On 7/24/2012 12:44 AM, CSS wrote:
> 
> On Jul 24, 2012, at 1:24 AM, Stan Hoeppner wrote:
> 
>> On 7/23/2012 4:16 PM, CSS wrote:
>>
>>> I'd like to take some measures to limit what an authenticated sender can do 
>>> but not limit legitimate use.
>>
>> See:
>> http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
>>
>> You would apply this to your submission service, eg:
>>
>> 587      inet  n       -       n       -       -       smtpd
>>      -o smtpd_enforce_tls=yes
>>      -o smtpd_sasl_auth_enable=yes
>>      -o smtpd_client_connection_rate_limit=1
>>
>> This limits spammers and legit users to 1 msg/min, 60 msgs per hour.
>> Postfix is not psychic.
>>
>> This may be a problem for roaming users who send batches of mails when
>> they get a connection--10 msgs takes 10 minutes.  Thus, as with
>> anything, some analysis and [re]tuning will be required.  If you trust
>> some users to never have their acct compromised, you can always create
>> multiple submission services on different ports and have different
>> limits for different sets of users, or even no limits for some.
>>
>> Not a perfect solution, but better than what you have now.

> If I can cobble this thing together, the quota module offers things like 
> messages per day or per hour, which is a fairly reasonable way to restrict 
> customers.

Apparently you didn't read the docs I provided.
http://www.postfix.org/postconf.5.html#anvil_rate_time_unit

The time unit over which client connection rates and other rates are
calculated.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds)

> Are there any other specific policy daemons I've missed that deal explicitly 
> with rate-limiting?

Probably.  But I think you summarily discounted the inbuilt Postfix
equivalent too quickly, without even looking at it.  You can have it
running in less than 60 seconds.

> It seems like the internet as whole would certainly benefit from a 
> dead-simple policy daemon that could thwart the attempts of spammers using 
> hijacked credentials to spew their junk.

You'd think human beings would be smart enough to follow directions and
use strong passwords, AV software, etc., and not fall for phishing scams.
Your adversary in this war isn't the spammers, it's not the technology,
but your users.

You should not be expending any more time/effort on the tech piece of
the solution beyond finding the most basic rate limiting tool and
enabling it to prevent spewage, right now.  This is the smallest battle
in this war.

The big battles are user education (AV software on their machines, safe
surfing habits, anti-phish education, etc), and wholesale forcing all
users to change to *enforced* strong passwords.

The user related stuff wins this war.  The tech portion merely decreases
the amount of damage per clueless user battle.

-- 
Stan

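As an added example (not part of Stan's message and not taken from the Postfix documentation), this is how the submission-service limit and the anvil time unit discussed in this thread fit together in main.cf and master.cf. The numeric limits are assumed for illustration; the parameter names are real Postfix parameters.

```conf
# main.cf (added example; the values are illustrative)

# anvil_rate_time_unit is global: it applies to every anvil rate limit,
# including the client connection limits on the port 25 smtpd, so
# raising it to one hour here changes the meaning of those as well.
anvil_rate_time_unit = 3600s

# Clients in $mynetworks are exempt from all anvil limits by default.
# Narrow this if the office LAN should also be limited.
smtpd_client_event_limit_exceptions = $mynetworks

# master.cf (the -o overrides apply only to this port 587 service)
#
# Both limits are counted per client IP address, not per SASL login:
# many users behind one NAT share a single budget, and a hijacked
# account used from many addresses gets a fresh budget at each one.
# smtpd_client_connection_rate_limit counts connections; a single
# connection can carry many messages, which is why the message limit
# is set alongside it.  With the 3600s unit above, 60 means 60/hour.
587       inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_connection_rate_limit=60
  -o smtpd_client_message_rate_limit=60
```

When a client exceeds either limit, smtpd defers with a temporary error and logs a "rate limit exceeded" warning, so the mail log is the place to see which addresses are hitting the ceiling before tightening or loosening the numbers.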