the shit flinger? >> >> You COULD use smtp_source >> >> OR >> >> your could set ridiculous low limits (1/60s) and then test it manually using >> telnet. >> >> Keep in mind

Re: anvil

2009/6/10 Ralf Hildebrandt : > * Simon Jones : > >> This is the part I'm missing, how do I enable the shit flinger? > > You COULD use smtp_source > > OR > > your could set ridiculous low limits (1/60s) and then test it manually using > telnet. > > Keep in mind, though: > smtpd_client_event_limit_e

Re: anvil

* Simon Jones : > This is the part I'm missing, how do I enable the shit flinger? You COULD use smtp_source OR your could set ridiculous low limits (1/60s) and then test it manually using telnet. Keep in mind, though: smtpd_client_event_limit_exceptions = $mynetworks so the test must be pe

Re: anvil

2009/6/10 Ralf Hildebrandt : > * Simon Jones : > >> > http://www.postfix.org/TUNING_README.html#conn_limit > >> ok thanks - I added those to main.cf > > What EXACTLY did you add? > >> but it still doesn't do anything, > > Of course it doesn't do anything per se! > > Shit needs to hit the fan before

Re: anvil

* Ralf Hildebrandt : > Shit needs to hit the fan before something happens. Did you throw enough > shit in the general direction of the fan to faicilitaty a hitting of the > fan? If the shit doesn't hit the fan, Postfix will log some info - in my case every 10 minutes: Jun 10 15:40:03 mail postfi

Re: anvil

* Simon Jones : > > http://www.postfix.org/TUNING_README.html#conn_limit > ok thanks - I added those to main.cf What EXACTLY did you add? > but it still doesn't do anything, Of course it doesn't do anything per se! Shit needs to hit the fan before something happens. Did you throw enough shi

Re: anvil

> I have postfix 2.3.3 installed and have just found some info on > Anvil(8) which looks like it should be good as part of my anti-spam implementation. I can see anvil in /usr/libexec/postfix/ but when i enable the config within main.cf smtpd_error_sleep_time = 1s and grep on maillog there's no e

Re: anvil

Simon Jones wrote: > ok thanks - I added those to main.cf but it still doesn't do anything, > I have googled - oooh yes I have googled something good but it still > doesn't make sense how to get postfix working with anvil, there's > plenty of info on config but how do i get pfx to pass info to anvi

Re: anvil

2009/6/10 Ralf Hildebrandt : > * Simon Jones : > >> > That does not enable anvil. > >> can you point me to some docs on how to do it perhaps?  would be much >> appreciated, this is something i cam across today so apologies for >> coming across as a complete noob... > > http://www.postfix.org/TUNING

Re: anvil

* Simon Jones : > > That does not enable anvil. > can you point me to some docs on how to do it perhaps? would be much > appreciated, this is something i cam across today so apologies for > coming across as a complete noob... http://www.postfix.org/TUNING_README.html#conn_limit -- Ralf Hildebr

Re: anvil

2009/6/10 Ralf Hildebrandt : > * Simon Jones : >> Hi folks, >> >> I have postfix 2.3.3 installed and have just found some info on >> Anvil(8) which looks like it should be good as part of my anti-spam >> implementation.  I can see anvil in /usr/libexec/postfix/ but when i >> enable the config withi

Re: anvil

* Simon Jones : > Hi folks, > > I have postfix 2.3.3 installed and have just found some info on > Anvil(8) which looks like it should be good as part of my anti-spam > implementation. I can see anvil in /usr/libexec/postfix/ but when i > enable the config within main.cf smtpd_error_sleep_time = 1

Re: anvil max connection count

Leutnant Steiner wrote: hm, ok i checked Mar 24 17:46:21 womdsp postfix/anvil[14773]: statistics: max connection count 1 for (smtp:194.121.2.5) at Mar 24 17:43:01 Mar 24 17:46:21 womdsp postfix/anvil[14773]: statistics: max cache size 1 at Mar 24 17:43:01 This is just an information message

Re: anvil max connection count

On Tuesday 24 March 2009 17:59:24 Leutnant Steiner wrote: > Mar 24 17:46:21 womdsp postfix/anvil[14773]: statistics: max connection > count 1 for (smtp:194.121.2.5) at Mar 24 17:43:01 > Mar 24 17:46:21 womdsp postfix/anvil[14773]: statistics: max cache size 1 > at Mar 24 17:43:01 > > this would be

Re: anvil max connection count

Leutnant Steiner wrote: > Mar 24 13:57:05 womdsp postfix/smtpd[12654]: A83409C8092: > client=m1smtp01.kmweg.de [194.121.2.5] > Mar 24 13:57:36 womdsp postfix/smtpd[12654]: disconnect from > m1smtp01.kmweg.de [194.121.2.5] > Mar 24 14:00:56 womdsp

Re: anvil max connection count

hm, ok i checked Mar 24 17:46:21 womdsp postfix/anvil[14773]: statistics: max connection count 1 for (smtp:194.121.2.5) at Mar 24 17:43:01 Mar 24 17:46:21 womdsp postfix/anvil[14773]: statistics: max cache size 1 at Mar 24 17:43:01 this would be a server which i would like to recieve mail from !

