Connection rate limiting is ignoring check_recipient_access?

From: Geoff (postfixc4b.co.uk)
Date: Sun Jul 02 2006 - 03:07:59 CDT


Sorry if this has been covered before - I couldn't find anything similar in the archives.

I'm running 2.2.10 and have my rate limiting params as shown below (from postconf -n).

The intention is to limit connections from spammers to not more than 1 per 5 minutes. Rate limiting works just fine with the exception of when the first connections are REJECTed by check_recipient_access. If you look at the extract from the maillog shown below you can see that the first 6 connections from this spammer were rejected by check_recipient_access but were ignored for connection rate counting purposes - it was only when one got as far as reject_unverified_sender that it registered as a 'hit' on the connection count. All further connections within the 5 minute period were then rejected as expected.

Is this correct behaviour? This has effectively allowed this spammer 7 connections in 15s and effectively bypassed the rate limit. I thought one of the tenets of the rate limiting approach was to slow spammers down to a crawl so they get bored and go somewhere else! By ignoring the initial connections Postfix is still allowing the spammer access for "address-validation" purposes.

Your thoughts please? Thanks.
Geoff.

--
anvil_rate_time_unit = 300s
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 1
smtpd_client_event_limit_exceptions = $mynetworks .[a trusted domain].co.uk

smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/reject_clients
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions = reject
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/reject_recipients, check_sender_access hash:/etc/postfix/allow_senders, reject_unverified_sender
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/reject_senders,
body_checks = regexp:/etc/postfix/reject_bodies
header_checks = regexp:/etc/postfix/reject_headers

Jun 28 22:03:23 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
Jun 28 22:03:24 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <webmastermydomain.net>: Recipient address rejected: Domain not known; from=<Mallory.Nelsonearthlink.net> to=<webmastermydomain.net> proto=ESMTP helo=<Y0001.qoi3ilii.org>
Jun 28 22:03:28 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <uucpmydomain.net>: Recipient address rejected: Domain not known; from=<Tessa.Gambleearthlink.net> to=<uucpmydomain.net> proto=ESMTP helo=<Y0001.qoi3ilii.org>
Jun 28 22:03:28 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <testmydomain.net>: Recipient address rejected: Domain not known; from=<Tessa.Gambleearthlink.net> to=<testmydomain.net> proto=ESMTP helo=<Y0001.qoi3ilii.org>
Jun 28 22:03:29 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <supportmydomain.net>: Recipient address rejected: Domain not known; from=<Tracey.Blountearthlink.net> to=<supportmydomain.net> proto=ESMTP helo=<Y0001.qoi3ilii.org>
Jun 28 22:03:30 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <servicemydomain.net>: Recipient address rejected: Domain not known; from=<Daphne.Starksearthlink.net> to=<servicemydomain.net> proto=ESMTP helo=<Y0001.qoi3ilii.org>
Jun 28 22:03:31 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <salesmydomain.net>: Recipient address rejected: Domain not known; from=<Gordon.Joyceearthlink.net> to=<salesmydomain.net> proto=ESMTP helo=<Y0001.qoi3ilii.org>
Jun 28 22:03:36 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 554 <Gordon.Joyceearthlink.net>: Sender address rejected: undeliverable address: host mx4.earthlink.net[209.86.93.229] said: 550 Gordon.Joyceearthlink.net...User unknown (in reply to RCPT TO command); from=<Gordon.Joyceearthlink.net> to=<rootmydomain.net> proto=ESMTP helo=<Y0001.qoi3ilii.org>
Jun 28 22:03:38 shoebox postfix/smtpd[18206]: lost connection after DATA from unknown[202.101.73.90]
Jun 28 22:03:38 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
Jun 28 22:03:41 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
Jun 28 22:03:41 shoebox postfix/smtpd[18206]: warning: Connection rate limit exceeded: 2 from unknown[202.101.73.90] for service smtp
Jun 28 22:03:41 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
Jun 28 22:03:42 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
Jun 28 22:03:42 shoebox postfix/smtpd[18206]: warning: Connection rate limit exceeded: 3 from unknown[202.101.73.90] for service smtp
Jun 28 22:03:42 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
etc.
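
Added example, not part of the original post: a Python log summarizer for smtpd lines in the format quoted above. For each client address it tallies connect lines, rate-limit refusals and RCPT rejects, and records the largest number of RCPT rejects inside one session, so that connection counts and per-session recipient probing can be told apart. The sample log is constructed (documentation addresses 192.0.2.x, placeholder domain example.net), and the function names and the threshold of 5 are assumptions.

```python
import re
from collections import Counter, defaultdict

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
CLIENT_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")  # first [addr] in the message is the client

def summarize(log_text):
    """Per client IP: connects, rate-limit refusals, RCPT rejects, max rejects in one session."""
    stats = defaultdict(Counter)
    session = Counter()  # (pid, ip) -> RCPT rejects since that process logged "connect"
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        ip_m = CLIENT_IP.search(m.group(2)) if m else None
        if not ip_m:
            continue
        pid, msg, ip = m.group(1), m.group(2), ip_m.group(1)
        if msg.startswith("connect from "):
            stats[ip]["connects"] += 1
            session[(pid, ip)] = 0
        elif msg.startswith("NOQUEUE: reject: RCPT from "):
            session[(pid, ip)] += 1
            stats[ip]["rcpt_rejects"] += 1
            stats[ip]["max_rejects_per_session"] = max(
                stats[ip]["max_rejects_per_session"], session[(pid, ip)])
        elif msg.startswith("warning: Connection rate limit exceeded"):
            stats[ip]["rate_limited"] += 1
    return {ip: dict(c) for ip, c in stats.items()}

def probing_clients(stats, threshold=5):
    """Clients with `threshold` or more RCPTs rejected in a single session."""
    return sorted(ip for ip, s in stats.items()
                  if s.get("max_rejects_per_session", 0) >= threshold)

def build_sample():
    # Constructed sample, not real traffic; same line shapes as the excerpt above.
    pre, c = "Jun 28 22:03:%02d mx postfix/smtpd[%d]: ", "unknown[192.0.2.10]"
    rej = ("NOQUEUE: reject: RCPT from %s: 550 <%s@example.net>: Recipient "
           "address rejected: Domain not known; to=<%s@example.net>")
    out = [pre % (23, 18206) + "connect from " + c]
    for i, u in enumerate("webmaster uucp test support service sales root".split()):
        out.append(pre % (24 + i, 18206) + rej % (c, u, u))
    for sec, n in ((41, 2), (42, 3)):
        out.append(pre % (sec, 18206) + "connect from " + c)
        out.append(pre % (sec, 18206) + "warning: Connection rate limit "
                   "exceeded: %d from %s for service smtp" % (n, c))
    out.append(pre % (50, 18300) + "connect from unknown[192.0.2.77]")
    out.append(pre % (51, 18300) + rej % ("unknown[192.0.2.77]", "info", "info"))
    return "\n".join(out)
```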