On 25/01/18 10:59, Mike Brudenell via Exim-users wrote:
Hi, Sebastian -

You might want to try the *strict* ratelimit option instead of *leaky*…

When I was setting something up here I seem to remember that using leaky
ended up with the ratelimit value capping out at around its limit, meaning
my defence measure never kicked in. Changing to strict meant the actual
rate was recorded so clients that were hammering us were now detected and
appropriate measures taken.

(There's an explanation in the *Specification*
<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#ratoptfast>
about leaky *v* strict, but I confess I don't find it terribly clear.)

Hi Mike - thank you for the suggestion. I did consider using strict instead of leaky, but then I thought, if something doesn't go to plan, or I misconfigure one of the ACLs, I could have the counters increasing out of control and blocking IP addresses forever. I think using leaky, but with a larger number of hits in the ACLs which are supposed to increase the counters than in the ACL which does the blocking, is a bit safer, as the counter increases will stop at some point even if the ACLs keep on getting hit.



Cheers,
Mike B-)

On 25 January 2018 at 10:24, Sebastian Arcus via Exim-users <[email protected]> wrote:

On 25/01/18 09:20, Jeremy Harris wrote:

On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote:

I can see in the ratelimit db quite a few hosts
which have reached the 5/24h limit. But strangely in the Exim log I
can't see the appropriate reject messages - although I can see reject
messages for various other ACLs I've set up. Searching by the offending
IP addresses in the logs, I can see them retrying over and over again -
and yet my initial connect ACL never seems to kick in and deny the
connection. I can't really think of a reason for this.


Test with -bh and -d


I tried running a connection test on one of the IP addresses which show as
having reached 5.0 in the ratelimit database, and I get:

ratelimit computed rate 4.6

I suppose this is because some time has passed since their last connection
- and I think that's why it doesn't work as expected. I think I need to
have the first ACL - on connect, which is read-only in my case - check for
5, but the others check for a higher number. It seems that the ratelimit
in other ACLs increases the counter to 5, but then, by the time the client
connects again, the counter in the db is just below 5 (for example 4.9) -
the ratelimit condition in the connect ACL is never true - but at the same
time, the later ACLs which are supposed to increase the counter don't do
it any more, as it would take it past 5.0. I will try something like below,
to see if it works:

acl_check_connect:

drop  message   = Temporary ban - too many retries
       ratelimit = 5 / 24h / per_conn / readonly


acl_check_helo:

deny  message    = "Bad HELO (impersonates our host)"
       condition  = ${if match{$sender_helo_name}{$primary_hostname}}
       !ratelimit = 10 / 24h / per_conn / leaky

acl_check_rcpt:

deny  message    = Relay is not permitted
       !domains   = +local_domains : +relay_to_domains
       !ratelimit = 10 / 24h / per_conn / leaky


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
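The interplay discussed in this thread (a readonly ratelimit check at 5 that never fires because the leaky update conditions stop recording once the client is at 5, so the rate the check computes has decayed below the limit) can be seen with a small model. The following is an added example, not Exim's code and not anything posted by Sebastian or Mike: it assumes a simplified exponentially smoothed rate in the spirit of the Exim specification, that a "leaky" condition stores the new rate only while the client is under its limit, that "strict" always stores it, that "readonly" never does, and that a client at the limit counts as over it. The client address, the 60-second burst and the 6-hour retry are constructed.

```python
import math

PERIOD = 24 * 3600.0          # the "24h" in "ratelimit = 5 / 24h / ..."


def computed_rate(record, now, period=PERIOD):
    """Smoothed rate in events per `period`, including the event at `now`.
    `record` is (time of the last stored update, stored rate), or None for a
    client that has never been seen.  Simplified model, not Exim's code."""
    if record is None:
        return 1.0                       # first event: one event per period
    last, old_rate = record
    interval = max(now - last, 1e-6)     # guard against a zero interval
    a = math.exp(-interval / period)     # weight given to the old rate
    # Exponentially weighted moving average: the new event adds
    # (1 - a) * period / interval, so a steady stream of events every
    # `interval` seconds converges on period / interval events per period.
    return a * old_rate + (1 - a) * (period / interval)


def ratelimit(db, key, now, limit, mode):
    """One evaluation of `ratelimit = limit / period / mode` for client `key`.
    Returns (over_limit, rate).  'readonly' never stores, 'leaky' stores only
    while the client is under the limit, 'strict' always stores."""
    rate = computed_rate(db.get(key), now)
    over = rate >= limit                 # assumption: at the limit counts as over
    if mode == "strict" or (mode == "leaky" and not over):
        db[key] = (now, rate)
    return over, rate


def burst_then_retry(update_limit, update_mode, burst=12, retry_h=6.0,
                     check_limit=5.0):
    """Constructed scenario: `burst` connections 60 s apart, each of which
    reaches the updating ratelimit condition, then one more connection
    `retry_h` hours later that only a readonly check at `check_limit` sees.
    Returns the rate stored after the burst, the rate the readonly check
    computes for the retry, and whether that check would fire."""
    db = {}
    key = "192.0.2.10"                   # constructed client address
    for i in range(burst):
        ratelimit(db, key, i * 60.0, update_limit, update_mode)
    stored = db[key][1]
    later = (burst - 1) * 60.0 + retry_h * 3600.0
    over, rate = ratelimit(db, key, later, check_limit, "readonly")
    return {"stored": round(stored, 3),
            "check_rate": round(rate, 3),
            "dropped": over}


if __name__ == "__main__":
    for limit, mode in ((5, "leaky"), (10, "leaky"), (5, "strict")):
        print(f"update {limit}/24h/{mode}:", burst_then_retry(limit, mode))
```

With the update condition at 5/leaky the stored rate freezes just under 5 and the readonly check six hours later computes a value in the 4.x range, so it never fires, which is the "computed rate 4.6" situation; with the update condition at 10/leaky or 5/strict the stored rate climbs well past 5 during the burst and the later check does fire. Note that the model evaluates the updating condition on every burst connection; in a real Exim run a `drop` in the connect ACL ends the connection before any later ACL runs, so whether the updating conditions are reached at all depends on the ACL order and on the checks that precede them.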