On 4/2/2012 1:51 AM, Jeremie CEINTREY wrote:
> Thank you very much for your explanations.
>
> I'm going to test with smtpd_client_connection_count_limit = 1
>
> Three days ago I added smtpd_client_connection_rate_limit = 10, which limits
> the number of connections by a client to 10 per time unit; a time unit equals
> 60s by default.
> I noticed that it works well and permits slowing down big mailers. As you
> wrote, when a mailing list campaign was in progress, I was able to see
> hundreds of mails arriving from a domain with tail -f /var/log/mail.log |
> grep cleanup
>
> tail -f /var/log/mail.log | grep 'postfix/cleanup.*@domain_of_big_mailer'
>
> Yet, I'm going to test with smtpd_client_connection_count_limit = 1, which
> looks like the smtpd_client_connection_rate_limit and
> smtpd_client_message_(rate|count)_limit parameters.

smtpd_client_connection_count_limit tends to only slow down bulk mailers and not 'normal' non-bulk mailers, which is why I recommended it.

smtpd_client_connection_rate_limit and smtpd_client_message_(rate|count)_limit will delay delivery from 'normal' mailers on occasion, possibly very frequently. This is a negative side effect most would want to avoid. This type of restriction should be configured only on a domain or IP subnet basis so you only affect the bulk mailers. Postfix doesn't have an inbuilt way to do so. These settings are global. Thus, if you want to use this type of rate delay you would want to use an add-on policy daemon. The policy daemon method has a downside: it requires an smtpd process for each connection to be delayed, eating extra system resources.

Setting smtpd_client_connection_count_limit also sets postscreen_client_connection_count_limit if you're using Postfix 2.8 and postscreen. Thus the limit is enforced before connections are handed to smtpd processes, so you don't needlessly eat up additional smtpds.

Thus, it's much simpler and more effective to use smtpd_client_connection_count_limit to achieve your goal, without multiple unwanted side effects.

--
Stan
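
An added example, not part of the original message or of Postfix: the decision logic of the kind of add-on policy daemon mentioned above, speaking the Postfix policy delegation protocol and rate limiting only listed subnets. The subnet, the limits and the function names are assumptions, and it replies with DEFER_IF_PERMIT instead of holding the connection open, which is a different technique from a delay.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed values: a documentation-range subnet standing in for a bulk mailer.
LIMITED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
MAX_REQUESTS = 10   # policy requests allowed per subnet per window (assumed)
WINDOW = 60         # seconds (assumed)

DUNNO = "action=DUNNO\n\n"   # "no opinion": later restrictions decide
DEFER = "action=DEFER_IF_PERMIT Rate limit exceeded, try again later\n\n"

_history = defaultdict(deque)   # subnet -> timestamps of accepted requests


def parse_request(raw: str) -> dict:
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: dict, now: float) -> str:
    """Return the policy reply for one request received at time `now`."""
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return DUNNO                      # missing or unparsable client address
    net = next((n for n in LIMITED_NETS if addr in n), None)
    if net is None:
        return DUNNO                      # 'normal' mailers are never limited
    seen = _history[net]
    while seen and now - seen[0] >= WINDOW:
        seen.popleft()                    # forget requests outside the window
    if len(seen) >= MAX_REQUESTS:
        return DEFER                      # temporary failure, sender retries
    seen.append(now)
    return DUNNO
```

A daemon built around this would read requests from the socket named in a check_policy_service restriction and write back the string decide() returns.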