Sorry, no exceptions.
That does not solve your problem: there is no requirement that the
CLIENT sends AT MOST 100 recipients.

There is, however, a requirement in the RFC that the SERVER accept
AT LEAST 100 recipients. This can be enforced on the Postfix server
side.

I'll put that on the TODO list for Postfix 2.2 snapshots. This is
too late for making an incompatible change with 2.1.

Wietse

But that's not what the RFC says. If it wanted a upper bound of
100 for sending, and a lower bound of 100 for receiving, then it
would have specified an internet-wide limit of 100.
That is how I read the RFC. Send 4xx for the recipients that you
won't accept now so they can be sent as part of a later MAIL
transaction. Aside from smtpd_hard_error_limit, this is exactly
what Postfix implements.
RFC 821 recommended sending "552 Too many recipients" but that
was fixed later in RFC 1123 or something. Postfix always treats
5XX as a don't try again class error.

Wietse

As long as Postfix is not the largest email market share holder,
optimizing for Postfix-to-Postfix does not make sense. Amdahl's
law says optimize the common case not the exception.

I'm not inclined to put in all restrictions on parameters that
don't work anyway if you're talking to non-Postfix systems.

Wietse

There is a reason why Postfix sends significantly less recipients
than the required 100 minimum server limit.
Yes. This cache already exists and it is called the deferred queue.
If an MTA does not accept $smtpd_destination_recipient_limit
recipients (default: 50), then:

1 - Either the remote site is mis-configured. Tough, it's their
mail that they aren't receiving and that will teach them.

2 - The local MTA sends more than the recommended number of
recipients. Tough. It's their queue and that will teach them.

I don't see why Postfix needs to be extended up with additional
protocol handling features just because some untermensch changes
parameters without knowing what they are doing.

The fix is not to added more mechanisms to Postfix, but to educate.

- Release N: Log the warning and ignore invalid the parameter
setting.

- Release N+M: Abort when an invalid setting is found.

I am considering putting in the "release N" change by 2.1.

Wietse

Can anyone explain if this <100 limit is a Debian feature or
just an idiot adminstrator thing?

Wietse

Postfix, with (smtpd_recipient_limit + smtpd_hard_error_limit) << 100.

In either case, no point optimizing the main release because some
minority of MTAs on the Internet is mis-configured.

You mean, they will send over a thousand recipients pipelined, and
then expect to get a burst of tens of 452 replies back when they
hit the server's recipient limit?

Just trying to figure out what is going on in the brains there. The
workaround for these would be to zero the soft and hard error limits.

Wietse

Like this?


*** ./smtpd.c- Wed Apr 21 09:02:58 2004
--- ./smtpd.c Wed Apr 21 10:43:44 2004
***************
*** 1414,1419 ****
--- 1414,1420 ----
}
if (var_smtpd_rcpt_limit && state->rcpt_count >= var_smtpd_rcpt_limit) {
state->error_mask |= MAIL_ERROR_POLICY;
+ state->error_count--;
smtpd_chat_reply(state, "452 Error: too many recipients");
return (-1);
}

Actually, this is better: don't raise the error condition.

However, I agree that this is not safe unless there is a hard limit
on the amount of replies that Postfix will give in this manner.

Wietse

*** ./smtpd.c- Wed Apr 21 09:02:58 2004
--- ./smtpd.c Wed Apr 21 10:49:03 2004
***************
*** 1413,1421 ****
}
}
if (var_smtpd_rcpt_limit && state->rcpt_count >= var_smtpd_rcpt_limit) {
- state->error_mask |= MAIL_ERROR_POLICY;
smtpd_chat_reply(state, "452 Error: too many recipients");
! return (-1);
}
if (SMTPD_STAND_ALONE(state) == 0) {
if ((err = smtpd_check_rcpt(state, argv[2].strval)) != 0) {
--- 1413,1420 ----
}
}
if (var_smtpd_rcpt_limit && state->rcpt_count >= var_smtpd_rcpt_limit) {
smtpd_chat_reply(state, "452 Error: too many recipients");
! return (0);
}
if (SMTPD_STAND_ALONE(state) == 0) {
if ((err = smtpd_check_rcpt(state, argv[2].strval)) != 0) {

With Postfix 2.1, the 452 replies are pipelined without error sleep
delays, unless the client already bumped the error counter past
the soft error limit. Changing that requires redesign and testing,
and will push the 2.1 release until July 2004.

