mta limit session-transaction-delay 10
Is there any way to limit where this is implemented? Such as only
sessions from a specific server (via tag, action, match, etc.)?
From my limited understanding of the few bits of code I read, around
this and other mta options, those "limit" options seem to be global.
There are other (global) knobs that maybe do something to the scheduling
per domain or host, but I haven't tried any of those and I think they
rather apply to retries. Check out ./usr.sbin/smtpd/limit.c, function
limit_mta_set().
I ran a few rough grep(1)s through the sources, by guessing related
strings, but I didn't find anything related to action or match.
My current understanding is we could consider some different levels of
compromise:
1. Only the service is compromised (e.g., PHP) - this would limit
message sending to how the server is configured to send mail.
[...]
at least in the event an attacker only compromises a service I can
still limit damage to the mail relay server IP address reputation.
Mh... good thinking, I agree. I appreciate you sharing your reasoning :)