I recently had a case where one neighbour host, also running qmail,
suddenly opened over 100 connections to my machine, and used up all the
slots, with the result that my customers could not send mail. While I
know there are various different solutions to this problem (like a
different IP for internal customers, asking this neighbour to use
serialmail for backlogged mail), I still wanted to setup session limits,
so I did this:
tcpserver -vRHlusers.africaonline.co.ke -c500 -x/qmail/etc/tcpserver.smtp.cdb \
-u102 -g101 0 25 /qmail/scripts/session-limit.sh 2>&1 .... &
The session-limit.sh script checks to see how many connections are
active from a particular IP, and if this new would exceed a certain
number, then to send a 421 code to the client and disconnect. Otherwise
it runs the normal qmail-smtpd
session-limit looks like this:
--- start script ---
#!/bin/sh
PATH="$PATH:/usr/local/bin"
if [ -z "$SESSIONLIMIT" ]
then
exec /qmail/scripts/qmail-smtpd-wrapper.sh
elif [ $SESSIONLIMIT -eq 0 ]
then
exec /qmail/scripts/qmail-smtpd-wrapper.sh
fi
cd /qmail/etc/locks
start=1
while [ $start -le $SESSIONLIMIT ]
do
setlock -n $TCPREMOTEIP.$start /qmail/scripts/qmail-smtpd-wrapper.sh 2> /dev/null
if [ $? -eq 0 ]
then
rm -f $TCPREMOTEIP.$start
exit
fi
start=`expr $start + 1`
done
# if the above fails, then we tell the client to go away
echo 421 Limit of $SESSIONLIMIT simultaneous connections from $TCPREMOTEIP reached.
Come back later.
echo "smtpd: Dropped excess session from $TCPREMOTEIP (max $SESSIONLIMIT)" >&2
--- end script ---
The session limit can be set by tcpserver, in the form of an environment
variable SESSIONLIMIT. Thus each host can have its own session limits.
I have tested this, and it seems to work OK. If anyone has any
constructive comments about my approach to the problem, I'd welcome
them. I'm using the file system as a database to keep track of how many
sessions there are from each host. I realise that over time, there is a
possibility of collecting "stale" files in the locks directory.
It would be nice if tcpserver had such an ability built-in, where it
kept track of connectiong IPs in memory, and this would be faster, and
less kludgy.
--
See complete headers for more info
