[nycbug-talk] Postfix filter for Exchange

Trish Lynch trish at bsdunix.net
Thu Jul 27 12:25:28 EDT 2006


*laugh* yeah, I'm one of those who doesn't think twice about hacking sendmail.cf rulesets if I need to, and saving it as a local ruleset in an mc file for m4 macros later.

At some point around 1997 I couldn't sleep because of a sendmail problem I was having, and I was beating my head over the bat book, fell asleep and was dreaming in .cf, and I woke up practically screaming "I got it!", my girlfriend at the time was annoyed, but I was excited as sendmail.cf finally clicked for me.

I went, wrote the ruleset (which at the time was a dnsbl rule before dnsbl rules were written already), tested it on a phony dnsbl on my own nameserver, and fell right to sleep, feeling accomplished, learning something, and becoming one of the few people in the world who knows sendmail.cf like instinct now.

-Trish
-- 
Trish Lynch
M: 646-401-1405
H: 201-378-0434    

-----Original Message-----
From: "Peter Wright" <pete at nomadlogic.org>
Date: Thu, 27 Jul 2006 09:10:29 
To:"Trish Lynch" <trish at bsdunix.net>
Cc:"Pete Wright" <pete at nomadlogic.org>, talk at lists.nycbug.org
Subject: Re: [nycbug-talk] Postfix filter for Exchange


> On Thu, 27 Jul 2006, Pete Wright wrote:
>
>> Hi All,
>> 	So for some reason we run exchange as our mail store, and
>> frankly I'd rather not start another fight as to how we should probably
>> move to more robust mail solution.  we do have an issue where runaway
>> scripts start generating *tons* of email in a very short period of time.
>> We have been trying our best to resolve this issue by bludgeoning those
>> who write the offending code, but it still happens from time to time.
>>
>> 	So, to help us out with this I am going to propose putting a
>> Postfix filter in front of the exchange server to kill these mail bombs
>> before they take down exchange.  The exchange admins promise there is
>> nothing they can do to properly rate limit, or kill these mail bombs
>> before spooling them.  I am not so sure about that, but do not have the
>> time to learn exchange.
>>
>> 	Has anyone implemented such a solution for a high-volume
>> mailserver, if so any caveats i should be looking out for?  Or is there
>> a sendmail milter that does this already that i don't know about?
>>
>> thanks!
>> -pete
>>
>>
>
> I actually use sendmail to ratelimit this kind of stuff fairly easily
> actually. There are a couple settings in sendmail.cf that throttle
> connection frequency, one is
>
> # maximum number of new connections per second
> O ConnectionRateThrottle=8
>
>
> Also, you can do things like this:
>
> # load average at which we just queue messages
> #O QueueLA=8
>
> # load average at which we refuse connections
> #O RefuseLA=12
>
> # log interval when refusing connections for this long
> #O RejectLogInterval=3h
>
> # load average at which we delay connections; 0 means no limit
> #O DelayLA=0
>
> # maximum number of children we allow at one time
> #O MaxDaemonChildren=0
>
>
> and tune those so that it doesn't get so out of hand as well, no need for
> milters, this is all sendmail.cf settings itself.
>
> I mean theoretically you can also write something in .cf itself to filter
> the keywords from the offending scripts.... *laugh*
>
> Hope that helps.
>

hey thanks trish!

i thought about sendmail rate limiting for a bit, but frankly we just want
these mails to go to /dev/null.  9 times outta 10 we have a user write a
script that will email 100 people when a render job is finished - yet the
script has no logic so gets caught in a loop and starts flooding the
exchange box.  at this point - we don't even want these emails to get to
exchange.  sadly, i'm a little shy to start hacking sendmail to do this as
i am already pretty fluent in postfix....maybe it's time to stop slacking
and get my sendmail.cf foo up to par ;)

-pete



-- 
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459
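
Added example, not part of the thread or of any poster's setup: a sketch of the decision logic for a Postfix policy delegation service that sits in front of Exchange and answers DISCARD once one sender from one client exceeds a per-window limit, which matches the "go to /dev/null" behaviour asked for above. The class and function names, the limit of 100 and the 60-second window are assumptions; because the check is assumed to run at RCPT TO, each recipient counts as one event.

```python
from collections import defaultdict, deque

class SenderThrottle:
    """Sliding-window counter keyed on (client_address, sender)."""

    def __init__(self, limit=100, window=60.0):  # assumed threshold and window
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def decide(self, attrs, now):
        sender = attrs.get("sender", "").lower()
        if not sender:
            return "DUNNO"  # null sender (bounces): leave to other restrictions
        stamps = self.seen[(attrs.get("client_address", ""), sender)]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # forget events that fell out of the window
        if len(stamps) >= self.limit:
            return "DISCARD runaway sender throttled"  # accepted, then dropped
        stamps.append(now)
        return "DUNNO"  # no opinion, later restrictions still apply

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def handle(text, throttle, now):
    """Return the reply Postfix expects: one action line plus an empty line."""
    return "action=%s\n\n" % throttle.decide(parse_request(text), now)

if __name__ == "__main__":
    # Constructed request, as smtpd would send it at RCPT TO time.
    req = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
           "client_address=192.0.2.10\nsender=render@example.com\n"
           "recipient=artist@example.com\n\n")
    t = SenderThrottle(limit=3, window=60.0)
    for second in (0, 1, 2, 3, 61):
        print(second, handle(req, t, float(second)).strip())
```

The counters live in one process's memory; if Postfix starts several copies of the policy service, each copy counts separately, so an exact limit needs a shared store.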