With Postfix 2.0, the 452 replies are not pipelined. Postfix will
pause $smtpd_error_delay for every 452 reply (more delay if the
client already bumped the error counter past the soft error limit).
Changing that is beyond the support contract for a stable release.

Postfix 1.1 is no longer supported.

Wietse

How many recipients will Exchange 2000/2003 have sent "ahead of
the server replies" when the server starts replying "452 too many
recipients"?

Simply accepting an unlimited number of RCPT TO commands is not an
option. Postfix maintains a record of SMTP commands for trouble
shooting. This record size must be limited in size to avoid memory
exhaustion vulnerabilities.

Wietse

I came at the same number from the other end: 1000*2048 = 2MB for
maximal length RCPT TO commands.

I do hope that actual implementations need much less than this.

By the way, do we know how MS pipelining works? Postfix buffers up
to 4kbyte of command or reply text in process, so that multiple
commands or replies are sent at once, and avoids long periods of
silence by flushing the buffer early.

Wietse

Ok, that's about 10 kbytes. the proposed 1000 recipient overshoot limit
can deal with this.

Wietse

..
Not a problem unless you receive mail with more than 1020 recipients.

Wietse

I have only one change: the recipient overshoot count is reset only
after successful delivery. I moved this to the rcpt_reset() routine
so it also works after RSET.

The nasty is that the overshoot count reset must not happen without
command history reset. Currently, rcpt_reset() is always called as
the last in a fixed reset sequence of (chat_reset, mail_reset,
rcpt_reset) but enforcing this sequence would require something
like a DAMN_THE TORPEDOES_AND_RESET_EVERYTHING() macro.

Wietse

The old limit was 100, in the expectation that reasonable clients
would not send more than the RFC required server supported limit
of 100. This theory was disproved already today.
By this reasoning the hard error limit would have to exceed the
recipient limit (1000) + the overshoot limit (1000) which practically
means that the hard/soft limit should be inifinite by default.

Wietse
limit

To understand: I'm trying to solve the problem at the source (it's
the server that initiated the disconnect, after all) instead of
piling up workarounds on the client (reconnect immediately after
421 and resume delivery in the middle of the recipient list).

If the server is willing to receive up to 1000 recipients, then it
should be prepared for the possibility that the first 999 recipients
will have to be 4XX deferred and that only the last recipient will
be accepted, however unlikely that may be. Overshoot by agressive
PIPELINING is a separate issue.

Possible server side solutions:

1 - 4XX Errors don't count towards the server hard error limit. This
means maintaining multiple error counters because I don't want to
allow 4XX errors to happen without some limit.

2 - 4XX Errors do count towards the hard error limit, and the default
server hard error limit equals the recipient limit, so that the
server will not disconnect prematurely while receiving legitimate
mail. It will just slow down a little after the soft error limit
is reached.

The change #2 is possible for Postfix 2.1.

In order to fix 2.0, both the server soft and hard error limits
would have to default to the (possibly reduced) server recipient
limit. Small sites will not notice any difference at all except
that Postfix wastes less time, so the number of SMTPD processes
goes down a little. Big sites will notice fewer "too many errors"
while receiving multi-recipient mail.

Sites that are using older versions will eventually be replaced.
I prefer to eliminate the problem at the source, instead of keeping
the problem in the server and piling up workarounds in the client.
The server hard limit of 100 does not solve the problem as long as
the server recipient limit is an order of magnitude larger. Although
only few sites receive 1000-recipient mail, that is no excuse to
ship a default configuration that cripples such sites.

Changing the SMTP client to reconnect after 421 and to resume in
the middle of a recipient list means investing a lot of energy
energy in a workaround. I would much prefer to eliminate the
problem at the source, and eliminate the premature server disconnect
from the default configuration.

This means adding some extra warnings to the new server hard limit
documentation that reducing the hard limit may result in persistent
mail delivery failures.

Wietse

Looks like up to some 400 recipients of overshoot.

Postfix 2.1.0 (and 2.0.20) will handle that it without sweat.

Thanks for the numbers.

Wietse

No. I wrote a patch, Victor extended it, and I fixed Victor's extension.
I am doing nothing with them. That change would be too visible and
most certainly could not be made retroactively.

The pipelining overshoot fix should take care of the most common
problem: sending more recipients than the hard error limit allows.

You can see the result in the first Postfix 2.2 snapshot. 2.1 is
frozen and will be released in a day or so. Further changes must
be field tested in 2.2 snapshots.

Wietse