I do a lot of email submission from my laptop on the road to our corporate email server.

Problem was that rate-control was based on IP addresses, which didn't give me the control that I wanted. For instance, having the same ClientRate and ClientConn for myself using the submission port (587) as someone else using the smtp port (25) just because we both happened to be on an AT&T wifi hotspot made no sense.

So after an hour or so of investigation, I came up with the following ruleset changes. It rocks.

The default config for sendmail.mc contains either:

    DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')dnl

or:

    DAEMON_OPTIONS(`Port=smtp, Name=MTA')

if you're running an internet accessible relay, but if you also uncomment (via the 'dnl') from:

    dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

you've also enabled the submission port.

This patch lets you search the access database for "ClientRate", "ClientConn", and "GreetPause" entries not just based on the IP address, but also on the name of the service ("MSA" versus "MTA" or "MTA-v4").

Hence if I add:

    ClientConn:MSA 10
    ClientRate:MSA 0
    GreetPause:MSA 0

I've specified that for connections on the submission port (which are authenticated), I can have up to 10 simultaneous connections with no incoming connection rate limit and no initial greet-pause.

Which is a good thing, because my defaults are meant to be constraining:

    ClientConn: 1
    ClientRate: 2

and my sendmail.mc contains:

    FEATURE(`greet_pause', `5000')dnl

which are very effective at throttling the Internet in general when someone tries to exploit our server as an open relay or even attempts a DoS attack on it.

(Note the last line could also have been done as: "GreetPause: 5" in my access file).

Now I can connect from wherever I like, and have the same defaults I get on the corporate network:

    ClientConn:192.168.1 10
    ClientRate:192.168.1 0
    GreetPause:192.168.1 0

be applied on the road as well.

I hope you all find this patch useful.

I've submitted it as a suggestion to the sendmail maintainers, but they tend to be conservative in accepting 'enhancements', so it might not be integrated.

-Philip
--- sendmail-cf/feature/greet_pause.m4.orig 2004-07-06 14:49:51.000000000 -0600 +++ sendmail-cf/feature/greet_pause.m4 2011-12-19 18:32:18.036025424 -0700 @@ -36,6 +36,7 @@ ifdef(`_ACCESS_TABLE_', `dnl R$+ $| $+ $: $>D < $1 > <?> <! GreetPause> < $2 > R $| $+ $: $>A < $1 > <?> <! GreetPause> <> empty client_name R<?> <$+> $: $>A < $1 > <?> <! GreetPause> <> no: another lookup +R<?> <$*> $: $>D < $&{daemon_name} > <?> <! GreetPause> < $1 > ifelse(len(X`'_ARG_),`1', `R<?> <$*> $@', `R<?> <$*> $# _ARG_') --- sendmail-cf/m4/proto.m4.orig 2011-10-24 06:25:58.000000000 -0600 +++ sendmail-cf/m4/proto.m4 2011-12-19 18:34:58.113969993 -0700 @@ -2965,7 +2965,7 @@ ifdef(`_RATE_CONTROL_',`dnl ###################################################################### SRateControl ifdef(`_ACCESS_TABLE_', `dnl -R$* $: <A:$&{client_addr}> <E:> +R$* $: <A:$&{client_addr}> <E:$&{daemon_name}> <E:> dnl also look up a default value via E: R$+ $: $>SearchList <! ClientRate> $| $1 <> dnl found nothing: stop here @@ -2987,7 +2987,7 @@ ifdef(`_CONN_CONTROL_',`dnl ###################################################################### SConnControl ifdef(`_ACCESS_TABLE_', `dnl -R$* $: <A:$&{client_addr}> <E:> +R$* $: <A:$&{client_addr}> <E:$&{daemon_name}> <E:> dnl also look up a default value via E: R$+ $: $>SearchList <! ClientConn> $| $1 <> dnl found nothing: stop here
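Review bot: in the greet_pause.m4 hunk, the added rule sends $&{daemon_name} through the same $>D host lookup that the first rule applies to the client name, so daemon names and client host names share one key space under GreetPause: and a daemon name containing dots would be treated as a domain. An exact-match lookup on a key form that cannot be a host name would avoid the overlap. The hunk also needs a note in the feature's documentation that the greet pause runs before the greeting, so a zero pause keyed on a daemon name applies to every client connecting to that daemon, whether or not it later authenticates.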
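Review bot: in the SRateControl hunk of proto.m4, <E:$&{daemon_name}> sits after <A:$&{client_addr}>, so any address or network entry that matches the client still overrides the per-daemon value, and the precedence is not documented anywhere in the change. If the daemon entry is meant to win for submission clients the order has to be reversed; either way, state the order in the documentation. The unchanged comment "dnl also look up a default value via E:" no longer describes the list and should mention the daemon-name lookup.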
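Review bot: in the SConnControl hunk of proto.m4, the new <E:$&{daemon_name}> lookup is keyed on the daemon name alone and nothing in the rule ties the relaxed limit to an authenticated session. The connection limit is evaluated when the connection arrives, before any AUTH exchange, so an entry like ClientConn:MSA 10 raises the limit for every client that reaches that daemon. Say so in the documentation for the new key, and update the stale "dnl also look up a default value via E:" comment here as well.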
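The lookup order that the patched RateControl and ConnControl rules produce, modelled in Python as an added example (not part of the original post or of sendmail). The function names, the 203.0.113.x sample addresses and the extra network entry in the last case are constructed for illustration; the model is IPv4-only and ignores case folding of keys.

```python
# Model of the patched search list: <A:client_addr> <E:daemon_name> <E:>
# Constructed access map using the entries quoted in the post.
ACCESS = {
    "ClientConn:MSA": "10",
    "ClientRate:MSA": "0",
    "ClientConn:192.168.1": "10",
    "ClientRate:192.168.1": "0",
    "ClientConn:": "1",
    "ClientRate:": "2",
}


def address_keys(addr):
    """A: lookup order: the full IPv4 address, then each shorter dotted prefix."""
    parts = addr.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]


def search(tag, client_addr, daemon_name, access=ACCESS):
    """Return (matched_key, value) for the first hit, or (None, None)."""
    candidates = address_keys(client_addr)   # <A:$&{client_addr}>
    if daemon_name:
        candidates.append(daemon_name)       # <E:$&{daemon_name}>, added by the patch
    candidates.append("")                    # <E:>, the default entry
    for key in candidates:
        full = f"{tag}:{key}"
        if full in access:
            return full, access[full]
    return None, None


if __name__ == "__main__":
    # Hotspot client on the submission daemon: the daemon entry applies.
    print(search("ClientConn", "203.0.113.7", "MSA"))
    # Same client on the public SMTP daemon: falls through to the default.
    print(search("ClientConn", "203.0.113.7", "MTA"))
    # Corporate network: the address entry matches before the daemon name.
    print(search("ClientRate", "192.168.1.20", "MTA"))
    # A network entry for the hotspot range (constructed) overrides MSA,
    # because address lookups come first in the list.
    extra = dict(ACCESS, **{"ClientConn:203.0.113": "2"})
    print(search("ClientConn", "203.0.113.7", "MSA", extra))
```

The last case is the one to keep in mind when auditing an access file: a restrictive entry for an address range still takes precedence over a per-daemon entry.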