Thanks Victor and Benny. I think the section you mentioned is useful to
me.
Per-account access control
Postfix can implement policies that depend on the SASL login name
(Postfix 2.11 and later). Typically this is used to HOLD or REJECT mail
from accounts whose credentials have been compromised
On Thu, Aug 22, 2024 at 08:44:33PM +0800, horizon--- via Postfix-users wrote:
> I am sorry that I have asked this question on dovecot list, but I got no
> answer there. So I am forwarding this to postfix list hoping I can get your
> help.
Is it *authentication* you want to disable, or the right t
horizon--- via Postfix-users skrev den 2024-08-22 14:44:
u...@mail.com:{CRYPT}$::userdb_quota_rule=*:bytes=1G
How can I limit some people can auth with postfix submission (port
587), and some others can't?
set password to some random only domain owner knows ?
or
https://www.postfix.
I am sorry that I have asked this question on dovecot list, but I got no
answer there. So I am forwarding this to postfix list hoping I can get
your help.
Thank you.
Original Message
Subject: limits to auth of submission
Date: 2024-08-21 18:59
From: horizon--- via dovecot
On Tue, 2 Jan 2024 at 13:13, Matus UHLAR - fantomas via Postfix-users <
postfix-users@postfix.org> wrote:
> Hello,
>
> http://www.postfwd.org/ratelimits.html
>
> Of course, if there is any other tool that can do that, I'll look.
>
>
> However, I need to find th
EU
This is limitations only for outgoing
W dniu 2.01.2024 o 13:12, Matus UHLAR - fantomas via Postfix-users pisze:
Hello,
due to spam issue I'm trying to implement rate limits for outgoing mail.
I looked at postfwd and its rate limit looks promising, supporting
different limits p
Hello,
due to spam issue I'm trying to implement rate limits for outgoing mail.
I looked at postfwd and its rate limit looks promising, supporting different
limits per IP/sasl_user for internal network, webmail:
http://www.postfwd.org/ratelimits.html
Of course, if there is any other
Viktor Dukhovni:
> On Wed, Jan 18, 2023 at 12:45:02AM +, Sean Hennessey wrote:
>
> > Thanks,I did realize after I sent the email that what was probably
> > happening was the delay was the overiding controller, and not working
> > as in addition as I thought it would.
>
> Once you have multi-s
On Wed, Jan 18, 2023 at 12:45:02AM +, Sean Hennessey wrote:
> Thanks,I did realize after I sent the email that what was probably
> happening was the delay was the overiding controller, and not working
> as in addition as I thought it would.
Once you have multi-second delays, concurrency is po
t: Re: Understanding concurrency limits
Sean Hennessey:
> In master.cf
> smtp-tar unix -- y - 1 smtp
> -o syslog_name=postfix/$service_name
>
> In main.cf
> smtp-tar_destination_rate_delay = 600s
RTFM, this puts 600s delay between deliver
Sean Hennessey:
> In master.cf
> smtp-tar unix -- y - 1 smtp
> -o syslog_name=postfix/$service_name
>
> In main.cf
> smtp-tar_destination_rate_delay = 600s
RTFM, this puts 600s delay between deliveries as in:
deliver one meessage
wait 600s
deliver one mee
In master.cf
smtp-tar unix -- y - 1 smtp
-o syslog_name=postfix/$service_name
In main.cf
smtp-tar_destination_rate_delay = 600s
smtp-tar_destination_concurrency_limit = 3
smtp-tar_destination_recipient_limit = 2
smtp-tar_initial_destination_concurrency=2
I
On 20 Dec 2018, at 11:08, Viktor Dukhovni wrote:
> Viruses can come from any source.
OK, But I am pretty sure I’ve never seen a virus from mail chimp.
I don’t have a large enough load to worry about not scanning, but if I did the
first thing I would stop scanning is gmail incoming and the larg
> On Dec 20, 2018, at 1:04 PM, @lbutlr wrote:
>
> Am I wrong in thinking that doing an A/V scan on mail from Mailchimp and/or
> cosntantcontact is a waste of time?
