On 6/30/2013 3:12 AM, LuKreme wrote:
> When reject_unknown_client_hostname triggers on an NXDOMAIN it returns a 550
> error, which is great. When it triggers because there is no PTR record, it
> returns a 450 error, which is also great… except.
>
> What I see is servers that connect hundreds of times, getting 450 errors and
> ignoring them and trying to send their spam again and again and again.
>
> I have some IPs that have tried to connect hundreds of times to send a
> message that is always going to generate a 450 error since the host does not
> have a PTR record and never will. I have over 10,000 of these failures on an
> average day.
>
> Does anyone have any suggestions?
Hosts that have no PTR/rDNS are almost certainly end user broadband PCs. Which means the clients are likely spambots. They ignore rejections, and they do not retry. They simply keep pumping out new connections. If they're all currently being rejected, and are not tying up your smtpds, then as Noel suggested, simply ignore it.

If single clients are using concurrent connections and eating too many smtpds then fail2ban is one option. Postscreen is another. Or... Postfix allows 50 concurrent connections per client by default with a max of 100 smtpds. Set smtpd_client_connection_count_limit to something like 10 and watch your log daily for a week or so to make sure you're not burdening legit clients. The proper value here, if any, depends on your mail flow. This will limit concurrent connections of all clients.

--
Stan
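Before picking a connection limit or feeding IPs to fail2ban/postscreen, it helps to see which clients are actually collecting the 450s. The script below is an added example, not code from the thread: it parses Postfix smtpd "NOQUEUE: reject" lines for the reject_unknown_client_hostname reply and ranks the clients that keep reconnecting; the log lines are constructed samples using documentation IP ranges, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Postfix smtpd "NOQUEUE: reject" entries
# (not taken from the thread; the IPs are RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jun 30 03:12:45 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.org> to=<u@example.com> proto=ESMTP helo=<pc>
Jun 30 03:12:46 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.org> to=<u@example.com> proto=ESMTP helo=<pc>
Jun 30 03:12:47 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.org> to=<u@example.com> proto=ESMTP helo=<pc>
Jun 30 03:13:02 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.7.1 Client host rejected: cannot find your hostname, [203.0.113.9]; from=<b@example.net> to=<u@example.com> proto=SMTP helo=<x>
Jun 30 03:13:10 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.44]; from=<c@example.org> to=<u@example.com> proto=ESMTP helo=<y>
Jun 30 03:13:11 mx postfix/smtpd[2106]: connect from mail.example.net[192.0.2.10]
"""

# Matches the reply text Postfix uses for reject_unknown_client_hostname,
# capturing the client IP and whether the reply was temporary (450) or permanent (550).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]50) \S+ Client host rejected: cannot find your hostname"
)


def tally_rdns_rejects(log_text):
    """Return {ip: Counter({code: count})} for rDNS-based rejections in the log."""
    tally = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            tally[m.group("ip")][m.group("code")] += 1
    return tally


def repeat_offenders(log_text, min_hits=3):
    """IPs that collected at least min_hits temporary (450) rejections, busiest first.

    A 4xx tells a real MTA to queue and retry later; a client that racks up many
    450s in a short window is simply opening new connections instead.
    """
    tally = tally_rdns_rejects(log_text)
    hits = [(ip, c["450"]) for ip, c in tally.items() if c["450"] >= min_hits]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in repeat_offenders(SAMPLE_LOG):
        print(f"{ip}: {n} x 450 -- candidate for fail2ban/postscreen review")
```

Run it against /var/log/mail.log over the week-long observation period Stan suggests; the hosts it lists are the ones worth comparing against any legitimate senders before lowering smtpd_client_connection_count_limit.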
