
clientconn & clientrate settings


mik...@gmail.com

Apr 7, 2009, 10:14:14 AM

We have these set up in our access DB as follows:

ClientConn:127.0.0.1 0
ClientConn:204.198.128.12 90
ClientConn: 20

ClientRate:127.0.0.1 0
ClientRate:204.198.128.12 90
ClientRate:204.198.128.13 90
ClientRate: 20


This works for the most part - when we have a DoS from the Internet
(cable modem kiddies etc.) we always rate throttle them down and I
see the appropriate message in the syslog about "client rate limit
exceeded".

However - when I have machines in my domain send through these systems
the throttling never helps. They do not have any sort of relay
abilities (these are inbound MX systems only).

I'm thinking one of 2 things could be happening:

1) the clientconn & clientrate automatically exempt mail from/to your
own domain
2) the sending MTAs are opening up one SMTP connection and shoving
through so many emails in that one connection

So 2) would imply that these settings can only limit the number of
connections and the rate of connections but not the number of emails.

Grant Taylor

Apr 7, 2009, 2:19:15 PM
On 04/07/09 09:14, mik...@gmail.com wrote:
> So 2) would imply that these settings can only limit the number of
> connections and the rate of connections but not the number of emails.

That is correct. That's also why it's named "Conn*".

I think you are looking for something like "milter-limit"
(http://www.snertsoft.com/sendmail/milter-limit/) from SnertSoft.
Milter-limit (and the like) can be used to rate limit the number of
messages a given client can send in a specified amount of time.

Grant. . . .

sci...@mail.ru

May 20, 2009, 11:46:51 AM
> However - when I have machines in my domain send through these systems
> the throttling never helps.  They do not have any sort of relay
> abilities (these are inbound MX systems only).

> I'm thinking one of 2 things could be happening:
> 1) the clientconn & clientrate automatically exempt mail from/to your
> own domain

Relay abilities are not required to bypass clientconn & clientrate.
It is enough to have the following records in the access file

CONNECT:yourdomain.org OK
(if the domain name has "closing" "A" DNS records, as is explained here -
http://www.phwinfo.com/forum/comp-mail-sendmail/255563-access-db-blocking-entire-domain.html)
CONNECT:your_local_net OK

to skip the RateControl ruleset.

FEATURE(`delay_checks') is the 2nd ability to bypass RateControl.
README: "FEATURE(`delay_checks') delays those connection control
checks after a recipient address has been received, hence making these
connection control features less useful."

> 2) the sending MTAs are opening up one SMTP connection and shoving
> through so many emails in that one connection

You can limit the number of emails per one session as it is described
here
http://groups.google.com/group/comp.mail.sendmail/browse_thread/thread/c72500154ce4fef6/def3394c7d6cc84f?lnk=gst&q=define(%60SMTP_MAILER_MAXMSGS%27%2C%6020%27)#def3394c7d6cc84f

> So 2) would imply that these settings can only limit the number of
> connections and the rate of connections but not the number of emails.

RateControl & ConnControl + new special mailer (if you need to
restrict only connections from some nets or IP) or
define(`SMTP_MAILER_MAXMSGS', `value') for any SMTP connections +
some rules in LOCAL_RULE_0 to choose new mailer (if you need to
restrict only selective connections) can completely solve this task.
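
One way to check hypothesis 2 from the thread on an inbound MX, as an added example that is not part of any post above: count messages per SMTP session from the sendmail log and compare that with the number of connections per client. It assumes the usual sendmail syslog `from=` line layout and that each inbound connection is served by its own child process, so the PID in `sendmail[PID]` identifies the session; the log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
Apr  7 10:14:01 mx1 sendmail[4101]: n37EE1aa004101: from=<a@example.net>, size=2048, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Apr  7 10:14:02 mx1 sendmail[4101]: n37EE2ab004101: from=<a@example.net>, size=2051, class=0, nrcpts=1, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Apr  7 10:14:02 mx1 sendmail[4101]: n37EE2ac004101: from=<a@example.net>, size=1990, class=0, nrcpts=1, msgid=<3@example.net>, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Apr  7 10:14:03 mx1 sendmail[4101]: n37EE3ad004101: from=<a@example.net>, size=2100, class=0, nrcpts=1, msgid=<4@example.net>, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Apr  7 10:14:05 mx1 sendmail[4150]: n37EE5aa004150: from=<b@example.org>, size=900, class=0, nrcpts=1, msgid=<5@example.org>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Apr  7 10:14:09 mx1 sendmail[4162]: n37EE9aa004162: from=<b@example.org>, size=910, class=0, nrcpts=1, msgid=<6@example.org>, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]
Apr  7 10:14:09 mx1 sendmail[4162]: n37EE9aa004162: to=<user@example.com>, delay=00:00:00, mailer=local, stat=Sent
"""

# One "from=" line is logged per accepted message; capture PID, queue ID, client IP.
FROM_RE = re.compile(
    r"sendmail\[(\d+)\]: (\w+): from=.*relay=.*\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def summarize(lines):
    """Return {client_ip: (connections, messages, max_messages_in_one_connection)}."""
    sessions = defaultdict(set)          # (ip, pid) -> queue IDs seen in that session
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            pid, qid, ip = m.groups()
            sessions[(ip, pid)].add(qid)
    per_ip = {}
    for (ip, _pid), qids in sessions.items():
        conns, msgs, peak = per_ip.get(ip, (0, 0, 0))
        per_ip[ip] = (conns + 1, msgs + len(qids), max(peak, len(qids)))
    return per_ip

def over_limit(per_ip, max_msgs_per_conn):
    """Clients that pushed more than max_msgs_per_conn messages through one connection."""
    return sorted(ip for ip, (_c, _m, peak) in per_ip.items()
                  if peak > max_msgs_per_conn)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, (conns, msgs, peak) in sorted(stats.items()):
        print(f"{ip}: connections={conns} messages={msgs} peak_per_connection={peak}")
    print("over 2 messages per connection:", over_limit(stats, 2))
```

A client with few connections but a high per-connection peak stays under any ClientRate or ClientConn value while still delivering many messages. PIDs can be reused over a long log, so run this over a bounded time window.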
