Dear ISPConfig Dev,

I had a very interesting question from one of our Assembly members: How do you limit Assembly Officers from sending mass emails or a certain number of emails per hour?

So, I logged in to the backend of ISPConfig under Server Config > Mail tab and there is no option I can spot to do the job. So, a quick search online and I was able to find the postfix options required to do the job. However, I wanted to verify with you before calling it done! Please check the following link: https://beamtic.com/rate-limiting-postfix

Based on that article, I have added the anvil_rate_time_unit option under the smtpd_client_message_rate_limit rule in the postfix main.cf file. The smtpd_client_message_rate_limit rule was set at 100 and I changed it to 50 instead, and set the time unit limit to 1 hour. What do you think?

Code:
    # Outgoing message rate limit for users
    smtpd_client_message_rate_limit = 50
    anvil_rate_time_unit = 3600s

1. Is there a way to adjust those rules using the GUI, and if yes, where? The only place that made sense to me is under Server Config > Mail tab.
2. If there is no GUI option to alter the above postfix rules, is it safe or okay to alter the config file manually? If yes, will that be overridden by any means, like the GUI saving new settings under Server Config?
3. Maybe there is another location where I can put my custom postfix rules that won't be affected by the ISPConfig GUI saving settings function?

Here are some suggestions by the Nextcloud Mail client App to limit the rate; not sure what is the best rate ISPConfig would recommend:

Code:
    Anti-abuse alerts
    The app can write alerts to the logs when users send messages to a high number of recipients or sends a high number of messages for a short period of time. These events might indicate that the account is abused for sending spam messages. To enable anti-abuse alerts, you'll have to set a few configuration options via occ.

    # Turn alerts on
    occ config:app:set mail abuse_detection --value=on
    # Turn alerts off
    occ config:app:set mail abuse_detection --value=off
    # Alert when 50 or more recipients are used for one single message
    occ config:app:set mail abuse_number_of_recipients_per_message_threshold --value=50
    # Alerts can be configured for three intervals: 15m, 1h and 1d
    # Alert when more than 10 messages are sent in 15 minutes
    occ config:app:set mail abuse_number_of_messages_per_15m --value=10
    # Alert when more than 30 messages are sent in one hour
    occ config:app:set mail abuse_number_of_messages_per_1h --value=30
    # Alert when more than 100 messages are sent in one day
    occ config:app:set mail abuse_number_of_messages_per_1d --value=100

To mimic the nextcloud settings you would need to use something more configurable like postfwd or rspamd rate limiting, there are examples of both in the forum and/or issue tracker. In our systems I leave the postfix limits higher, as they apply to all domains/users on the server, then set more restrictive limits per-user and per-domain with postfwd. (I'd like to switch to rspamd rate limiting but haven't yet.) Regarding the postfix settings, the ISPConfig template sets 'smtpd_client_message_rate_limit = 100' so you will need to set that in /usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master if you change it.

Hello Jesse, thank you for your prompt response.

I couldn't find the file you mentioned, /usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master. I had to create it and I added the rules below, but I removed them from the main.cf file, except the smtpd_client_message_rate_limit value since it was there.

How does that custom file work? Does it override or have more priority over the main.cf file values? Please let me know if the values I added below in the file are okay. Besides, I would also like to know the rspamd way you mentioned. Please let me know when you do the switch :0)

Overall, do you recommend the values below? I guess it's on a case-by-case basis. I will appreciate it if you have something in mind you recommend.

Code:
    root@mail:~# cat /usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master
    # Outgoing message rate limit for users
    smtpd_client_message_rate_limit = 120 >>> Will that override the main one at main.cf file?
    anvil_rate_time_unit = 3600s >>> This is new and I could not find it at main.cf file
    # All the below rules are not under main.cf file but I have added them here.
    smtpd_sasl_exceptions_networks = $mynetworks
    smtpd_client_connection_rate_limit = 100
    smtpd_client_new_tls_session_rate_limit = 100
    smtpd_client_recipient_rate_limit = 100

See https://www.howtoforge.com/communit...-for-custom-postfix-and-dovecot-config.86559/ and https://www.howtoforge.com/community/threads/ratelimiting-with-ispconfig-3-and-rspamd.88018/

Hey Thom, that's awesome dude. The first thing that came to my mind is: can I use that custom file for Dovecot ssl entries as well?

For example, here is what I have inside the main Dovecot config file for ssl values, and every time I run ispconfig_update it will get overwritten. I hope in this case I can use my own ssl files inside /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master instead of putting these entries back into the original dovecot config file every time.

Note: So what I usually do is appending the original ssl entries using the # hash sign, and I used my ssl files since they represent imap.georgianationals.org as I wanted, instead of the original ssl entries, which represent the server name mail.georgianationals.org; I wanted imap instead of mail.

Code:
    # Do not change this file, as changes will be overwritten by any ISPConfig update.
    # Put your custom settings in /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master.
    # To start using those changes, do a force upgrade and let it reconfigure your services. (ispconfig_update.sh --force)
    listen = *,[::]
    protocols = imap pop3 lmtp sieve
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    ssl_cert = </etc/letsencrypt/live/imap.georgianationals.org/fullchain.pem
    ssl_key = </etc/letsencrypt/live/imap.georgianationals.org/privkey.pem
    #ssl_cert = </etc/postfix/smtpd.cert
    #ssl_key = </etc/postfix/smtpd.key
    ssl_dh = </etc/dovecot/dh.pem

However, I don't have that ssl files location issue with postfix. For postfix, I just run the following commands after preparing the certs, and it never gets overwritten with ispconfig_update.

Code:
    # for Postfix
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/smtp.georgianationals.org/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/smtp.georgianationals.org/privkey.pem smtpd.key
    service postfix restart

Thank you again ISPConfig. To wrap this up, I have added the following rspamd snippet as well.

Should I use only rspamd to limit the rate, or can I use both rspamd and postfix at the same time as a backup to limit the rate? I created the file ratelimit.conf since it was not there, added Thom's snippet, tested the config, and restarted the service.

If postfix is not recommended to be used, or can't be used along with the rspamd ratelimit, what would be equal to the postfix config values below in rspamd language? Thank you, all!

Code:
    # Outgoing message rate limit for users
    smtpd_client_message_rate_limit = 120
    anvil_rate_time_unit = 3600s

Rspamd snippet

Code:
    root@mail:~# cat /etc/rspamd/local.d/ratelimit.conf
    rates {
      user = {
        bucket = [
          { burst = 10; rate = "8 / 1m"; },
          { burst = 20; rate = "10 / 10m"; },
          { burst = 120; rate = "100 / 1h"; }
        ]
      }
    }
    root@mail:~# rspamadm configtest
    CPU doesn't have SSSE3 instructions set required for hyperscan, disable it
    symbol 'RAMBLER_URIBL' has its score defined but there is no corresponding rule registered
    symbol 'RBL_SARBL_BAD' has its score defined but there is no corresponding rule registered
    symbol 'URIBL_SBL_CSS' has its score defined but there is no corresponding rule registered
    symbol 'RAMBLER_EMAILBL' has its score defined but there is no corresponding rule registered
    symbol 'URIBL_SBL' has its score defined but there is no corresponding rule registered
    syntax OK
    root@mail:~# systemctl restart rspamd.service
    root@mail:~# systemctl status rspamd.service
    ● rspamd.service - rapid spam filtering system
       Loaded: loaded (/lib/systemd/system/rspamd.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2022-05-28 02:25:01 EDT; 5s ago
         Docs: https://rspamd.com/doc/
     Main PID: 2795 (rspamd)
        Tasks: 7 (limit: 4915)
       Memory: 205.8M
       CGroup: /system.slice/rspamd.service
               ├─2795 rspamd: main process
               ├─2833 rspamd: rspamd_proxy process (localhost:11332)
               ├─2834 rspamd: controller process (localhost:11334)
               ├─2835 rspamd: normal process (localhost:11333)
               ├─2836 rspamd: normal process (localhost:11333)
               ├─2837 rspamd: normal process (localhost:11333)
               └─2838 rspamd: normal process (localhost:11333)

    May 28 02:25:01 mail systemd[1]: Started rapid spam filtering system.
    May 28 02:25:01 mail rspamd[2795]: 2022-05-28 02:25:01 #2795(main) <81f64c>; main; main: rspamd 3.2 is loading configuration, build id: release
    root@mail:~#
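
Added example (not part of the thread, and not ISPConfig, Postfix or rspamd code): a simplified Python model of the two mechanisms asked about in the last post, the three rspamd user buckets and the Postfix per-client counter of 120 per 3600s, run over constructed traffic from a single sender. It assumes one unit per message, ignores rspamd's dynamic multipliers, and treats the Postfix limit as a counter that resets once the time unit has elapsed.

```python
from fractions import Fraction  # exact arithmetic, no float edge cases

# Values from the thread: rspamd "user" buckets and the Postfix limit.
BUCKETS = [(10, 8, 60), (20, 10, 600), (120, 100, 3600)]  # burst, msgs, seconds
POSTFIX_LIMIT, POSTFIX_UNIT = 120, 3600


class LeakyBucket:
    """Simplified model: one unit per message, no dynamic multipliers."""

    def __init__(self, burst, msgs, seconds):
        self.burst = burst
        self.leak = Fraction(msgs, seconds)  # units drained per second
        self.level = Fraction(0)
        self.last = 0

    def drain(self, now):
        self.level = max(Fraction(0), self.level - (now - self.last) * self.leak)
        self.last = now

    def has_room(self):
        return self.level + 1 <= self.burst


def simulate(send_times):
    """Return (accepted by the buckets, accepted by the fixed window)."""
    buckets = [LeakyBucket(*b) for b in BUCKETS]
    bucket_ok = window_ok = 0
    window_start, window_count = None, 0
    for now in send_times:
        for b in buckets:
            b.drain(now)
        if all(b.has_room() for b in buckets):  # every bucket must pass
            for b in buckets:
                b.level += 1
            bucket_ok += 1
        if window_start is None or now - window_start >= POSTFIX_UNIT:
            window_start, window_count = now, 0  # start a new window
        window_count += 1  # attempts count even when refused
        if window_count <= POSTFIX_LIMIT:
            window_ok += 1
    return bucket_ok, window_ok


# Constructed traffic from a single sender (times in seconds).
BURST = range(300)            # 300 messages, one per second
STEADY = range(0, 3600, 30)   # one message every 30 s for an hour

if __name__ == "__main__":
    for name, times in (("burst", BURST), ("steady", STEADY)):
        print(name, simulate(times))
```

In both constructed patterns the 10 / 10m bucket is the one that throttles the sender, while the Postfix counter only stops attempts after the 120th in the hour. Note also that the Postfix limit is counted per connecting client address, whereas the rspamd user bucket is counted per authenticated user.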