>
> They are not sending viruses. Hell, they are not even sending spam.
Viruses can come from any source. And message origin auth
On 18 Dec 2018, at 16:58, Viktor Dukhovni wrote:
> The solution is perhaps in part to throw some more CPU at the
> problem, but alternatively, assuming that mailchimp et. al.
> are not abusing reasonable concurrency limits, you can reduce
> the impedance mismatch by increasing the i
tency, and can accept mail quickly, but
at the same concurrency, the filter stage has higher (CPU-bound)
latency, and noticeably lower throughput.
The solution is perhaps in part to throw some more CPU at the
problem, but alternatively, assuming that mailchimp et. al.
are not abusing reasonable concur
Hi,
On Mon, Dec 17, 2018 at 12:18 PM Viktor Dukhovni
wrote:
>
> On Mon, Dec 17, 2018 at 10:47:02AM -0500, Alex wrote:
>
> > The original reason I had set it in the first place was to try and control
> > the amount of email the bulk senders like constantcontact, mailchimp, etc,
> > could send at o
bscribe". If you're receiving unwanted email
from them, you or your users should unsubscribe.
Postfix rate limits are not an anti-spam mechanism, rather they are
safety mechanisms for accidental DoS by one or a few clients when
buggy software sends email in a tight loop.
--
Viktor.
Hi,
On Sat, Dec 15, 2018 at 1:42 PM Viktor Dukhovni
wrote:
> > On Dec 14, 2018, at 4:27 PM, Allen Coates
> > wrote:
> >
> > I have a hunch that this is an excess count.
>
> It is not.
The issue was that I had one mail host with the parameter set to 5
while the one I checked did not have it set
> On Dec 14, 2018, at 4:27 PM, Allen Coates wrote:
>
> I have a hunch that this is an excess count.
It is not.
--
Viktor.
On 14/12/2018 06:13, Viktor Dukhovni wrote:
>
>
>> On Dec 13, 2018, at 8:25 PM, Alex wrote:
>>
>> We had a Mimecast user report today that their mail was being rejected
>> with a 4.7.0 "too many connections" error. This is a "soft" error, in
>> that the mail client will later attempt to resen
> On Dec 13, 2018, at 8:25 PM, Alex wrote:
>
> We had a Mimecast user report today that their mail was being rejected
> with a 4.7.0 "too many connections" error. This is a "soft" error, in
> that the mail client will later attempt to resend, correct?
Should be.
> Isn't the default of 50 con
Hi,
We had a Mimecast user report today that their mail was being rejected
with a 4.7.0 "too many connections" error. This is a "soft" error, in
that the mail client will later attempt to resend, correct?
Isn't the default of 50 concurrent connections sufficient for most
environments? Is there re
Chris Boylan:
>
> > You mean smtpd_recipient_limit? With 10 valid addresses, it is
> > unlikely but still possible to get mail with more recipients, when
> > address extensions are in use (the same user effectively has an
> > unlimited number of email addresses).
> You mean smtpd_recipient_limit? With 10 valid addresses, it is
> unlikely but still possible to get mail with more recipients, when
> address extensions are in use (the same user effectively has an
> unlimited number of email addresses).
I was thinking about the reverse situation - preventing s
Chris Boylan:
> We're going to do a mailing to our customers this week (2000+) and I'm trying
> to make sure our configuration, which is new, is set up appropriately.
>
> The email is coming from outlook as a list of lists apparently so it'll show
> up on the submission port as a large Bcc list.
We're going to do a mailing to our customers this week (2000+) and I'm trying
to make sure our configuration, which is new, is set up appropriately.
The email is coming from outlook as a list of lists apparently so it'll show
up on the submission port as a large Bcc list. Looks like I want to
tem
n MSA and mailstore front-end MTA that
are not the same as your Internet-facing inbound gateway. This
allows a larger message size for purely internal email.
