Dietmar Braun wrote: > > Ok, so if it's in bytes, the description in policyd.conf is wrong, > unfortunately. Thank you for clearifying. > >> What's your SMTP server's setting 00 if any -- on the maximum size of >> any email message? In postfix, it's defined in the main.cf file in the >> variable "message_size_limit". It makes sense to match that with the >> policyd setting, "SENDERMSGSIZE." Is it possible that it's being >> rejected by the SMTP server anyway, because the message size is already >> too big? If you tink some emails are getting through, based on the >> policyd and mail logs, you should be able to find evidence of some that >> did get delivered, and hence be able to check what the real size of the >> message was. If not, then none of them probably ever really got delivered. > > No. We have Postfix message_size_limit of 15MB and to not bother > that, I set SENDERMSGSIZE to 20MB (20480000). > If policyd kicks in before your MTA (I'm assuming postfix), then it will monitor the byte count of the message, but for the first however-many messages you permit to be processed further by postfix, they will all get rejected by postfix if the postfix setting for message_size_limit is 15 MB. I would strongly recommend setting both limits to be identical (as well as on any mail hosts that may also have a limit set).
> What I am really wondering are the things shown in this two lines of > log occuring directly one after another: > > 2008-02-21 13:01:44 smtp2 local1.info policyd policyd[28701]: [ID > 739646 local1.info] rcpt=172608, throttle=update(a), > host=x.x.x.x, from=<>, [EMAIL PROTECTED], > size=8876/20480000, quota=3007356/200000000, count=57/1000(57), > rcpt=58/1000(58), threshold=1|5|5 > > 2008-02-21 13:02:29 smtp2 local1.info policyd policyd[28701]: [ID > 739646 local1.info] rcpt=172737, throttle=update(p), > host=x.x.x.x, from=xxx, > toxxx, size=7740337/20480000, > quota=498390976/200000000, count=59/1000(59), rcpt=123/1000(123), > threshold=245|5|12 > > As you can see, without any mail between those 2 entries coming from > the same IP running through the system, the Threshold jumps from 1 to > 245 (Factor 2.5, resulting in blacklisting), although the mail > responsible for that is just 7 MB in size and the quota was at 3MB > out of 200 (see above). OK, from one to the next message, you have received 172737 - 172608 + 1 = 140 messages. For the particular sender, you have 59 - 57 = 2 new messages with a total of 123 - 58 = 66 recipients. Now it gets interesting: the bye count jumps from 8876 bytes (of a total accepted of 20.47 MB) to a rather large 7740337 bytes for each message. However, your total byte count reflects approx. 64 messages at 7.74 MB, each, or approx. 500 MB, which is indeed a factor of about 2.5x the threshold on the accepted total size of all messages. The bottom line is that the counts are close -- I would have expected the total byte count reported by policyd to be a bit over 500 MB, but maybe there are small variations in the size for a message that would be sent to each individual recipient? What probably happened is that the remote hosts first sent a couple of small, test messages to see if it get through at all, and then followed up with a large number of messages that with each being over 7 MB. --Tobias > > This just seems to be broken, or am I missing something? > > Although, I could'nt find any information about what means "abuse(f), > abuse(a) and abuse(p)... can anyone clearify that? I believe "a" refers to appending a record, and "f" means fatal -- at or above one or more of the limits, so blocking will now kick in. As to "p", I'm not sure I've ever seen "abuse(p)" in my logs. Perhaps "p" is for "panic" -- if you hit the limit without a previous warning? I see these for the "update" entry, but not for "abuse". I'm sure someone else can explain this better... > Thanks and have a nice weekend! > > Dietmar > > > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Microsoft > Defy all challenges. Microsoft(R) Visual Studio 2008. > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ > _______________________________________________ > policyd-users mailing list > policyd-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/policyd-users ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ policyd-users mailing list policyd-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/policyd-users
