Mailing List Archive: exim: users

ratelimit

 

 



jspies at sun

Aug 8, 2008, 3:29 AM

Post #1 of 14 (918 views)
ratelimit

I just want to make sure that I understand the documentation on
ratelimit correctly before applying it.

Situation: we have got two 'naughty servers' in our network that
sometimes deliver a lot of email to one of our mail servers e.g.
10902 mails (5473MB) within a few minutes. We have got three mail
servers but those servers only choose one to deliver their mass mail
to.

I am thinking of using something like this in the data-acl:

defer message = Sender rate exceeds $sender_rate_limit \
                messages per $sender_rate_period
      ratelimit = 1200M / 1h / per_byte / leaky
      hosts = <ip's of naughty hosts>

The last line (hosts) is probably not necessary.

Am I on the right way with this configuration?

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Ye lust, and have not: ye kill, and desire to have,
and cannot obtain: ye fight and war, yet ye have not,
because ye ask not." James 4:2

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


dot at dotat

Aug 8, 2008, 4:28 AM

Post #2 of 14 (885 views)
Re: ratelimit [In reply to]

On Fri, 8 Aug 2008, Johann Spies wrote:
>
> I am thinking of using something like this in the data-acl:
>
> defer message = Sender rate exceeds $sender_rate_limit \
>                 messages per $sender_rate_period
>       ratelimit = 1200M / 1h / per_byte / leaky
>       hosts = <ip's of naughty hosts>
>
> The last line (hosts) is probably not necessary.
>
> Am I on the right way with this configuration?

Yes, that's fine.

If you decide to use the hosts condition, put it before the ratelimit
condition so that the rate calculation is skipped if the client host is
not in the list. The ratelimit condition accesses a hints database so it
is relatively expensive.

Tony.
--
<fanf [at] exim> <dot [at] dotat> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}



jspies at sun

Aug 8, 2008, 5:04 AM

Post #3 of 14 (904 views)
Re: ratelimit [In reply to]

On Fri, Aug 08, 2008 at 12:28:22PM +0100, Tony Finch wrote:
> On Fri, 8 Aug 2008, Johann Spies wrote:

> >
> > defer message = Sender rate exceeds $sender_rate_limit \
> >                 messages per $sender_rate_period
> >       ratelimit = 1200M / 1h / per_byte / leaky
> >       hosts = <ip's of naughty hosts>
>
> Yes, that's fine.
>
> If you decide to use the hosts condition, put it before the ratelimit
> condition so that the rate calculation is skipped if the client host is
> not in the list. The ratelimit condition accesses a hints database so it
> is relatively expensive.

Thanks. So if I do not use the 'hosts' line the lookup will happen
with every email? It is then much more economical to define the hosts
and to use as few as necessary.

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Ye lust, and have not: ye kill, and desire to have,
and cannot obtain: ye fight and war, yet ye have not,
because ye ask not." James 4:2



frettled at gmail

Dec 10, 2011, 4:41 AM

Post #4 of 14 (530 views)
Re: Ratelimit [In reply to]

On Fri, Dec 9, 2011 at 22:39, Ian Porter <ian [at] codingfriends> wrote:
>
> Hi All,
>
> I am trying to use the ratelimit to deny any more than 10 emails per
> second.  I have tried adding this to the
> /etc/exim4/exim4.conf.template and also within the
> /etc/exim4/conf.d/acl/10_exim4_config-deny-ratecheck
>
> acl_deny_rate_check_exceptions:
>    deny ratelimit = 10 / 1s / $primary_hostname
>          log_message = Sorry, too busy, ratelimit
>
>
> But it does not do anything ? any advice ?

Where do you call that ACL from?

The rate limiting examples I have seen, and those I've used for
implementing them myself, are all placed in acl_check_rcpt, which is
where you want to have a check for per-rcpt limits.

Example for authenticated users:

acl_check_rcpt:

  warn ratelimit = 0 / 1h / strict
       logwrite = :main: \
                  Rate: $sender_rate/$sender_rate_period \
                  $message_id \
                  $sender_address ($sender_host_name[$sender_host_address]) \
                  -> $local_part@$domain

  # Authenticated users limited to 90 messages per minute
  deny authenticated = *
       ratelimit = 90 / 1m / strict / ${authenticated_id}_minute
       message = Sending rate exceeded, $sender_rate/$sender_rate_period \
                 (max $sender_rate_limit/$sender_rate_period)
       logwrite = :main,reject: \
                  Rate exceeded: $sender_rate/$sender_rate_period \
                  (max $sender_rate_limit) $message_id \
                  $sender_address ($sender_host_name[$sender_host_address]) \
                  -> $local_part@$domain



Example for a smarthost setup:

  # Relayed hosts limited to 180 messages per minute
  defer message = Sending rate exceeded, $sender_rate/$sender_rate_period \
                  (max $sender_rate_limit/$sender_rate_period)
        ratelimit = 180 / 1m / ${primary_hostname}_minute
        hosts = +relay_from_hosts
        logwrite = :main: \
                   Rate exceeded for remote system: $sender_rate/$sender_rate_period \
                   (max $sender_rate_limit) $message_id [$sender_host_address] \
                   -> $local_part@$domain

--
Jan



ian at codingfriends

Dec 12, 2011, 5:56 AM

Post #5 of 14 (531 views)
Re: Ratelimit [In reply to]

Hi All,

Nah, does not seem to matter where I place these ratelimits
/etc/exim4/conf.d/30_exim4-config_check_rcpt
or
/etc/exim4/exim4.conf.template

The messages still go through without any problems. Just to make sure
I am trying to send a mail from the local host to a remote email
address will these restrictions apply ? and also log in the
/var/log/exim4/mainlog ?

Regards
Ian



--
Regards
Ian Porter

www: www.codingfriends.com



ian at codingfriends

Dec 12, 2011, 1:10 PM

Post #6 of 14 (539 views)
Re: Ratelimit [In reply to]

Hi Darren

Thanks very much

I have just noticed that the
/var/spool/exim4/db/ratelimit.db
has not been created ? and also when I do remove those files to
recreate that directory it does not get created. I am guessing that I
may be missing something ? or do I not need that.

Thanks
Ian

On Mon, Dec 12, 2011 at 4:20 PM, Darran Coy <dcoy [at] lincoln> wrote:
> Hi Ian,
>
> We’ve been running ratelimiting for a few years here.  We’re currently 4.72.
>
> Here's all our ratelimiting bits from our config file.  If it helps...
>
> hostlist        not_rate_limited = "    1.2.3.4"
> .
> .
> .
>
> #Ratelimit connections to try to eliminate more spam and phishing.
> # Darran January 2009
> smtp_ratelimit_hosts = *
> smtp_ratelimit_mail = 2,0.5s,1.05,4m
> smtp_ratelimit_rcpt = 4,0.5s,1.05,4m
>
> begin acl
> .
> .
> .
>
> acl_check_rcpt:
>
>   # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
>   # testing for an empty sending host field.
>
>   accept  hosts = :
>
>         ##########################################################
>         #       New ratelimit stuff Added by Darran 1st March 2009
>         ##########################################################
> # Slow down fast remote senders; note the need to truncate $sender_rate
> # at the decimal point.
> defer message = Sorry, too much work.  Come back later.
>         ratelimit = 45 / 1h / per_rcpt / $sender_address
>         hosts = !+relay_from_hosts : !+not_rate_limited
>         log_message = Ratelimit: REMOTE Per user sender rate limit $sender_rate / $sender_rate_period DEFERRED
>
> # System-wide remote rate limit
> defer message = Sorry, too busy. Try again later.
>         ratelimit = 10 / 1s / $primary_hostname
>         hosts = !+relay_from_hosts : !+not_rate_limited
>         log_message = Ratelimit: REMOTE System rate limit exceeded $sender_rate / $sender_rate_period DEFERRED
>
> # Slow down fast LOCAL senders; note the need to truncate $sender_rate
> # at the decimal point.
> defer message = Sorry, you are too fast. Wait a bit.
>         ratelimit = 200 / 1h / per_rcpt / $sender_address
>         hosts = +relay_from_hosts : !+not_rate_limited
>         log_message = Ratelimit: LOCAL Per user sender rate limit $sender_rate / $sender_rate_period DEFERRED
>
> # System-wide LOCAL rate limit
> defer message = Sorry, busy doing other things. Try again later.
>         ratelimit = 20 / 1s / $primary_hostname
>         hosts = +relay_from_hosts : !+not_rate_limited
>         log_message = Ratelimit: LOCAL System rate limit exceeded $sender_rate / $sender_rate_period DEFERRED



--
Regards
Ian Porter

www: www.codingfriends.com



hs at schlittermann

Dec 12, 2011, 1:33 PM

Post #7 of 14 (526 views)
Re: Ratelimit [In reply to]

Ian Porter <ian [at] codingfriends> (Mo 12 Dez 2011 22:10:19 CET):
> Hi Darren
>
> Thanks very much
>
> I have just noticed that the
> /var/spool/exim4/db/ratelimit.db
> has not been created ? and also when I do remove those files to
> recreate that directory it does not get created. I am guessing that I
> may be missing something ? or do I not need that.

(I didn't follow the complete thread…)

The directory /var/spool/exim4 needs to exist. The db/ subdirectory will
be created by the Exim process. BUT the /var/spool/exim4/ directory
needs to be writable by the user Exim is running
as. You may check the user:

exim4 -bP exim_user

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: 48D0359B -
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -


ian at codingfriends

Dec 13, 2011, 1:34 AM

Post #8 of 14 (527 views)
Re: Ratelimit [In reply to]

Hi Heiko

On Mon, Dec 12, 2011 at 9:33 PM, Heiko Schlittermann
<hs [at] schlittermann> wrote:
> Ian Porter <ian [at] codingfriends> (Mo 12 Dez 2011 22:10:19 CET):
>> Hi Darren
>>
>> Thanks very much
>>
>> I have just noticed that the
>> /var/spool/exim4/db/ratelimit.db
>> has not been created ? and also when I do remove those files to
>> recreate that directory it does not get created. I am guessing that I
>> may be missing something ? or do I not need that.
>
> (I didn't follow the complete thread…)
>
> The directory /var/spool/exim4 needs to exist. The db/ subdirectory will
> be created by the Exim process. BUT the /var/spool/exim4/ directory
> needs to be writable by the user Exim is running
> as. You may check the user:
>
>    exim4 -bP exim_user
>

Thanks, yeah the directory is being created by the exim process but
the ratelimit db within that directory is not. I am guessing it could
be a switch or option on the exim process to start the ratelimit db ?
or I am missing something from the install.

Regards
Ian





--
Regards
Ian Porter

www: www.codingfriends.com



graeme at graemef

Dec 13, 2011, 7:34 AM

Post #9 of 14 (530 views)
Re: Ratelimit [In reply to]

Hi Ian

On Tue, 2011-12-13 at 09:34 +0000, Ian Porter wrote:
> Thanks, yeah the directory is being created by the exim process but
> the ratelimit db within that directory is not. I am guessing it could
> be a switch or option on the exim process to start the ratelimit db ?
> or I am missing something from the install.

There are two things of significance here:

1. You're using a Debian-derived system, which has a configuration
system with which many of the denizens of this list are unfamiliar. There is
a specific list detailed in the docs on Debian-derived systems for
support of Exim on those distros.

2. The reason the ratelimit DB file isn't being created is because the
ratelimit stanza in the ACL you've defined isn't being used - for which,
see (1).

In a nutshell - in order to apply ACL ratelimits, you have to define a
lookup/query/update at an appropriate place in the ACL flow (which
mirrors the SMTP transaction). If you drop a file in which is included
in the config *after* an explicit or implicit "accept" in that ACL, the
ratelimit will never happen.

I hope that helps,

Graeme




hs at schlittermann

Dec 13, 2011, 10:46 AM

Post #10 of 14 (522 views)
Re: Ratelimit [In reply to]

Ian Porter <ian [at] codingfriends> (Di 13 Dez 2011 10:34:33 CET):
> >
> > (I didn't follow the complete thread…)
> >
> > The directory /var/spool/exim4 needs to exist. The db/ subdirectory will
> > be created by the Exim process. BUT the /var/spool/exim4/ directory
> > needs to be writable by the user Exim is running
> > as. You may check the user:
> >
> >    exim4 -bP exim_user
> >
>
> Thanks, yeah the directory is being created by the exim process but
> the ratelimit db within that directory is not. I am guessing it could
> be a switch or option on the exim process to start the ratelimit db ?
> or I am missing something from the install.

Just wild guessing: The ratelimit.db gets created on its first usage.

--
Heiko


ian at codingfriends

Dec 13, 2011, 2:27 PM

Post #11 of 14 (524 views)
Re: Ratelimit [In reply to]

Hi All

Thanks very much for the help, shall try out the different ideas when
I get back to the computer.

Thanks
Ian




--
Regards
Ian Porter

www: www.codingfriends.com



jgh at wizmail

Jul 22, 2013, 2:21 PM

Post #12 of 14 (109 views)
Re: Ratelimit [In reply to]

On 07/22/2013 09:59 PM, Matt wrote:
> I have this to slow fast senders.
>
> warn ratelimit = 100 / 1h / per_rcpt / strict
> delay = ${eval: ${sg{$sender_rate}{[.].*}{}} -
> $sender_rate_limit }s
>
> I would like to NOT enforce this on authenticated senders since I am
> slowing them elsewhere. I imagine I need to add this (!authenticated
> = *) somewhere but where?

Just after the word "warn".
--
Jeremy





hs at schlittermann

Jul 22, 2013, 2:30 PM

Post #13 of 14 (109 views)
Re: Ratelimit [In reply to]

Matt <matt.mailinglists [at] gmail> (Mo 22 Jul 2013 22:59:21 CEST):
> I have this to slow fast senders.
>
> warn ratelimit = 100 / 1h / per_rcpt / strict
> delay = ${eval: ${sg{$sender_rate}{[.].*}{}} -
> $sender_rate_limit }s
>
> I would like to NOT enforce this on authenticated senders since I am
> slowing them elsewhere. I imagine I need to add this (!authenticated
> = *) somewhere but where?

warn !authenticated = *
     ratelimit = 100 / 1h / per_rcpt / strict
     delay = ${eval: ${sg{$sender_rate}{[.].*}{}} - $sender_rate_limit}s

should do it. The order matters. The ratelimit condition should be
evaled *after* the authenticated check, otherwise even the authenticated
connections will count.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
gnupg fingerprint: 9288 F17D BBF9 9625 5ABC 285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B)-


frettled at gmail

Jul 22, 2013, 2:40 PM

Post #14 of 14 (110 views)
Re: Ratelimit [In reply to]

On Mon, Jul 22, 2013 at 11:21 PM, Jeremy Harris <jgh [at] wizmail> wrote:

> On 07/22/2013 09:59 PM, Matt wrote:
>
>> I have this to slow fast senders.
>>
>> warn ratelimit = 100 / 1h / per_rcpt / strict
>> delay = ${eval: ${sg{$sender_rate}{[.].*}{}} -
>> $sender_rate_limit }s
>>
>> I would like to NOT enforce this on authenticated senders since I am
>> slowing them elsewhere. I imagine I need to add this (!authenticated
>> = *) somewhere but where?
>>
>
> Just after the word "warn".


As I understand it:

Please also note that because you have specified "strict" rather than
leaving the default "leaky" ratelimiting, this not merely takes
_successful_ sending attempts into account, but also unsuccessful attempts.

This is a bit of a gotcha.

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#ratoptfast
--
Jan
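
Added example (not part of any post in this thread and not Exim's own code): a small Python model of the two points made above, that ACL conditions are tested in order (so a hosts or !authenticated test placed first keeps other clients out of the ratelimit database) and that strict keeps counting rejected attempts while leaky does not. The names HintsDB, ratelimit() and acl_statement(), the exponentially weighted moving average formula and the addresses are assumptions made for illustration.

```python
import math

class HintsDB:
    """Stand-in for the ratelimit hints database: key -> (last_time, rate)."""
    def __init__(self):
        self.records = {}
        self.accesses = 0          # how often the database was consulted

def ratelimit(db, key, limit, period, now, strict=False):
    """Return True if the smoothed rate for `key` has reached `limit`.

    Assumed model: exponentially weighted moving average over `period`
    seconds, one event per call.  leaky (the default) leaves the record
    untouched while the client is over the limit; strict always updates it.
    """
    db.accesses += 1
    record = db.records.get(key)
    if record is None:
        rate = 1.0
    else:
        last_time, last_rate = record
        i_over_p = max(now - last_time, 1e-9) / period
        a = math.exp(-i_over_p)
        rate = (1 - a) / i_over_p + a * last_rate
    over = rate >= limit
    if strict or not over:
        db.records[key] = (now, rate)
    return over

def acl_statement(conditions):
    """ACL conditions are tested in order; the first false one ends the test."""
    return all(cond() for cond in conditions)

LISTED = {"192.0.2.10"}            # constructed "naughty host" address

def db_accesses(hosts_first, connections=1000):
    """Count hints-database accesses for a mixed stream of client hosts."""
    db = HintsDB()
    for i in range(connections):
        host = "192.0.2.10" if i % 100 == 0 else "198.51.100.%d" % (i % 250)
        in_list = lambda: host in LISTED
        limited = lambda: ratelimit(db, host, 10, 60.0, float(i))
        acl_statement([in_list, limited] if hosts_first else [limited, in_list])
    return db.accesses

def accepted_in_flood(strict, seconds=600):
    """One attempt per second against a limit of 10 per 60 s; count accepts."""
    db = HintsDB()
    accepted = 0
    for t in range(seconds):
        if not ratelimit(db, "192.0.2.10", 10, 60.0, float(t), strict):
            accepted += 1
    return accepted

if __name__ == "__main__":
    print("db accesses, hosts first:    ", db_accesses(True))
    print("db accesses, ratelimit first:", db_accesses(False))
    print("accepted in 600 s, leaky:    ", accepted_in_flood(False))
    print("accepted in 600 s, strict:   ", accepted_in_flood(True))
```

With these constructed numbers the strict client is accepted only during its first ten seconds and stays blocked for as long as it keeps retrying, while the leaky client keeps getting roughly the configured 10 messages per minute.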