You can also operate separate inbound and outbound MTAs (or just
Postfix instances) with separate message size limits, if it somehow
makes
Looking at message_size_limit and mailbox_size_limit, if I want to allow
internal users the ability to send 100M emails it seems like 1) applies to all
messages both in-bound and out-bound and 2) I'll need to increase
mailbox_size_limit to what factor of message_size_limit?
I am sure it is possible to simplify the anvil
code a lot, and thereby make it more general so that it can also
implement per sasl-user rate limits, and even implement per-sender
or per-recipient rate limits. But that will have to be later.
ftp://ftp.porcupine.org/mirrors/postfix-release/experimenta
That makes sense. Thanks, I'll try to get this set up.
On Mon, Mar 16, 2015 at 11:31:28AM -0500, Brainslug wrote:
> But outbound email originating on the mail server itself (users sending
> mail via 'mail -s "test" u...@gmail.com' on the mail server) is still
> going out, even if the mail size exceeds message_size_limit.
Consider a multi-instance app
Thanks, Viktor. I got this partially working by temporarily separating
the master.cf entries. Email that is sent to my email server via smtp
now gets rejected if >message_size_limit while my mail server still
accepts bigger incoming emails. Great!
But outbound email originating on the mail server
On Fri, Mar 13, 2015 at 01:46:07PM -0700, Brainslug wrote:
> Is it possible to configure postfix to accept all incoming email regardless
> of size but decline all outgoing email exceeding a predefined size limit?
You'll need to use separate smtpd(8) listener for the outbound mail
and an associate
message_size_limit in main.cf, it is applied to both, incoming and
outgoing email, which is not what I need.
Thanks for your help!
--
View this message in context:
http://postfix.1071664.n5.nabble.com/Asymmetric-mail-limits-tp75684.html
Sent from the Postfix Users mailing list archive at Nabble.com.
anyhting about *concurrent* connections
>
> I don't know what you think is nonsense.
"as many Verified TLS connection established messages in the logs as
status=sent lines" is nonsense - what has that do do with
"concurency limits"
> The MXs also show one mail pe
VD> This is unlikely to be a problem.
>
> One or two sockets per MX.
Postfix has no per-MX concurrency limits, only per-destination
limits, which split across the MX hosts somewhat randomly. At times
some MX hosts may see more than their "fair" share of connections.
Subject t
> "ln" == lists@rhsoft net writes:
>> but still get as many Verified TLS connection established messages in
>> the logs as status=sent lines
ln> that is nonsense and don't say anyhting about *concurrent* connections
I don't know what you think is nonsense.
The MXs also show one mail per so
_tls_session_cache_database = btree:${data_directory}/smtp_scache
>> smtp_tls_security_level = dane
VD> This turns on opportunistic DANE TLS.
Intentionally. I like using that better than smtp_tls_policy_maps,
given that I publish tlsa for my MXs.
>> smtp_tls_note_starttls_offer =
t; smtp_tls_note_starttls_offer = yes
This is not needed when TLS is on by default.
> interfere with concurrency limits?
No, but TLS and connection caching are mutually exclusive (for destinations
that support STARTTLS, non-TLS destinations are still cached).
--
Viktor.
Am 08.07.2014 00:17, schrieb James Cloos:
> I working with an application which collects data and emails me the
> results. Reading it in a mailinglist-like fashion is optimal for me.
>
> It can generate a large number of mails in a short time, so I'm trying
> to limit how many concurrent socket
se = btree:${data_directory}/smtp_scache
smtp_tls_security_level = dane
smtp_tls_note_starttls_offer = yes
interfere with concurrency limits?
That box has pf 2.11.1.
-JimC
--
James Cloos OpenPGP: 0x997A9F17ED7DAEA6
- Original Message -
> From: Wietse Venema
> To: Postfix users
> Cc:
> Sent: Monday, August 15, 2011 9:00 AM
> Subject: Re: Outbound mail rate limits by user
>
>
> In the case of single-recipient email, this can be done with delays
> on the Postfix re
Wietse:
> A more serious issue is that _destination_rate_delay is per-destination
> not per-sender, so the example that I gave was wrong to begin with.
> This would require a rate delay that is independent of destination.
