The anvil rejects are not logged by postfix smtpd nor smtp, so the anvil
rejects will not show up in your SMTP rejects at all, which is kinda nice.
I got nothing but condescending coyness from Wietse/Viktor on what the
anvil reject was ("your investigation is not proper", without saying how to
investigate properly), but Ralf said to try telnet. Duh!
With anvil set to 20 connections / 30 min, I sent 20+ msgs through my IMGate
and then telnetted from that IMGate to the other IMGate set up with anvil:
# telnet im1.webshoppe.net 25
Trying 199.0.66.9...
Connected to im1.webshoppe.net. <<<< TCP connect accepted by port 25
Escape character is '^]'.
421 Too many connections from 212.73.210.75 <<<< bye-bye
Connection closed by foreign host. <<<< click
This means, of course, that the remote MTA will try again, causing somewhat
of an explosion in the connection attempts to your IMGate, but you can see
that the overhead on postfix is the lowest possible, esp. with
"smtpd_error_sleep_time = 0". Postfix disconnects immediately.
What's the advantage of anvil?
1. Protects your server from being DoSed by any one IP. Even if you have
an IP blacklisted, postfix will dialog with that IP, perhaps over several
seconds or tens of seconds (set your smtpd timeout low), until the RCPT TO:;
only then will postfix send 4xx/5xx. No messages accepted, but postfix
smtpd is still consumed until the reject, and then waits for a response from
the remote MTA.
2. Adding anvil to the mix, if a blocked IP sends you x connections in y
minutes, your postfix rejects them all just like before, but from then on
smtpd/anvil rejects will give 421 immediately (not even an SMTP greeting) and
HANG UP, liberating the smtpd process for other callers.
3. Say a spammer that is not yet in an RBL or otherwise blocked ambushes you
and gets his messages accepted, but at a rate above the anvil limit; then
anvil will hold the spammer at bay until you see him anvilled and put him
in your MTA blacklist. The spammer will get x messages delivered each time
he attacks.
4. Legit servers usually don't connect to your server at "high" rates,
where rate is "connections/period" (legit list servers like weather and
news-headline servers can burst above anvil rates, and they have to be
anvil-whitelisted as well as whitelisted from smtpd restrictions). So other
MTAs that get anvilled are very probably spamming, i.e. anvil discriminates
"accurately" between legit and illegit behavior. You have complete control
to define what is a legit rate. anvil also has its own param for
whitelisting MTAs from anvil processing (but not from other smtpd
restrictions).
Anvil is very dynamic, keeping its database in memory, meaning that if you
stop/start postfix, all anvil history will be lost, and there will be no
more anvil rejects until at least <interval> has passed.
I haven't found how long an anvilled IP stays anvilled. It takes
<interval> for an IP to get anvilled, so <interval> is the "attack" time,
but what is the "decay" time, where the IP is flushed from the anvil
table? The anvil reject code of 421 sorta guarantees that the anvilled IP
will keep coming back and therefore keep itself anvil-rejected. Evil!!
moowa ha ha ha!!!
anvil hardens your IMGate/postfix against DoS attacks, and can have a
secondary advantage of identifying IPs that you can add to your blacklists.
Len
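As an added example (not part of Len's post above), here is a main.cf fragment that configures the setup he describes: 20 connections per 30 minutes per client, an immediate hang-up on the reject, and a separate whitelist that exempts a host from anvil counting only (it still goes through the normal smtpd restrictions). The parameter names are taken from the Postfix documentation; the 192.0.2.0/24 network stands in for a legit list server of your own and is an assumption. The message-rate line goes a step beyond the post, which only discusses connection rate.

```ini
# main.cf fragment (added example, not from the post above).
# Per-client connection rate, as in the post: 20 connections per 30 minutes.
anvil_rate_time_unit = 30m
smtpd_client_connection_rate_limit = 20

# Not in the post: also cap accepted messages per client per time unit,
# so a not-yet-blacklisted spammer gets fewer than "x messages" per attack.
smtpd_client_message_rate_limit = 40

# Hang up at once on the 421 instead of sleeping first.
smtpd_error_sleep_time = 0

# Clients exempt from anvil counting ONLY (not from smtpd restrictions).
# $mynetworks is the default; 192.0.2.0/24 is an assumed bursty list server.
# Postfix 2.3+ name; on 2.1/2.2 the same knob is
# smtpd_client_connection_limit_exceptions.
smtpd_client_event_limit_exceptions = $mynetworks, 192.0.2.0/24
```

After `postfix reload`, `postconf anvil_rate_time_unit smtpd_client_connection_rate_limit smtpd_client_event_limit_exceptions` shows what is in effect, and a quick `telnet` from a non-exempt host after the limit is hit reproduces the 421-and-hang-up exchange shown above.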