Hello, I have some clients that use weak email passwords, and the result is that someone spams out lots of crap from our mail server. I am wondering if anyone here has used postfwd or something else to limit outgoing email to something like 25 recipients per hour or something like this.. Thanks..
I've used postfwd on other servers, and it does that job nicely. I've seen another tool suggested for that around the forums/bug tracker here (don't remember the name, it was some policy daemon) that I intend to check into "soon," but probably not in a timely enough manner to help you now.
Hey Jesse, I installed postfwd, but cannot seem to get the rules working correctly.. I have this rule, and when I enable it, every email gets rejected rather than doing what it's supposed to do; any idea as to why?
id=RULE003
    sasl_username=~/^(\S+)$/
    action=rcpt(sasl_username/10/30/REJECT only 10 recipients per 30 mins for $$sasl_username)
This is a 30 second rule I'm using in production:
Code:
id=sasl_rcpt_30sec
    sasl_username=~$$sender
    action=rcpt(sasl_username/960/30/421 4.7.1: $$sasl_username: sending too fast.)
You'll find 10 recipients per 30 seconds unacceptably low for any normal system. E.g. a single message will quite often exceed that (send this joke to all my friends....). Maybe a special purpose mail server could get away with it.
On a related note, I intend to incorporate some rate limiting into ispconfig; I wanted to look at policyd (yes @till, I think that's the one), and use it if it seems preferable, or otherwise use postfwd. Probably I'd publish a howto/article first (or post to the tips forum), and work on proper integration in ispconfig later. My timeframe for this type of thing is more in weeks than days, but hopefully can have some ispconfig specific setup eventually.
So in this log excerpt, does this say this user sent only one email in the last 5 mins?
Oct 29 12:34:28 peter postfwd2/policy[13500]: updating parent rate limit object 'CMD=S2;TYPE=rate;ITEM=sasl_username=[email protected]~~~sasl_rcpt_300sec+25_300///maxcount=25///count=1///type=rcpt///rule=sasl_rcpt_300sec///time=1446136468.54117///ttl=300///until=1446136768.54117///action=421 4.7.1: [email protected]: sending too fast.'
OK, with a dumpstats I see this... So I guess this IP is getting that 450 message now? lol
%rate_cache -> %client_address=201.74.120.118 -> @list -> 'RULE001+7_300'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @action -> '450 4.7.1 only 7 recipients per 5 minutes allowed'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @count -> '1'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @maxcount -> '7'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @rule -> 'RULE001'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @TimE -> '1446137731.49025'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @ttl -> '300'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @type -> 'rate'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @until -> '1446138031.49025'
960 recipients in 30 seconds for a given authenticated sender address (this is on a hosting server with ~100 domains). We've run into issues with e.g. billing software that sends to hundreds of users, some people using large bcc lists instead of a mailing list, and I think some other "legitimate use" scenario. You could surely add an exemption for individual senders and/or client ip addrs, but we bumped limits up to where it worked for all our legitimate senders. We use numerous rules, for client ip, limit by sender, limit by recipient, and all in different rates - the idea being to accommodate legitimate short term bursts, but ratchet down pretty quickly over some longer time ranges. You have to account for system use (e.g. any spam training accounts, webmail, localhost usage, etc.), which in ispconfig will probably vary depending on local setup... so not an easy "here, just do this". All these rate limits used to be much more effective; spammers change tactics and we rarely get spam runs that are a high enough rate to hit the postfwd limits nowadays.

Here's the full config from this particular hosting server (we may have a few servers with some additional useful config) -- Note, this is on a DTC server, NOT an ispconfig server:
Code:
##
## Definitions
##

# redefine these in postfwd-local.cf if needed

# Business Hours
&&BUSINESS_HOURS {
    days=Mon-Fri
    time=07:15:00 - 18:45:00
};

# Busy Hours
&&BUSY {
    days=Mon-Fri
    time=05:45:00 - 18:45:00
};

# !!&&BUSY doesn't look to work right, so create 2 rules with:
&&WEEKEND {
    !!days=Mon-Fri
};
&&SLOW {
    days=Mon-Fri
    !!time=05:45:00 - 18:45:00
}

##
## Postfwd limits for System accounts
##

# Spam Trainer
id=spam_trainer_sender_15sec
    client_address=127.0.0.1
    recipient=(ham|spam)@mx.dtc1.domain.com
    action=rate(sender/300/15/421 4.7.1 Slow down there, $$sender.)
id=spam_trainer_recip_30sec
    client_address=127.0.0.1
    recipient=(ham|spam)@mx.dtc1.domain.com
    action=rate(recipient/600/30/421 4.7.1 Slow down there, $$sender.)
id=spam_trainer_recip_5min
    client_address=127.0.0.1
    recipient=(ham|spam)@mx.dtc1.domain.com
    action=rate(recipient/1200/300/421 4.7.1 Slow down there, $$sender.)
id=spam_trainer_recip_1hr
    client_address=127.0.0.1
    recipient=(ham|spam)@mx.dtc1.domain.com
    action=rate(recipient/3600/3600/421 4.7.1 Slow down there, $$sender.)
id=spam_trainer_ok
    client_address=127.0.0.1
    recipient=(ham|spam)@mx.dtc1.domain.com
    action=OK

##
## Client IP Message Rate Limits
##

# webmail comes in from localhost (127.0.0.1),
# as does other website-generated traffic
id=ip_msg_slow_15sec
    &&SLOW
    client_address!=127.0.0.1
    action=rate(client_address/150/15/421 4.7.1: $$client_address: sending too fast.)
id=ip_msg_weekend_15sec
    &&WEEKEND
    client_address!=127.0.0.1
    action=rate(client_address/150/15/421 4.7.1: $$client_address: sending too fast.)
id=ip_msg_slow_60sec
    &&SLOW
    client_address!=127.0.0.1
    action=rate(client_address/360/60/421 4.7.1: $$client_address: sending too fast.)
id=ip_msg_weekend_60sec
    &&WEEKEND
    client_address!=127.0.0.1
    action=rate(client_address/360/60/421 4.7.1: $$client_address: sending too fast.)
# allow localhost here (good ? bad ?)
id=ip_msg_10min
    action=rate(client_address/600/600/421 4.7.1: $$client_address: sending too fast.)
id=ip_msg_3hr
    client_address!=127.0.0.1
    action=rate(client_address/1800/10800/421 4.7.1: $$client_address: too many messages, try later.)
id=ip_msg_24hr
    client_address!=127.0.0.1
    action=rate(client_address/3600/86400/421 4.7.1: $$client_address: too many messages, try later.)
id=ip_msg_72hr
    client_address!=127.0.0.1
    action=rate(client_address/7200/259200/421 4.7.1: $$client_address: too many messages, try later.)

##
## Client IP Recipient Rate Limits
##
id=ip_rcpt_busy_30sec
    client_address!=127.0.0.1
    action=rcpt(client_address/421/30/421 4.7.1: $$client_address: sending too fast.)
id=ip_rcpt_5min
    client_address!=127.0.0.1
    action=rcpt(client_address/600/300/421 4.7.1: $$client_address: sending too fast.)
# allow localhost here with temp reject
id=ip_rcpt_10min
    action=rcpt(client_address/1800/600/421 4.7.1: $$client_address: sending too fast.)
id=ip_rcpt_1hr
    client_address!=127.0.0.1
    action=rcpt(client_address/3600/3600/421 4.7.1: $$client_address: too many recipients, try later.)
id=ip_rcpt_24hr
    client_address!=127.0.0.1
    action=rcpt(client_address/14400/86400/421 4.7.1: $$client_address: too many recipients, try later.)

##
## SASL Auth Message Rate Limits
##
id=sasl_msg_30sec
    sasl_username=~$$sender
    action=rate(sasl_username/360/30/421 4.7.1: $$sasl_username: sending too fast.)
id=sasl_msg_3hr
    sasl_username=~$$sender
    action=rate(sasl_username/1080/10800/421 4.7.1: $$sasl_username: too many messages, try later.)
id=sasl_msg_24hr
    sasl_username=~$$sender
    action=rate(sasl_username/1800/86400/421 4.7.1: $$sasl_username: too many messages, try later.)
id=sasl_msg_72hr
    sasl_username=~$$sender
    action=rate(sasl_username/3600/259200/421 4.7.1: $$sasl_username: too many messages, try later.)

# sasl authenticated, different sender addr:
#id=sasl_diff_msg_60sec
#    sasl_username!=''; sasl_username!=$$sender
#    action=rate(sasl_username/120/60/421 4.7.1: $$sasl_username: sending too fast.)

# SASL Auth Recipient Rate Limits
id=sasl_rcpt_30sec
    sasl_username=~$$sender
    action=rcpt(sasl_username/960/30/421 4.7.1: $$sasl_username: sending too fast.)
id=sasl_rcpt_busy_3hr
    sasl_username=~$$sender
    action=rcpt(sasl_username/1800/10800/421 4.7.1: $$sasl_username: too many recipients, try later.)
id=sasl_rcpt_slow_3hr
    &&SLOW
    sasl_username=~$$sender
    action=rcpt(sasl_username/600/10800/421 4.7.1: $$sasl_username: too many recipients, try later.)
id=sasl_rcpt_weekend_3hr
    &&WEEKEND
    sasl_username=~$$sender
    action=rcpt(sasl_username/600/10800/421 4.7.1: $$sasl_username: too many recipients, try later.)
id=sasl_rcpt_24hr
    sasl_username=~$$sender
    action=rcpt(sasl_username/3600/86400/421 4.7.1: $$sasl_username: too many recipients, try later.)
id=sasl_rcpt_72hr
    sasl_username=~$$sender
    action=rcpt(sasl_username/7200/259200/421 4.7.1: $$sasl_username: too many recipients, try later.)

# Sender Addr Limits (non-authenticated senders)
id=sender_msg_45sec
    sasl_username=''
    action=rate(sender/180/30/421 4.7.1 $$sender: sending too fast.)
id=sender_msg_10min
    sasl_username=''
    action=rate(sender/300/600/421 4.7.1 $$sender: sending too fast, try later.)
id=sender_msg_slow_30min
    &&SLOW
    sasl_username=''
    action=rate(sender/360/1800/421 4.7.1: $$sender: too many messages, try later.)
id=sender_msg_weekend_30min
    &&WEEKEND
    sasl_username=''
    action=rate(sender/360/1800/421 4.7.1: $$sender: too many messages, try later.)
id=sender_msg_1hr
    sasl_username=''
    action=rate(sender/600/3600/421 4.7.1: $$sender: too many messages, try later.)
id=sender_msg_24hr
    sasl_username=''
    action=rate(sender/1800/86400/421 4.7.1: $$sender: too many messages, try later.)
id=sender_rcpt_1min
    sasl_username=''
    action=rcpt(sender/360/60/421 4.7.1 $$sender: sending too fast.)
id=sender_rcpt_1hr
    sasl_username=''
    action=rcpt(sender/1200/3600/421 4.7.1: $$sender: too many recipients, try later.)
id=sender_rcpt_24hr
    sasl_username=''
    action=rcpt(sender/3600/86400/421 4.7.1: $$sender: too many recipients, try later.)
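To make the rate()/rcpt() actions in these rules concrete, here is an added Python sketch (not postfwd's own code) of a fixed-window counter keyed on the rule item, modelled on the count/maxcount/ttl/until fields postfwd logs for its rate objects; the reset-on-expiry semantics are an assumption, and RateRule, check and replay are names of this sketch, with the policy requests constructed.

```python
import re
from dataclasses import dataclass, field

# Action syntax used in the rules above: rate|rcpt(<item>/<max>/<seconds>/<action>)
ACTION_RE = re.compile(r"^(rate|rcpt)\((\w+)/(\d+)/(\d+)/(.+)\)$")


@dataclass
class RateRule:
    kind: str       # "rate" counts messages, "rcpt" counts recipients
    item: str       # request attribute the counter is keyed on (e.g. sasl_username)
    maxcount: int   # allowed total inside one window
    ttl: int        # window length in seconds
    action: str     # returned once the limit is exceeded; $$item is expanded
    cache: dict = field(default_factory=dict)   # item value -> (count, until)

    @classmethod
    def parse(cls, action_text):
        m = ACTION_RE.match(action_text.strip())
        if not m:
            raise ValueError("unsupported action: " + action_text)
        kind, item, maxcount, ttl, action = m.groups()
        return cls(kind, item, int(maxcount), int(ttl), action)

    def check(self, request, now):
        """Count one policy request; return the action or "dunno" (let it pass)."""
        key = str(request[self.item])
        count, until = self.cache.get(key, (0, now + self.ttl))
        if now >= until:          # window expired: start a fresh one (assumed semantics)
            count, until = 0, now + self.ttl
        count += int(request.get("recipient_count", 1)) if self.kind == "rcpt" else 1
        self.cache[key] = (count, until)
        if count > self.maxcount:
            return self.action.replace("$$" + self.item, key)
        return "dunno"


def replay(action_text, requests):
    """Feed (timestamp, request) pairs through one rule; return the decisions."""
    rule = RateRule.parse(action_text)
    return [rule.check(req, ts) for ts, req in requests]


if __name__ == "__main__":
    # constructed: one authenticated user sending 500-recipient mailings 10 s apart
    low = "rcpt(sasl_username/10/30/REJECT only 10 recipients per 30 mins for $$sasl_username)"
    prod = "rcpt(sasl_username/960/30/421 4.7.1: $$sasl_username: sending too fast.)"
    reqs = [(t, {"sasl_username": "user@example.com", "recipient_count": 500})
            for t in (1000.0, 1010.0, 1031.0)]
    print(replay(low, reqs))    # rejects even the first message
    print(replay(prod, reqs))   # passes, rejects the second, passes after the window
```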
Thanks for the info Jesse, it's a very big help. Our main problem is that some clients' email users were getting their email passwords hacked and thus sending out spam from that account, and then our mail server was getting blacklisted because of it.... So we hope to stop these stolen outbound email accounts that are spamming out.... Thanks again, you're great!
postfwd can help with high rate spam runs there, but as I mentioned, that's not the norm anymore; we generally see mail trickle in/through from abused accounts. I don't have a good automated solution for that in place, but it would involve spam scanning the outgoing mail and doing some rate limiting combined with spam score (e.g. X messages exceed Y score in Z timeframe, that sender starts getting temp rejects, and/or admin notification, and/or lock their password at some point). Also if you could record what a user's normal mail usage is (e.g. per day maybe?) and compare current usage with "normal", that might be a useful input into such a system.
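The score-plus-rate idea in the reply above, as an added Python sketch (not an existing tool or the thread author's code): a per-sender sliding window over outgoing spam scores, escalating from temp reject to lock, plus a today-versus-baseline volume alert; the thresholds, the escalation steps and the OutboundAbuseDetector name are assumptions of the sketch, and the messages fed in are constructed.

```python
from collections import defaultdict, deque


class OutboundAbuseDetector:
    """Sliding-window check over outgoing mail: X spammy messages in Z seconds.

    Escalation (assumed policy): more than max_spammy messages scoring at or above
    score_threshold inside `window` seconds -> "defer" (temp reject); more than twice
    that -> "lock" plus an admin alert. Daily volume above ratio * baseline only alerts.
    """

    def __init__(self, max_spammy=3, score_threshold=5.0, window=3600,
                 baseline=None, ratio=5.0):
        self.max_spammy = max_spammy
        self.score_threshold = score_threshold
        self.window = window
        self.baseline = baseline or {}       # sender -> normal messages per day
        self.ratio = ratio
        self.recent = defaultdict(deque)     # sender -> (ts, score) inside the window
        self.daily = defaultdict(deque)      # sender -> timestamps in the last 24 h
        self.alerts = []                     # (ts, sender, reason) for the admin
        self._alerted = set()                # (sender, kind) already reported once

    def _alert(self, ts, sender, kind, reason):
        if (sender, kind) not in self._alerted:
            self._alerted.add((sender, kind))
            self.alerts.append((ts, sender, reason))

    def observe(self, sender, ts, score):
        """Record one outgoing message; return "accept", "defer" or "lock"."""
        recent, daily = self.recent[sender], self.daily[sender]
        recent.append((ts, score))
        daily.append(ts)
        while recent and recent[0][0] <= ts - self.window:   # drop expired entries
            recent.popleft()
        while daily and daily[0] <= ts - 86400:
            daily.popleft()
        normal = self.baseline.get(sender)
        if normal is not None and len(daily) > self.ratio * normal:
            self._alert(ts, sender, "volume",
                        "%d messages today, normally %d" % (len(daily), normal))
        spammy = sum(1 for _, s in recent if s >= self.score_threshold)
        if spammy > 2 * self.max_spammy:
            self._alert(ts, sender, "lock",
                        "%d spammy messages in %ds, lock account" % (spammy, self.window))
            return "lock"
        if spammy > self.max_spammy:
            return "defer"
        return "accept"
```

Feed it one call per scanned outgoing message (sender, unix time, spam score); the returned decision maps onto a policy reply (dunno/421/reject) while alerts go to the admin.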
Thanks for the help Jesse, we also scan outgoing emails too.... I will also try to do what you suggested... Have a great day!
Please, what would be the proper way to add policyd to the Postfix configuration (and not break other features ISPConfig is providing)?