In the case of single-recipient email, this can be done with delays
on the P
- Original Message -
> From: Wietse Venema
> To: Postfix users
> Cc:
> Sent: Sunday, August 14, 2011 3:32 PM
> Subject: Re: Outbound mail rate limits by user
>
>
> A more serious issue is that _destination_rate_delay is per-destination
> not per-sender, so
Wietse:
> No matter what MTA you use, it will need to know a) how many the
> sender has sent and b) what the limit for that sender is.
>
> Therefore, some per-sender configuration is unavoidable.
Steve Fatula:
>True of course, but, was thinking of using a milter to do this since
>it works for loc
- Original Message -
> From: Wietse Venema
> To: Postfix users
> Cc:
> Sent: Saturday, August 13, 2011 8:35 PM
> Subject: Re: Outbound mail rate limits by user
>
> Wietse:
>> With Postfix 2.7 and later use a per-sender FILTER action without
>> next-
> -Original Message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> Sent: Saturday, August 13, 2011 6:36 PM
> To: Postfix users
> Subject: Re: Outbound mail rate limits by user
>
> No matter what M
Steve Fatula:
>> Is there is an easier or more elegant way someone might be using?
Wietse:
> With Postfix 2.7 and later use a per-sender FILTER action without
> next-hop destination:
>
> ? ? send...@example.com??? FILTER sender-class-1:
>
> In master.cf specify a sender-class-1 SMTP client.
>
>
> From: Wietse Venema
> To: Postfix users
> Cc:
> Sent: Saturday, August 13, 2011 2:40 PM
> Subject: Re: Outbound mail rate limits by user
>
> Steve Fatula:
>> This seems to have been discussed before, but, I have a small
>> twist. On a system I am workin
Steve Fatula:
> This seems to have been discussed before, but, I have a small
> twist. On a system I am working on, there are many users. These
> users can send mail via some email client or webmail, and, via
> command line programs (sendmail) or PHP, mailing list program,
> etc. I need to be able
Am 13.08.2011 09:48, schrieb Steve Fatula:
> This seems to have been discussed before, but, I have a small twist. On a
> system I am working on, there are many users. These users can send mail via
> some email client or webmail, and, via command line programs (sendmail) or
> PHP, mailing list pr
This seems to have been discussed before, but, I have a small twist. On a
system I am working on, there are many users. These users can send mail via
some email client or webmail, and, via command line programs (sendmail) or PHP,
mailing list program, etc. I need to be able to limit outbound ema
know what will be the max entries in transport map that the
> machine can handle ( 4 GB Ram , Quad Xeon) .. given that the system
> is
> running postfix and almost nothing else
>
> How do I test the limits ?
>
>
> Thanks
> Ram
in transport map that the
> machine can handle ( 4 GB Ram , Quad Xeon) .. given that the system is
> running postfix and almost nothing else
>
> How do I test the limits ?
>
> Thanks
> Ram
This is only dependant on the map-type you are using. If you have many
updates you shoul
entries in transport map that the
> > machine can handle ( 4 GB Ram , Quad Xeon) .. given that the system is
> > running postfix and almost nothing else
> >
> > How do I test the limits ?
> >
> > Thanks
> > Ram
>
> This is only dependant on the ma
running postfix and almost nothing else
How do I test the limits ?
Thanks
Ram
This is only dependant on the map-type you are using. If you have many
updates you should using a "network" database type (not file based)
like SQL or LDAP. Test the lookup times for the map-type of your
c
almost nothing else
How do I test the limits ?
Thanks
Ram
.
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Barney Desmond
Sent: Monday, October 19, 2009 10:07 PM
To: postfix-users@postfix.org
Subject: Re: Rate limits on mynetworks Hosts
2009/10/19 Craig Watson :
> I have some hosts in mynetwo
2009/10/19 Craig Watson :
> I have some hosts in mynetworks. They cannot handle authentication but I
> want to apply the rate limits to them too. Is there anyway I can allow them
> to relay but apply the rate limits to them? Below is my current config.