Re: anvil max connection count

On Tue, Mar 24, 2009 at 05:34:20PM +0100, Leutnant Steiner wrote: > i want to make sure everything is accepted by this mailserver, > > but sometimes an email still gets delivered to the old server wich is mx 20 > in dns now, i thought anvil-rejection is the cause. Postfix logs all rejected mail.

Re: anvil max connection count

i want to make sure everything is accepted by this mailserver, but sometimes an email still gets delivered to the old server wich is mx 20 in dns now, i thought anvil-rejection is the cause. thank you 2009/3/24 Victor Duchovni > On Tue, Mar 24, 2009 at 03:18:37PM +0100, Leutnant Steiner wrote:

Re: anvil max connection count

On Tue, Mar 24, 2009 at 03:18:37PM +0100, Leutnant Steiner wrote: > i'm a little confused about the effect of: > smtpd_client_connection_count_limit (default: 50) > smtpd_client_connection_rate_limit (default: 0)* What problem are you trying to solve? Are you confused by the logs, with default se

Re: anvil limiting for subnets

Ondrej Holecek: > hello, > > is there a possibility to limit connection count for whole subnet? > > when I have: > smtpd_client_connection_count_limit = 2 > > it limits each IP to max 2 connections, but when attacker has /24 > subnet, he can easily create 508 > connections If the attacker has a

Re: anvil - dynamical limits

Andre H?bner: > Hello, > > i try to find further infos for anvil-service and how to use it. > In my Maillogs i see some statistics written by anvil but i do not > understand the plan to use anvil to do a client based session/request > control. anvil is not a policy tool. It is a safty mechanism

Re: anvil and ip exclusions

http://www.postfix.org/postconf.5.html#smtpd_client_event_limit_exceptions -- Thanks, Jordi Espasa Clofent

Re: anvil and ip exclusions

Jake Vickers: > Is there a way to exclude an IP/range from anvil? I have a mail server > where 95% of the users are on the same IP (not local to mail server) and > they're triggering anvil 10+ times a day for that IP address. > Or is there a different way to work around this? See: http://www.po

Re: anvil(8) and RBLs

On Mon, October 13, 2008 11:03, Jordi Espasa Clofent wrote: > smtpd_client_restrictions = reject_unlisted_recipient > permit_mynetworks, > permit_sasl_authenticated, > reject_rbl_client zen.spamhaus.org, > reject_rbl_client bl.spamcop.net, > reject_rbl_client list.dsbl.org

Re: anvil(8) and RBLs

Jordi Espasa Clofent a écrit : > Hi all, > > I use RBLs as you can see: > > smtpd_client_restrictions = >permit_mynetworks, >permit_sasl_authenticated, >reject_rbl_client zen.spamhaus.org, >reject_rbl_client bl.spamcop.net, >reject_rbl_client list.dsbl.org and I guess you check

Re: anvil(8) and RBLs

* Jordi Espasa Clofent <[EMAIL PROTECTED]>: > Hi all, > > I use RBLs as you can see: > > smtpd_client_restrictions = >permit_mynetworks, >permit_sasl_authenticated, >reject_rbl_client zen.spamhaus.org, >reject_rbl_client bl.spamcop.net, >reject_rbl_client list.dsbl.org > > Moreo

Re: anvil logging

Mark Watts wrote: My "problem" can be solved by grep, but since anvil's statistics are of no immediate use to me, I see little point in filling my logs with them. These are not your logs. These are system logs. are you "System"? :) you can have your log rotation program to remove what you d

Re: anvil logging

Mark Watts writes: My "problem" can be solved by grep, but since anvil's statistics are of no immediate use to me, I see little point in filling my logs with them. Perhaps you could take a look at syslog-ng. I believe it is able to filter out lines based on expressions. Or pretty much any sys

Re: anvil logging

On Monday 01 September 2008 14:21:56 Wietse Venema wrote: > Mark Watts: > > Is there a mechanism to reduce/stop the logging that anvil does? > > No. Anvil logs something when it terminates (Postfix is not receiving > mail), and it logs something every 10 minutes or so when Postfix > is busy. > > >

Re: anvil logging

Mark Watts: > Is there a mechanism to reduce/stop the logging that anvil does? No. Anvil logs something when it terminates (Postfix is not receiving mail), and it logs something every 10 minutes or so when Postfix is busy. > I have a low-traffic mail server and I'd prefer anvil to not log anythin