I do a lot of email submission from my laptop on the road to our corporate
email server.
Problem was that rate-control was based on IP addresses, which didn't give me
the control that I wanted.
For instance, having the same ClientRate and ClientConn for myself using the
submission port (587) as someone else using the smtp port (25) just because we
both happened to be on an AT&T wifi hotspot made no sense.
So after an hour or so of investigation, I came up with the following ruleset
changes. It rocks.
The default config for sendmail.mc contains either:

    DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')dnl

or:

    DAEMON_OPTIONS(`Port=smtp, Name=MTA')

if you're running an internet accessible relay, but if you also uncomment (via
the 'dnl') from:

    dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

you've also enabled the submission port.
This patch lets you search the access database for "ClientRate", "ClientConn",
and "GreetPause" entries not just based on the IP address, but also on the name
of the service ("MSA" versus "MTA" or "MTA-v4").
Hence if I add:

    ClientConn:MSA 10
    ClientRate:MSA 0
    GreetPause:MSA 0

I've specified that for connections on the submission port (which are
authenticated), I can have up to 10 simultaneous connections with no incoming
connection rate limit and no initial greet-pause.

Which is a good thing, because my defaults are meant to be constraining:

    ClientConn: 1
    ClientRate: 2

and my sendmail.mc contains:

    FEATURE(`greet_pause', `5000')dnl

which are very effective at throttling the Internet in general when someone
tries to exploit our server as an open relay or even attempts a DoS attack on
it.
(Note the last line could also have been done as: "GreetPause: 5" in my
access file).

Now I can connect from wherever I like, and have the same defaults I get on the
corporate network:

    ClientConn:192.168.1 10
    ClientRate:192.168.1 0
    GreetPause:192.168.1 0

be applied on the road as well.
I hope you all find this patch useful. I've submitted it as a suggestion to the
sendmail maintainers, but they tend to be conservative in accepting
'enhancements', so it might not be integrated.
-Philip
--- sendmail-cf/feature/greet_pause.m4.orig 2004-07-06 14:49:51.000000000
-0600
+++ sendmail-cf/feature/greet_pause.m4 2011-12-19 18:32:18.036025424 -0700
@@ -36,6 +36,7 @@ ifdef(`_ACCESS_TABLE_', `dnl
R$+ $| $+ $: $>D < $1 > <?> <! GreetPause> < $2 >
R $| $+ $: $>A < $1 > <?> <! GreetPause> <> empty
client_name
R<?> <$+> $: $>A < $1 > <?> <! GreetPause> <> no: another
lookup
+R<?> <$*> $: $>D < $&{daemon_name} > <?> <! GreetPause> < $1 >
ifelse(len(X`'_ARG_),`1',
`R<?> <$*> $@',
`R<?> <$*> $# _ARG_')
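Review bot: the added rule `R<?> <$*> $: $>D < $&{daemon_name} > <?> <! GreetPause> < $1 >` sends the daemon name through the same `$>D` ruleset and the same `GreetPause` tag that the first rule in this block uses for the client name, so daemon Name= values and client host names end up in one key space in the access map. An entry such as `GreetPause:MSA` then cannot be told apart from an entry for a host or domain of that name, and the client name is not something the local configuration controls. Consider a distinct tag for the daemon lookup, and document that this lookup runs only after the client name and address lookups have both returned `<?>`, so it never overrides a per-host or per-address entry.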
--- sendmail-cf/m4/proto.m4.orig 2011-10-24 06:25:58.000000000 -0600
+++ sendmail-cf/m4/proto.m4 2011-12-19 18:34:58.113969993 -0700
@@ -2965,7 +2965,7 @@ ifdef(`_RATE_CONTROL_',`dnl
######################################################################
SRateControl
ifdef(`_ACCESS_TABLE_', `dnl
-R$* $: <A:$&{client_addr}> <E:>
+R$* $: <A:$&{client_addr}> <E:$&{daemon_name}> <E:>
dnl also look up a default value via E:
R$+ $: $>SearchList <! ClientRate> $| $1 <>
dnl found nothing: stop here
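Review bot: the comment under the changed `SRateControl` rule still reads `dnl also look up a default value via E:`, but the list now carries two `E:` items and the first one is the daemon name, not a default. Update the comment to state the search order (client address, then daemon name, then the bare `ClientRate:` default), because, assuming SearchList returns the first match, that order decides which entry applies when an address entry and a `ClientRate:MSA` style entry both exist. If `{daemon_name}` can ever be empty, `<E:$&{daemon_name}>` collapses to a second `<E:>`, which is harmless but redundant and worth a one-line remark.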
@@ -2987,7 +2987,7 @@ ifdef(`_CONN_CONTROL_',`dnl
######################################################################
SConnControl
ifdef(`_ACCESS_TABLE_', `dnl
-R$* $: <A:$&{client_addr}> <E:>
+R$* $: <A:$&{client_addr}> <E:$&{daemon_name}> <E:>
dnl also look up a default value via E:
R$+ $: $>SearchList <! ClientConn> $| $1 <>
dnl found nothing: stop here
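Review bot: in `SConnControl` the new key is `{daemon_name}` on its own, so an entry such as `ClientConn:MSA 10` applies to every client that connects to that daemon's port; nothing in this rule tests whether the session is or will be authenticated. The change should ship with a documentation note saying that per-daemon limits are per-port limits, and that a raised or zero limit on the submission daemon is only as tight as whatever else restricts access to that port.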
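The precedence that the patched `SRateControl` and `SConnControl` search lists produce can be checked with a small model of the lookup order. This is an added example, not code from the original message or from sendmail: it assumes the search list returns the first match, that `A:` lookups drop trailing octets, and that keys compare case-insensitively, and `parse_access`, `address_keys` and `effective_limit` are hypothetical names.

```python
# Added example: models the patched search order <A:client_addr> <E:daemon_name> <E:>.
# Assumptions (not sendmail code): first match wins, A: lookups drop trailing
# octets, keys compare case-insensitively, IPv4 only.

# Constructed access-file text using the values quoted in the message, plus one
# constructed per-network entry (198.51.100) to show precedence.
SAMPLE_ACCESS = """\
ClientConn:            1
ClientRate:            2
ClientConn:MSA         10
ClientRate:MSA         0
ClientConn:192.168.1   10
ClientRate:192.168.1   0
ClientRate:198.51.100  1
"""


def parse_access(text):
    """Return {lowercased key: value} from access-file lines (# starts a comment)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table


def address_keys(addr):
    """203.0.113.7 -> ['203.0.113.7', '203.0.113', '203.0', '203']."""
    octets = addr.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def effective_limit(table, tag, client_addr, daemon_name):
    """Return (value, matched_key) for tag 'ClientRate' or 'ClientConn'."""
    for item in address_keys(client_addr) + [daemon_name, ""]:
        key = f"{tag}:{item}".lower()
        if key in table:
            return table[key], key
    return None, None


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for addr, daemon in [("203.0.113.7", "MSA"), ("203.0.113.7", "MTA"),
                         ("192.168.1.20", "MTA"), ("198.51.100.9", "MSA")]:
        for tag in ("ClientRate", "ClientConn"):
            print(addr, daemon, tag, effective_limit(table, tag, addr, daemon))
```

In the last case the per-network `ClientRate:198.51.100` entry is found before `ClientRate:MSA`, so a roaming client on a network that has its own entry does not get the per-daemon value.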