Qmail rate limit

exi1ed0ne · **Posted:** Wed Sep 26, 2007 7:46 pm

I've made a change to my smtp_psa xinetd setting to limit number of concurrent connections to one per IP address. This seems to have worked in limiting some of the spam-blasts, and every IP blocked over the last couple hours have been 100% spam. (Spammers have been absolutely killing my box. sa-report showed 22 hours worth of running SA in one day!)

Any thoughts out there about setting a limit like this? Gotchas that I may be missing?

scott · **Posted:** Thu Sep 27, 2007 8:40 am

Other than its a good idea? I do that on both project gamera and psa. I believe you can also rate limit based on load in xinetd.

jwdick · **Joined:** Mon Jul 31, 2006 10:55 pm **Posts:** 55

Would you mind telling me how you did limited IP connections to one?

exi1ed0ne · **Posted:** Fri Sep 28, 2007 10:37 am

In /etc/xinetd.d/smtp_psa I added per_source. The file then looked like this:

Code:

service smtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        per_source      = 1
        server          = /var/qmail/bin/tcp-env
        server_args     = -Rt0 /usr/sbin/rblsmtpd  -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/greylist /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}

I also added the per source limit to ftp. Make the changes, restart xinetd, and viola!

jwdick · **Joined:** Mon Jul 31, 2006 10:55 pm **Posts:** 55

THANKS! This will really help a problem I have been having...

kwebdesign · **Posted:** Fri Sep 28, 2007 12:10 pm

Would this cause a problem for multiple users behind a firewall who are all using the server at the same time?

exi1ed0ne · **Posted:** Fri Sep 28, 2007 12:43 pm

I would assume so, if they had simultaneous connections. I can't think of a good reason why I'd want to accept connections like that though. It would depend on if you have corporate customers without an internal email server I suppose.

scott · **Posted:** Fri Sep 28, 2007 1:39 pm

From experience, you'll almost never run into that issue if your clients are US based. Other countries it could be a problem given the high use of NAT. What you do there is just make everyone use the SSL smtp port (465).

exi1ed0ne · **Posted:** Fri Sep 28, 2007 3:33 pm

There is a different xinetd file (smtps_psa) that handles SMTPS connections. I've modified mine to have a more relaxed limit, and I've removed rbl checks from the smtp chain. I suppose you could also remove greylisting as well, but I do something different to get around it.

I only send instructions for webmail and SMTPS for the clients, and tend to get positive responses on it since they understand the need for encrypting the password.

exi1ed0ne · **Posted:** Tue Oct 09, 2007 10:39 am

I'm seeing a lot of denied connections, and a corresponding decrease in spam/server load with this change in place. So far no legit email lost as far as I can tell.

I do see a lot of denies from localhost (127.0.0.1) related to the email list traffic on the box. Should I be worried about that? Any way to get it to play nice with the limit?

Qmail rate limit

Who is online