I believe the correct way is
I have some hosts in mynetworks. They cannot handle authentication but I
want to apply the rate limits to them too. Is there anyway I can allow them
to relay but apply the rate limits to them? Below is my current config.
#150 Recipients/Mail mesasge
smtpd_recipient_limit = 150
#Exclude these
Thankyou.
So, that restriction is configured correctly. Postfwd daemon is
started (it checks incoming mail for RBL.
I think i have to move to the postfwd lit.
Thankyou again
2009/7/15 Brian Evans - Postfix List :
> ad...@gg-lab.net wrote:
>> Still any result.
>>
>> Can the problem be on this li
ad...@gg-lab.net wrote:
> Still any result.
>
> Can the problem be on this line?
>
> smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040
>
> Policyd site says to add it, but in postfix manual i can't find any
> description of "smtpd_end_of_data_restrictions".
That restriction
t;>>>>> Benny: ok, so we are speaking about the evenlope sender, so, it seems
>>>>>> this is the solution.
>>>>>
>>>>> What are you trying to do exactly? Your requirements and situation keep
>>>>> changing with every ema
gt;>> changing with every email. Use examples with all details to explain
>>>> exactly
>>>> what you want.
>>>>
>>>> Benny - postfwd is sasl_username aware.
>>>>
>>>>>
>>>>> 2009/7/13 Benny Pedersen :
&g
;>> Benny - postfwd is sasl_username aware.
>>>
>>>>
>>>> 2009/7/13 Benny Pedersen :
>>>>>
>>>>> On Mon, July 13, 2009 09:51, ad...@gg-lab.net wrote:
>>>>>
>>>>>> i want to limit mail sent via php
icated.
remove 127.0.0.1 in mynetworks, and make sasl usage from all what
got
sent from this box, problem solved, next step is a policy
server that can handle sasl limits
all else will fail
another way is to seperate web and mail server so 127.0.0.1 is
another
box :)
Of course i can't
t; i want to limit mail sent via php mainly, so i can't limit via sasl
>>>> simply because users aren't authenticated.
>>>
>>> remove 127.0.0.1 in mynetworks, and make sasl usage from all what got
>>> sent from this box, problem solved, next step
2009 09:51, ad...@gg-lab.net wrote:
i want to limit mail sent via php mainly, so i can't limit via sasl
simply because users aren't authenticated.
remove 127.0.0.1 in mynetworks, and make sasl usage from all what
got sent from this box, problem solved, next step is a policy
serv
Here some details on cpanel limits:
http://forums.cpanel.net/email-exim/73464-how-does-new-max-emails-per-hour-tracking-work-2.html
2009/7/13 ad...@gg-lab.net :
> Lucian, i saw that solution, but i want something that can globally
> limit EVERY mail sent:
>
> i'll also offer s
om this box, problem solved, next step is a policy
> server that can handle sasl limits
>
> all else will fail
>
> another way is to seperate web and mail server so 127.0.0.1 is another box :)
>
>> Of course i can't limit the host ip (all mail sent from my webserver).
&g
, next step is a policy
server that can handle sasl limits
all else will fail
another way is to seperate web and mail server so 127.0.0.1 is another box :)
> Of course i can't limit the host ip (all mail sent from my webserver).
as Obama says "yes we can" :)
> The most beautifu
On Sat, Jul 11, 2009 at 7:01 PM, ad...@gg-lab.net wrote:
> Hi,
>
> i have benn googling for hours today, and can't solve this problem:
>
> I'm working on a free-hosting platform. As MTA, of course, i've
> choosen postfix. Now, to prevent abuse, i want to limit the number of
> email each user can se
Benny,
i want to limit mail sent via php mainly, so i can't limit via sasl
simply because users aren't authenticated.
Of course i can't limit the host ip (all mail sent from my webserver).
The most beautiful thing would be limiting system user (each user has
an entry in /etc/passwd). Limiting th
On Sat, 11 Jul 2009, ad...@gg-lab.net wrote:
> And, i've also found postfwd, but i can't see how can i use it to
> limit mails in number.
