Rate Limiting with Postfix not found under Server Config

Discussion in 'Installation/Configuration' started by emaddaou, May 26, 2022.

  1. emaddaou

    emaddaou New Member

    Dear ISPConfig Dev,
    I had a very interesting question by one of our Assembly members:
    How do you limit Assembly Officers from sending mass emails or a certain number of emails per hour?
    So, I logged in to the backend of ISPConfig under Server Config > Mail tab and there is no option I can spot to do the job. So, a quick search online and I was able to find the postfix options required to do the job. However, I wanted to verify with you before calling that's it! Please check the following link: https://beamtic.com/rate-limiting-postfix
    Based on that article, I have added the anvil_rate_time_unit option under smtpd_client_message_rate_limit rule at postfix main.cf file. The smtpd_client_message_rate_limit rule was set at 100 and I changed it to 50 instead, and set the time unit limit to 1 hour.
    What do you think?
    # Outgoing message rate limit for users
    smtpd_client_message_rate_limit = 50
    anvil_rate_time_unit = 3600s
    1. Is there a way to adjust those rules using the GUI, and if yes, where? The only place that made sense to me is under Server Config > Mail tab.
    2. If there is no GUI option to alter the above postfix rules, is it safe or okay to alter the config file manually? If yes, will that be overridden by any means, like the GUI saving new settings under Server Config?
    Maybe there is another location where I can put my custom postfix rules so they won't be affected by the ISPConfig GUI save settings function?

    Here are some suggestions by Nextcloud Mail client App to limit the rate, not sure what is the best rate ISPConfig would recommend:
    Anti-abuse alerts
    The app can write alerts to the logs when users send messages to a high number of recipients or sends a high number of messages for a short period of time. These events might indicate that the account is abused for sending spam messages.
    To enable anti-abuse alerts, you'll have to set a few configuration options via occ.
    # Turn alerts on
    occ config:app:set mail abuse_detection --value=on
    # Turn alerts off
    occ config:app:set mail abuse_detection --value=off
    # Alert when 50 or more recipients are used for one single message
    occ config:app:set mail abuse_number_of_recipients_per_message_threshold --value=50
    # Alerts can be configured for three intervals: 15m, 1h and 1d
    # Alert when more than 10 messages are sent in 15 minutes
    occ config:app:set mail abuse_number_of_messages_per_15m --value=10
    # Alert when more than 30 messages are sent in one hour
    occ config:app:set mail abuse_number_of_messages_per_1h --value=30
    # Alert when more than 100 messages are sent in one day
    occ config:app:set mail abuse_number_of_messages_per_1d --value=100
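
The alert thresholds quoted above can also be checked on the mail server itself. This is an added example, not part of the original post and not Nextcloud or ISPConfig code: it counts authenticated submissions per SASL user in sliding windows over Postfix smtpd log lines. The log-line shape, the constructed sample lines and the names `find_abuse` and `sample_log` are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows and thresholds mirror the Nextcloud values quoted above:
# alert when MORE than N messages are seen inside the window.
WINDOWS = {
    "15m": (timedelta(minutes=15), 10),
    "1h": (timedelta(hours=1), 30),
    "1d": (timedelta(days=1), 100),
}

# Assumed log shape: the smtpd line Postfix writes for an authenticated client.
LINE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/(?:\w+/)?smtpd\[\d+\]: "
    r"\w+: client=\S+, sasl_method=\S+, sasl_username=(\S+)$"
)

def find_abuse(lines, year=2022):
    """Return sorted (user, window) pairs that exceeded a threshold."""
    seen = defaultdict(lambda: {name: deque() for name in WINDOWS})
    alerts = set()
    for line in lines:  # lines must be in time order per user
        m = LINE.match(line.strip())
        if m is None:
            continue  # not an authenticated submission line
        # Classic syslog stamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user = m.group(2).lower()
        for name, (span, limit) in WINDOWS.items():
            q = seen[user][name]
            q.append(ts)
            while q[0] <= ts - span:  # drop entries that left the window
                q.popleft()
            if len(q) > limit:
                alerts.add((user, name))
    return sorted(alerts)

def sample_log():
    """Constructed lines: one account bursts, another sends slowly."""
    tail = "client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username="
    start = datetime(2022, 5, 28, 2, 0, 0)
    rows = [(start + timedelta(minutes=i), "officer@example.org") for i in range(12)]
    rows += [(start + timedelta(hours=i), "clerk@example.org") for i in range(5)]
    return [f"{t:%b %d %H:%M:%S} mail postfix/smtpd[2795]: {n:010X}: {tail}{u}"
            for n, (t, u) in enumerate(rows)]
```

On the constructed sample only the bursting account is reported, and only for the 15-minute window.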
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    To mimic the nextcloud settings you would need to use something more configurable like postfwd or rspamd rate limiting, there are examples of both in the forum and/or issue tracker. In our systems I leave the postfix limits higher, as they apply to all domains/users on the server, then set more restrictive limits per-user and per-domain with postfwd. (I'd like to switch to rspamd rate limiting but haven't yet.)

    Regarding the postfix settings, the ISPConfig template sets 'smtpd_client_message_rate_limit = 100' so you will need to set that in /usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master if you change it.
    Last edited: May 26, 2022
  3. emaddaou

    emaddaou New Member

    Hello Jesse, thank you for your prompt response. I couldn't find the file you mentioned.
    I had to create it and I added the below rules, but I removed them from the main.cf file except the smtpd_client_message_rate_limit value since it was there.
    How does that custom file work? Does it override or have more priority over the main.cf file values?
    Please let me know if the values I added below in the file are okay.
    Besides, I would also like to know the rspamd way you mentioned. Please let me know when you do the switch :0)
    Overall, do you recommend those values below? I guess it's on a case-by-case basis. I will appreciate it if you have something in mind you recommend.
    root@mail:~# cat /usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master
    # Outgoing message rate limit for users
    smtpd_client_message_rate_limit = 120 >>> Will that override the main one at main.cf file?
    anvil_rate_time_unit = 3600s >>> This is new and I could not find it at main.cf file
    # All the below rules are not under main.cf file but I have added them here.
    smtpd_sasl_exceptions_networks = $mynetworks
    smtpd_client_connection_rate_limit = 100
    smtpd_client_new_tls_session_rate_limit = 100
    smtpd_client_recipient_rate_limit = 100
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    See https://www.howtoforge.com/communit...-for-custom-postfix-and-dovecot-config.86559/ and https://www.howtoforge.com/community/threads/ratelimiting-with-ispconfig-3-and-rspamd.88018/
  5. emaddaou

    emaddaou New Member

    Hey Thom, that's awesome dude, the first thing that came to my mind is: can I use that custom file for Dovecot ssl entries as well? For example, here is what I have inside the main Dovecot config file for ssl values, and every time I run ispconfig_update it gets overwritten.
    I hope in this case I can use my own ssl files inside the /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master instead of having to keep putting these entries back into the original dovecot config file.
    Note: So what I usually do is appending the original ssl entries using the # hash sign, and I used my ssl files since they represent imap.georgianationals.org as I wanted, instead of the original ssl entries, which represent the server name mail.georgianationals.org; I wanted imap instead of mail.
    # Do not change this file, as changes will be overwritten by any ISPConfig update.
    # Put your custom settings in /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master.
    # To start using those changes, do a force upgrade and let it reconfigure your services. (ispconfig_update.sh --force)
    listen = *,[::]
    protocols = imap pop3 lmtp sieve
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    ssl_cert = </etc/letsencrypt/live/imap.georgianationals.org/fullchain.pem
    ssl_key = </etc/letsencrypt/live/imap.georgianationals.org/privkey.pem
    #ssl_cert = </etc/postfix/smtpd.cert
    #ssl_key = </etc/postfix/smtpd.key
    ssl_dh = </etc/dovecot/dh.pem
    However, I don't have that ssl files location issue with postfix. For postfix, I just run the following commands after preparing the certs and it never gets overwritten by ispconfig_update.
    # for Postfix
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/smtp.georgianationals.org/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/smtp.georgianationals.org/privkey.pem smtpd.key
    service postfix restart
  6. emaddaou

    emaddaou New Member

    Thank you again ISPConfig. To wrap this up, I have added the following to rspamd snippet as well. Should I use only rspamd to limit the rate, or can I use both rspamd and postfix at the same time as backup to limit the rate? I created the file ratelimit.conf since it was not there, added Thom's snippet, tested the config, and restarted the service.
    If postfix is not recommended to be used or can't be used along with rspamd ratelimit, what would be equal to the postfix config values below in rspamd language? Thank you, all!
    # Outgoing message rate limit for users
    smtpd_client_message_rate_limit = 120
    anvil_rate_time_unit = 3600s
    Rspamd snippet
    root@mail:~# cat /etc/rspamd/local.d/ratelimit.conf
    rates {
            user = {
                    bucket = [
                    {
                            burst = 10;
                            rate = "8 / 1m";
                    },
                    {
                            burst = 20;
                            rate = "10 / 10m";
                    },
                    {
                            burst = 120;
                            rate = "100 / 1h";
                    }]
            }
    }
    root@mail:~# rspamadm configtest
    CPU doesn't have SSSE3 instructions set required for hyperscan, disable it
    symbol 'RAMBLER_URIBL' has its score defined but there is no corresponding rule registered
    symbol 'RBL_SARBL_BAD' has its score defined but there is no corresponding rule registered
    symbol 'URIBL_SBL_CSS' has its score defined but there is no corresponding rule registered
    symbol 'RAMBLER_EMAILBL' has its score defined but there is no corresponding rule registered
    symbol 'URIBL_SBL' has its score defined but there is no corresponding rule registered
    syntax OK
    root@mail:~# systemctl restart rspamd.service
    root@mail:~# systemctl status rspamd.service
    ● rspamd.service - rapid spam filtering system
       Loaded: loaded (/lib/systemd/system/rspamd.service; enabled; vendor preset: enabled)
       Active: active (running) since Sat 2022-05-28 02:25:01 EDT; 5s ago
         Docs: https://rspamd.com/doc/
     Main PID: 2795 (rspamd)
        Tasks: 7 (limit: 4915)
       Memory: 205.8M
       CGroup: /system.slice/rspamd.service
               ├─2795 rspamd: main process
               ├─2833 rspamd: rspamd_proxy process (localhost:11332)
               ├─2834 rspamd: controller process (localhost:11334)
               ├─2835 rspamd: normal process (localhost:11333)
               ├─2836 rspamd: normal process (localhost:11333)
               ├─2837 rspamd: normal process (localhost:11333)
               └─2838 rspamd: normal process (localhost:11333)
    May 28 02:25:01 mail systemd[1]: Started rapid spam filtering system.
    May 28 02:25:01 mail rspamd[2795]: 2022-05-28 02:25:01 #2795(main) <81f64c>; main; main: rspamd 3.2 is loading configuration, build id: release
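
To see how the three user buckets in the ratelimit.conf above combine, here is an added example (not part of the original post and not rspamd code) that runs them through a simplified leaky-bucket model. Assumptions: buckets leak continuously, a message must fit in every bucket, rejected attempts add nothing, each message has one recipient, and rspamd's dynamic rate and burst adjustments are ignored; `accepted` and `first_hour_report` are names made up for the illustration.

```python
import re
from fractions import Fraction

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# The three user buckets from the ratelimit.conf in the post above.
USER_BUCKETS = [(10, "8 / 1m"), (20, "10 / 10m"), (120, "100 / 1h")]

def leak_per_second(rate):
    """Turn a rate string such as '10 / 10m' into messages leaked per second."""
    m = re.fullmatch(r"\s*(\d+)\s*/\s*(\d+)\s*([smhd])\s*", rate)
    if m is None:
        raise ValueError(f"unsupported rate: {rate!r}")
    return Fraction(int(m.group(1)), int(m.group(2)) * UNITS[m.group(3)])

def accepted(buckets, attempts):
    """Count accepted messages for sorted attempt times given in seconds.

    Simplified model (assumption): a message is accepted only if every
    bucket stays at or below its burst after the message is added.
    """
    # Each entry is [burst, leak per second, current level]; exact fractions
    # avoid off-by-one results from floating-point rounding.
    state = [[burst, leak_per_second(rate), Fraction(0)] for burst, rate in buckets]
    last, count = 0, 0
    for now in attempts:
        for b in state:
            b[2] = max(Fraction(0), b[2] - (now - last) * b[1])
        last = now
        if all(level + 1 <= burst for burst, _, level in state):
            for b in state:
                b[2] += 1
            count += 1
    return count

def first_hour_report():
    """One send attempt per second for an hour: all buckets, then each alone."""
    attempts = range(3600)
    return (accepted(USER_BUCKETS, attempts),
            [accepted([b], attempts) for b in USER_BUCKETS])

if __name__ == "__main__":
    total, alone = first_hour_report()
    print("all buckets:", total, "each alone:", alone)
```

Under this model the "10 / 10m" bucket is the one that governs sustained sending, so a user hammering the server gets fewer messages through in the first hour than the 120 per hour configured in Postfix.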
