I'm making one refinement step to eliminate queue congestion due to address verification requests.
The refinement is to maintain a fixed-size cache with counters for the most-common domain names in pending address verification requests. This fixed-size cache allows Postfix to tempfail verification requests selectively for domains that are requested frequently. Only when this measure does not address the problem will Postfix non-selectively tempfail verification requests for all domains.

Wietse

First, the problem. A mail security provider handles mail for many customer domains and relies on an address verification cache for recipient validation. One customer domain is subjected to the equivalent of a recipient dictionary attack. The Postfix queue becomes congested with recipient verification requests. Our job is to eliminate queue congestion due to address verification requests.

Second, my requirement. The solution must be scalable: it must work not only for recipients but also for senders. There are many more senders (domains) than recipients (domains). The solution must also be robust: it must avoid counters that don't return to zero after some Postfix daemon is restarted.

1) Enforce a global limit on the number of outstanding verification requests that equals, say, 1/4 of the capacity of the active queue.

2) Then 3/4 of the active queue remains available to deliver non-verification requests. Consequently, verification requests cannot "clog" up the queue. When most bogus requests are for one domain, then that domain will suffer most of the delays.

3) The verify daemon keeps a cache with counters for the 1000 or so most common domain names in a pending address verification request.

4) When the total number of pending verification requests approaches, say, 80% of the global limit, the verify daemon starts tempfailing requests for the domains from 3) that have many pending requests. Only after the global limit is reached does the verify daemon tempfail all excess verification requests.

5) When Postfix tempfails an address verification request as described in 4), most legitimate addresses will be unaffected because the verify cache proactively refreshes active addresses before they expire. Only "unknown" or "inactive" addresses will be affected. By default, inactive means no mail in 31 days, and "known address" refresh happens after (at least) 7 days.
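
A sketch of the admission logic in steps 1), 3) and 4), added here as an illustration and not taken from Postfix or from the message above. The function names, the small demo constants, the "many pending" threshold of 1/4 of the global limit, and the rule that a cache slot is reused only once its counter is back at zero are all assumptions.

```c
#include <string.h>

/* All names and constants are assumptions made for this illustration. */
#define CACHE_SIZE   8                          /* the post suggests ~1000 */
#define GLOBAL_LIMIT 20                         /* e.g. 1/4 of active queue capacity */
#define SOFT_LIMIT   (GLOBAL_LIMIT * 80 / 100)  /* selective tempfail starts here */
#define HOT_PENDING  (GLOBAL_LIMIT / 4)         /* assumed meaning of "many pending" */

struct slot { char domain[256]; int pending; };
static struct slot cache[CACHE_SIZE];           /* fixed size: memory stays bounded */
static int total_pending;                       /* in-memory only: zero after restart */

/* Find the live slot for a domain; with create set, claim an idle slot instead. */
static struct slot *lookup(const char *domain, int create)
{
    struct slot *idle = NULL;
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (cache[i].pending > 0 && strcmp(cache[i].domain, domain) == 0)
            return &cache[i];
        if (cache[i].pending == 0 && idle == NULL)
            idle = &cache[i];
    }
    if (create && idle)     /* last byte is never written, so it stays '\0' */
        strncpy(idle->domain, domain, sizeof(idle->domain) - 1);
    return create ? idle : NULL;
}

/* Returns 1 to admit a verification probe, 0 to tempfail it. */
int verify_admit(const char *domain)
{
    struct slot *s;
    if (total_pending >= GLOBAL_LIMIT)
        return 0;                       /* global limit: tempfail every domain */
    s = lookup(domain, 1);              /* NULL: cache full, domain is untracked */
    if (total_pending >= SOFT_LIMIT && s && s->pending >= HOT_PENDING)
        return 0;                       /* near the limit: tempfail busy domains only */
    if (s) s->pending++;
    total_pending++;
    return 1;
}

/* Call when a probe completes, whatever its outcome. */
void verify_done(const char *domain)
{
    struct slot *s = lookup(domain, 0);
    if (s) s->pending--;                /* untracked probes only touch the total */
    if (total_pending > 0) total_pending--;
}
```

Domains that do not fit in the cache are never tempfailed selectively in this sketch; they are throttled only once the global limit is reached.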