Assuming you want to limit mails per envelope sender, the following
(untested) rule should work:
id=MAX_PER_HOUR ; protocol_state=END-OF-MESSAGE ; \
act
On Sat, July 11, 2009 21:42, ad...@gg-lab.net wrote:
> And, i've also found postfwd, but i can't see how can i use it to
> limit mails in number.
or make it with fail2ban, match on sasl in log, geek style :)
just make a action that disable sasl for this user in the time frame
maybe it can be d
On Sat, July 11, 2009 20:01, ad...@gg-lab.net wrote:
> i have benn googling for hours today, and can't solve this problem:
hope its not generic :)
> Any idea?
policyd v2 http://www.policyd.org/
--
xpoint
Very good, thankyou.
I found DEB package postfix-policyd. In the .conf file i've created, i
can see some quota-related directives, but it seems it can limit only
SASL autenticated users or hosts (and the host will always be the
same.
And, i've also found postfwd, but i can't see how can i use it
On Jul 11, 2009, at 2:01 PM, "ad...@gg-lab.net"
wrote:
Hi,
i have benn googling for hours today, and can't solve this problem:
I'm working on a free-hosting platform. As MTA, of course, i've
choosen postfix. Now, to prevent abuse, i want to limit the number of
email each user can send in an
Hi,
i have benn googling for hours today, and can't solve this problem:
I'm working on a free-hosting platform. As MTA, of course, i've
choosen postfix. Now, to prevent abuse, i want to limit the number of
email each user can send in an our.
Any idea?
Thankyou
> Terry Carmen:
>> Does anybody know what practical limits are for cidr files?
>
> Postfix CIDR patterns are executed in the specified order. Therefore
> the run-time processing time is linear in the number of rules.
>
> Each process also spends some time compi
Terry Carmen:
> Does anybody know what practical limits are for cidr files?
Postfix CIDR patterns are executed in the specified order. Therefore
the run-time processing time is linear in the number of rules.
Each process also spends some time compiling the patterns during
initialization.
Do
Does anybody know what practical limits are for cidr files?
Specifically, would there be any problem loading it with something like
uceprotect, which currently has around 2M entries?
Thanks,
Terry
Andre H?bner:
> Hello,
>
> i try to find further infos for anvil-service and how to use it.
> In my Maillogs i see some statistics written by anvil but i do not
> understand the plan to use anvil to do a client based session/request
> control.
anvil is not a policy tool. It is a safty mechanism
Hello,
i try to find further infos for anvil-service and how to use it.
In my Maillogs i see some statistics written by anvil but i do not
understand the plan to use anvil to do a client based session/request
control.
In german list i got one answer that i should write own policy-service. Ist
On Wed, Dec 3, 2008 at 11:25 AM, Leonardo Rodrigues Magalhães
<[EMAIL PROTECTED]> wrote:
>
>
> polloxx escreveu:
>>
>> Dear group,
>>
>> We want to limit the number of mails a given IP address can send per
>> time unit (outbound).
>> What do you use to resolve this with a postfix server?
>> We want
polloxx escreveu:
Dear group,
We want to limit the number of mails a given IP address can send per
time unit (outbound).
What do you use to resolve this with a postfix server?
We want a flexible method were we can set the number of allowed mails
per time unit per IP address (in a SQL datbase).
Dear group,
We want to limit the number of mails a given IP address can send per
time unit (outbound).
What do you use to resolve this with a postfix server?
We want a flexible method were we can set the number of allowed mails
per time unit per IP address (in a SQL datbase).
Thx
P.
Eugene Vilensky wrote:
Hi,
I'd like to be able to set a hard limit on the number of recipients
that postfix will ever process, globally across my system. I see
smtpd_recipient_limit but I think that would have the unintended
consequence of "legitimizing" a ridiculous amount of recipients into
m
Hi,
I'd like to be able to set a hard limit on the number of recipients
that postfix will ever process, globally across my system. I see
smtpd_recipient_limit but I think that would have the unintended
consequence of "legitimizing" a ridiculous amount of recipients into
multiple reasonable connec
90 matches
Mail list logo
