Discussion:
How granular are Anvil settings ?
Fazzina, Angelo
2016-08-03 18:03:35 UTC
Hi,
I did not see any options to implement these settings at different limits for different IP ranges ?

smtpd_client_connection_rate_limit = 500
smtpd_client_message_rate_limit = 500
smtpd_client_recipient_rate_limit = 500
smtpd_client_new_tls_session_rate_limit = 500

I know the setting to make certain networks exempt from Anvil rate limits, but wondered if there could be multiple
configurations depending on the client that is connecting to postfix ?

If this is not possible, thank you for telling me so.

-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG-Linux/ M&C
860-486-9075
Noel Jones
2016-08-03 18:06:22 UTC
Post by Fazzina, Angelo
> Hi,
> I did not see any options to implement these settings at different
> limits for different IP ranges ?
>
> smtpd_client_connection_rate_limit = 500
> smtpd_client_message_rate_limit = 500
> smtpd_client_recipient_rate_limit = 500
> smtpd_client_new_tls_session_rate_limit = 500
>
> I know the setting to make certain networks exempt from Anvil rate
> limits, but wondered if there could be multiple
> configurations depending on the client that is connecting to postfix ?
> If this is not possible, thank you for telling me so.

not possible.

-- Noel Jones
Viktor Dukhovni
2016-08-03 18:14:05 UTC
Post by Fazzina, Angelo
> Hi,
> I did not see any options to implement these settings at different limits for different IP ranges ?
>
> smtpd_client_connection_rate_limit = 500
> smtpd_client_message_rate_limit = 500
> smtpd_client_recipient_rate_limit = 500
> smtpd_client_new_tls_session_rate_limit = 500
>
> I know the setting to make certain networks exempt from Anvil rate limits, but wondered if there could be multiple
> configurations depending on the client that is connecting to postfix ?

It sounds like your intention is to use anvil for fine-grained rate
limits. This would be a mistake.

Anvil is only designed to reduce the chance that one or a small
handful of misconfigured or poorly designed clients *accidentally*
hog all the resources of your server.

Anvil does not prevent DoS attacks and is not suitable for traffic
shaping. Overly strict limits can substantially degrade your SMTP
service, by introducing long delays for email from legitimate
high-volume senders.
--
Viktor.
Wietse Venema
2016-08-03 18:46:42 UTC
Post by Viktor Dukhovni
> Post by Fazzina, Angelo
>> Hi,
>> I did not see any options to implement these settings at different limits for different IP ranges ?
>>
>> smtpd_client_connection_rate_limit = 500
>> smtpd_client_message_rate_limit = 500
>> smtpd_client_recipient_rate_limit = 500
>> smtpd_client_new_tls_session_rate_limit = 500
>>
>> I know the setting to make certain networks exempt from Anvil rate limits, but wondered if there could be multiple
>> configurations depending on the client that is connecting to postfix ?
>
> It sounds like your intention is to use anvil for fine-grained rate
> limits. This would be a mistake.
>
> Anvil is only designed to reduce the chance that one or a small
> handful of misconfigured or poorly designed clients *accidentally*
> hog all the resources of your server.
>
> Anvil does not prevent DoS attacks and is not suitable for traffic
> shaping. Overly strict limits can substantially degrade your SMTP
> service, by introducing long delays for email from legitimate
> high-volume senders.

I suggest that you look at your peaks for legitimate traffic, and
configure anvil limits at 10x those peak values. If you set the
limit too low, legitimate email will pile up.

Wietse
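
One way to apply the advice above (measure legitimate peaks, then set the limits at 10x), as an added example that is not part of the original thread. It assumes anvil's periodic statistics lines have the shape matched by `STAT_RE` and that you can list your known-legitimate client networks; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed shape of anvil(8) statistics lines; "/60s" is the anvil rate time unit.
STAT_RE = re.compile(r"statistics: max (?P<kind>connection|message|recipient|newtls) rate "
                     r"(?P<rate>\d+)/\d+s for \((?P<svc>[^:)]+):(?P<client>[^)]+)\)")
PARAM = {  # counter name in the log -> main.cf parameter named in the thread
    "connection": "smtpd_client_connection_rate_limit",
    "message": "smtpd_client_message_rate_limit",
    "recipient": "smtpd_client_recipient_rate_limit",
    "newtls": "smtpd_client_new_tls_session_rate_limit",
}
# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
mx1 postfix/anvil[2101]: statistics: max connection rate 12/60s for (smtp:192.0.2.10) at Aug  3 17:01:44
mx1 postfix/anvil[2101]: statistics: max connection count 4 for (smtp:192.0.2.10) at Aug  3 17:01:40
mx1 postfix/anvil[2101]: statistics: max message rate 30/60s for (smtp:198.51.100.7) at Aug  3 17:03:10
mx1 postfix/anvil[2101]: statistics: max recipient rate 45/60s for (smtp:198.51.100.7) at Aug  3 17:03:10
mx1 postfix/anvil[2101]: statistics: max newtls rate 8/60s for (smtp:192.0.2.10) at Aug  3 17:05:02
mx1 postfix/anvil[2240]: statistics: max connection rate 400/60s for (smtp:203.0.113.99) at Aug  3 18:20:31
mx1 postfix/anvil[2240]: statistics: max connection rate 20/60s for (smtp:198.51.100.7) at Aug  3 18:40:00
"""

def peak_rates(lines, legit_nets, service="smtp"):
    """Highest per-client rate per counter, counting only known-legitimate clients."""
    nets = [ipaddress.ip_network(n) for n in legit_nets]
    peaks = {}
    for line in lines:
        m = STAT_RE.search(line)
        if not m or m.group("svc") != service:
            continue  # skips "connection count" lines and other services
        kind, rate, client = m.group("kind"), int(m.group("rate")), m.group("client")
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # client field is not an IP address
        if any(addr in n for n in nets) and rate > peaks.get(kind, (0, None))[0]:
            peaks[kind] = (rate, client)
    return peaks

def suggest_limits(lines, legit_nets, factor=10):
    """main.cf values at `factor` times the observed legitimate peak."""
    peaks = peak_rates(lines, legit_nets)
    return {PARAM[kind]: rate * factor for kind, (rate, _) in peaks.items()}

if __name__ == "__main__":
    nets = ["192.0.2.0/24", "198.51.100.0/24"]  # assumed legitimate senders
    for name, value in sorted(suggest_limits(SAMPLE_LOG.splitlines(), nets).items()):
        print(f"{name} = {value}")
```

The 400/60s client outside the listed networks is ignored, so it does not inflate the suggested connection limit.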
