Kouhei Sutou wrote:
> Hi,
>
> I want smtpd to abort a connection for a SMTP client as soon
> as possible when the client disconnects the connection
> before smtpd returns a response.
>

If you mean the ability to reject a connection before RCPT TO, then you can change smtpd_delay_reject. but if you do so, MTAs that don't "understand" this will retry.

if you mean the ability to disconnect instead of sending a response, then the only compliant way is to return 421. so "real" MTAs will retry. as a result, the costs may increase!

finally, some ratware will retry whatever you return.

> [snip]
>
> Tarpitting is an effective anti-spam technique for some
> spammers. The following figure shows about 20% spammers can
> be protected by 65s tarpitting:
>
>
> http://f.hatena.ne.jp/images/fotolife/s/stealthinu/20070705/20070705142716.png
>
> I want to use tarpitting ONLY IF connected SMTP client is
> very spammy because tarpitting may cause DoS. And I want to
> reduce system resource usage caused by tarpitting.
>
> Tarpitting can be done with SLEEP action in access(5),
> policy server or sleep(3) in milter. All of them sleep
> specified seconds even if connected SMTP client disconnects
> a connection.
>
> [snip]
> Or I should place other software (e.g. spamd) in front of
> Postfix? (I hope that all of my mail system is built with
> Postfix based technologies to maintain easily.)
>

yes, using something like OpenBSD spamd is more effective. you can couple this with a policy service that updates your firewall rules so that only misbehaving clients are redirected to spamd... etc.
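The thread's concern is a tarpit delay that keeps running after the client has gone away. As an added example (not code from this thread, Postfix or spamd), the sketch below shows how a front-end listener that owns the client socket can wait out the delay while watching for a disconnect; `tarpit_wait` and `handle_client` are hypothetical names, and the greeting hostname is a placeholder.

```python
import select
import socket


def tarpit_wait(conn: socket.socket, delay: float) -> str:
    """Hold conn for up to `delay` seconds before sending the greeting.

    Returns "elapsed" if the client waited out the delay, "disconnected"
    if it closed the connection first, or "data" if it sent bytes before
    the greeting.
    """
    # Wait until the socket becomes readable or the delay runs out.
    # Unlike a blind sleep, this wakes up the moment the peer closes.
    readable, _, _ = select.select([conn], [], [], delay)
    if not readable:
        return "elapsed"
    try:
        # MSG_PEEK inspects the socket without consuming bytes, so a
        # later reader still sees whatever the client sent.
        peeked = conn.recv(1, socket.MSG_PEEK)
    except OSError:
        # Connection reset or similar: the client is gone.
        return "disconnected"
    # An empty read on a readable stream socket means orderly shutdown.
    return "disconnected" if peeked == b"" else "data"


def handle_client(conn: socket.socket, delay: float = 65.0) -> str:
    """Tarpit one client and free its socket as early as possible."""
    outcome = tarpit_wait(conn, delay)
    if outcome == "elapsed":
        # Placeholder greeting; a real front end would hand off to the MTA.
        conn.sendall(b"220 mx.example.test ESMTP\r\n")
    conn.close()  # release the descriptor right away in every case
    return outcome


if __name__ == "__main__":
    # Constructed demo: a local socket pair stands in for a client that
    # hangs up before the 65 s delay has passed.
    server_side, client_side = socket.socketpair()
    client_side.close()
    print(handle_client(server_side))
```

A listener that tarpits many clients at once would use `selectors` or `poll` rather than one `select` call per connection.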