Limit outgoing emails, postfwd?

Discussion in 'Installation/Configuration' started by rob_morin, Oct 26, 2015.

  1. rob_morin

    rob_morin Member HowtoForge Supporter

    Hello, I have some clients that use weak email passwords, and the result is that someone spams out lots of crap from our mail server. I am wondering if anyone here has used postfwd or something else to limit outgoing email to something like 25 recipients per hour or something like this.

    Thanks.
     
  2. Jesse Norell

    Jesse Norell Active Member

    I've used postfwd on other servers, and it does that job nicely. I've seen another tool suggested for that around the forums/bug tracker here (don't remember the name, it was some policy daemon) that I intend to check into "soon," but probably not in a timely enough manner to help you now.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. rob_morin

    rob_morin Member HowtoForge Supporter

    Hey Jesse, I installed postfwd, but cannot seem to get the rules working correctly.
    I have this rule, and when I enable it, every email gets rejected rather than doing what it's supposed to do. Any idea as to why?
    Code:
    id=RULE003
      sasl_username=~/^(\S+)$/
      action=rcpt(sasl_username/10/30/REJECT only 10 recipients per 30 mins for $$sasl_username)
     
  5. Jesse Norell

    Jesse Norell Active Member

    This is a 30 second rule I'm using in production:
    Code:
    id=sasl_rcpt_30sec
      sasl_username=~$$sender
      action=rcpt(sasl_username/960/30/421 4.7.1: $$sasl_username: sending too fast.)
    You'll find 10 recipients per 30 seconds unacceptably low for any normal system. Eg. a single message will quite often exceed that (send this joke to all my friends....). Maybe a special purpose mail server could get away with it.
     
  6. Jesse Norell

    Jesse Norell Active Member

    On a related note, I intend to incorporate some rate limiting into ispconfig; I wanted to look at policyd (yes @till, I think that's the one), and use it if it seems preferable, or otherwise use postfwd. Probably I'd publish a howto/article first (or post to the tips forum), and work on proper integration in ispconfig later. My timeframe for this type of thing is more in weeks than days, but hopefully can have some ispconfig specific setup eventually.
     
  7. rob_morin

    rob_morin Member HowtoForge Supporter

    Lol, I mixed up seconds and minutes in my rule!

    So you're saying 960 emails in 30 seconds??
     
  8. rob_morin

    rob_morin Member HowtoForge Supporter

    So in this log excerpt, does this say this user sent only one email in the last 5 mins?

    Code:
    Oct 29 12:34:28 peter postfwd2/policy[13500]: updating parent rate limit object 'CMD=S2;TYPE=rate;ITEM=sasl_username=[email protected][email protected][email protected]446136768.54117///action=421 4.7.1: [email protected]: sending too fast.'
     
  9. rob_morin

    rob_morin Member HowtoForge Supporter

    OK, with a dumpstats I see this... So I guess this IP is getting that 450 message now? lol

    Code:
    %rate_cache -> %client_address=201.74.120.118 -> @list -> 'RULE001+7_300'
    %rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @action -> '450 4.7.1 only 7 recipients per 5 minutes allowed'
    %rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @count -> '1'
    %rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @maxcount -> '7'
    %rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @rule -> 'RULE001'
    %rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @TimE -> '1446137731.49025'
    %rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @ttl -> '300'
    %rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @type -> 'rate'
    %rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @until -> '1446138031.49025'
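The dumpstats lines answer the question, but reading them by hand is error-prone. As an added example (not code from the thread or from postfwd), here is a small Python parser for that output which reports, per item and rule, how many hits the current window has seen and how many remain. It treats a counter as tripped once @count exceeds @maxcount, which is how the rate()/rcpt() actions fire (the action is returned when the counter exceeds <max> within <time> seconds). Run on the lines above it shows one hit of seven in a 300-second window, so the 450 has not fired yet for that client.

```python
# Parser for postfwd "dumpstats" rate_cache output.  The sample below is the
# output posted above; the parser itself is added here as an illustration.
DUMPSTATS = """\
%rate_cache -> %client_address=201.74.120.118 -> @list -> 'RULE001+7_300'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @action -> '450 4.7.1 only 7 recipients per 5 minutes allowed'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @count -> '1'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @maxcount -> '7'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @rule -> 'RULE001'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @TimE -> '1446137731.49025'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @ttl -> '300'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @type -> 'rate'
%rate_cache -> %client_address=201.74.120.118 -> %RULE001+7_300 -> @until -> '1446138031.49025'
"""


def parse_dumpstats(text):
    """Return {item: {rule_key: {attr: value}}} from dumpstats lines.

    Each line is a ' -> ' separated path under %rate_cache; the last element
    is the quoted value.  '%client_address=1.2.3.4' is the counted item and
    '%RULE001+7_300' is the counter key (rule id + maxcount + ttl).
    """
    cache = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" -> ")]
        if len(parts) < 4 or parts[0] != "%rate_cache":
            continue
        item = parts[1].lstrip("%")
        value = parts[-1].strip("'")
        if parts[2].startswith("@"):                 # '@list' of counter keys
            cache.setdefault(item, {})["_list"] = value
            continue
        rule_key = parts[2].lstrip("%")
        attr = parts[3].lstrip("@").lower()          # '@TimE' -> 'time'
        cache.setdefault(item, {}).setdefault(rule_key, {})[attr] = value
    return cache


def counter_status(entry):
    """Summarise one counter: hits so far, the limit, remaining headroom,
    window length, and whether the configured action is currently firing."""
    count = int(entry["count"])
    maxcount = int(entry["maxcount"])
    window_start = float(entry["time"])
    until = float(entry["until"])
    return {
        "count": count,
        "maxcount": maxcount,
        "remaining": max(maxcount - count, 0),
        "window_seconds": int(round(until - window_start)),
        # postfwd returns the action once the counter *exceeds* maxcount
        "limit_hit": count > maxcount,
        "action": entry.get("action", ""),
    }


if __name__ == "__main__":
    for item, rules in parse_dumpstats(DUMPSTATS).items():
        for key, entry in rules.items():
            if key != "_list":
                print(item, key, counter_status(entry))
```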
     
  10. Jesse Norell

    Jesse Norell Active Member

    960 recipients in 30 seconds for a given authenticated sender address (this is on a hosting server with ~100 domains). We've run into issues with eg. billing software that sends to hundreds of users, some people using large bcc lists instead of a mailing list, and I think some other "legitimate use" scenario. You could surely add an exemption for individual senders and/or client ip addrs, but we bumped limits up to where it worked for all our legitimate senders.
    We use numerous rules, for client ip, limit by sender, limit by recipient, and all in different rates - the idea being to accommodate legitimate short term bursts, but ratchet down pretty quickly over some longer time ranges. You have to account for system use (eg. any spam training accounts, webmail, localhost usage, etc.), which in ispconfig will probably vary depending on local setup... so not an easy "here, just do this".
    All these rate limits used to be much more effective; spammers change tactics and we rarely get spam runs that are a high enough rate to hit the postfwd limits nowadays.

    Here's the full config from this particular hosting server (we may have a few servers with some additional useful config) -- Note, this is on a DTC server, NOT an ispconfig server:
    Code:
    ##
    ## Definitions
    ##
    
    # redefine these in postfwd-local.cf if needed
    
    # Business Hours
    &&BUSINESS_HOURS {
      days=Mon-Fri
      time=07:15:00 - 18:45:00
    };
    
    # Busy Hours
    &&BUSY {
      days=Mon-Fri
      time=05:45:00 - 18:45:00
    };
    
    # !!&&BUSY doesn't look to work right, so create 2 rules with:
    &&WEEKEND {
      !!days=Mon-Fri
    };
    &&SLOW {
      days=Mon-Fri
      !!time=05:45:00 - 18:45:00
    };
    
    
    ##
    ## Postfwd limits for System accounts
    ##
    
    # Spam Trainer
    id=spam_trainer_sender_15sec
      client_address=127.0.0.1
      recipient=(ham|spam)@mx.dtc1.domain.com
      action=rate(sender/300/15/421 4.7.1 Slow down there, $$sender.)
    id=spam_trainer_recip_30sec
      client_address=127.0.0.1
      recipient=(ham|spam)@mx.dtc1.domain.com
      action=rate(recipient/600/30/421 4.7.1 Slow down there, $$sender.)
    id=spam_trainer_recip_5min
      client_address=127.0.0.1
      recipient=(ham|spam)@mx.dtc1.domain.com
      action=rate(recipient/1200/300/421 4.7.1 Slow down there, $$sender.)
    id=spam_trainer_recip_1hr
      client_address=127.0.0.1
      recipient=(ham|spam)@mx.dtc1.domain.com
      action=rate(recipient/3600/3600/421 4.7.1 Slow down there, $$sender.)
    id=spam_trainer_ok
      client_address=127.0.0.1
      recipient=(ham|spam)@mx.dtc1.domain.com
      action=OK
    
    ##
    ## Client IP Message Rate Limits
    ##
    
    # webmail comes in from localhost (127.0.0.1),
    # as does other website-generated traffic
    
    id=ip_msg_slow_15sec
      &&SLOW
      client_address!=127.0.0.1
      action=rate(client_address/150/15/421 4.7.1: $$client_address: sending too fast.)
    id=ip_msg_weekend_15sec
      &&WEEKEND
      client_address!=127.0.0.1
      action=rate(client_address/150/15/421 4.7.1: $$client_address: sending too fast.)
    id=ip_msg_slow_60sec
      &&SLOW
      client_address!=127.0.0.1
      action=rate(client_address/360/60/421 4.7.1: $$client_address: sending too fast.)
    id=ip_msg_weekend_60sec
      &&WEEKEND
      client_address!=127.0.0.1
      action=rate(client_address/360/60/421 4.7.1: $$client_address: sending too fast.)
    
    #  allow localhost here (good ? bad ?)
    id=ip_msg_10min
      action=rate(client_address/600/600/421 4.7.1: $$client_address: sending too fast.)
    
    id=ip_msg_3hr
      client_address!=127.0.0.1
      action=rate(client_address/1800/10800/421 4.7.1: $$client_address: too many messages, try later.)
    id=ip_msg_24hr
      client_address!=127.0.0.1
      action=rate(client_address/3600/86400/421 4.7.1: $$client_address: too many messages, try later.)
    id=ip_msg_72hr
      client_address!=127.0.0.1
      action=rate(client_address/7200/259200/421 4.7.1: $$client_address: too many messages, try later.)
    
    ##
    ## Client IP Recipient Rate Limits
    ##
    
    id=ip_rcpt_busy_30sec
      client_address!=127.0.0.1
      action=rcpt(client_address/421/30/421 4.7.1: $$client_address: sending too fast.)
    id=ip_rcpt_5min
      client_address!=127.0.0.1
      action=rcpt(client_address/600/300/421 4.7.1: $$client_address: sending too fast.)
    
    #  allow localhost here with temp reject
    id=ip_rcpt_10min
      action=rcpt(client_address/1800/600/421 4.7.1: $$client_address: sending too fast.)
    
    id=ip_rcpt_1hr
      client_address!=127.0.0.1
      action=rcpt(client_address/3600/3600/421 4.7.1: $$client_address: too many recipients, try later.)
    id=ip_rcpt_24hr
      client_address!=127.0.0.1
      action=rcpt(client_address/14400/86400/421 4.7.1: $$client_address: too many recipients, try later.)
    
    
    ##
    ## SASL Auth Message Rate Limits
    ##
    
    id=sasl_msg_30sec
      sasl_username=~$$sender
      action=rate(sasl_username/360/30/421 4.7.1: $$sasl_username: sending too fast.)
    id=sasl_msg_3hr
      sasl_username=~$$sender
      action=rate(sasl_username/1080/10800/421 4.7.1: $$sasl_username: too many messages, try later.)
    id=sasl_msg_24hr
      sasl_username=~$$sender
      action=rate(sasl_username/1800/86400/421 4.7.1: $$sasl_username: too many messages, try later.)
    id=sasl_msg_72hr
      sasl_username=~$$sender
      action=rate(sasl_username/3600/259200/421 4.7.1: $$sasl_username: too many messages, try later.)
    
    # sasl authenticated, different sender addr:
    #id=sasl_diff_msg_60sec
    #  sasl_username!=''; sasl_username!=$$sender
    #  action=rate(sasl_username/120/60/421 4.7.1: $$sasl_username: sending too fast.)
    
    
    # SASL Auth Recipient Rate Limits
    
    id=sasl_rcpt_30sec
      sasl_username=~$$sender
      action=rcpt(sasl_username/960/30/421 4.7.1: $$sasl_username: sending too fast.)
    id=sasl_rcpt_busy_3hr
      sasl_username=~$$sender
      action=rcpt(sasl_username/1800/10800/421 4.7.1: $$sasl_username: too many recipients, try later.)
    id=sasl_rcpt_slow_3hr
      &&SLOW
      sasl_username=~$$sender
      action=rcpt(sasl_username/600/10800/421 4.7.1: $$sasl_username: too many recipients, try later.)
    id=sasl_rcpt_weekend_3hr
      &&WEEKEND
      sasl_username=~$$sender
      action=rcpt(sasl_username/600/10800/421 4.7.1: $$sasl_username: too many recipients, try later.)
    id=sasl_rcpt_24hr
      sasl_username=~$$sender
      action=rcpt(sasl_username/3600/86400/421 4.7.1: $$sasl_username: too many recipients, try later.)
    id=sasl_rcpt_72hr
      sasl_username=~$$sender
      action=rcpt(sasl_username/7200/259200/421 4.7.1: $$sasl_username: too many recipients, try later.)
    
    
    # Sender Addr Limits (non-authenticated senders)
    
    id=sender_msg_45sec
      sasl_username=''
      action=rate(sender/180/30/421 4.7.1 $$sender: sending too fast.)
    id=sender_msg_10min
      sasl_username=''
      action=rate(sender/300/600/421 4.7.1 $$sender: sending too fast, try later.)
    id=sender_msg_slow_30min
      &&SLOW
      sasl_username=''
      action=rate(sender/360/1800/421 4.7.1: $$sender: too many messages, try later.)
    id=sender_msg_weekend_30min
      &&WEEKEND
      sasl_username=''
      action=rate(sender/360/1800/421 4.7.1: $$sender: too many messages, try later.)
    id=sender_msg_1hr
      sasl_username=''
      action=rate(sender/600/3600/421 4.7.1: $$sender: too many messages, try later.)
    id=sender_msg_24hr
      sasl_username=''
      action=rate(sender/1800/86400/421 4.7.1: $$sender: too many messages, try later.)
    
    id=sender_rcpt_1min
      sasl_username=''
      action=rcpt(sender/360/60/421 4.7.1 $$sender: sending too fast.)
    id=sender_rcpt_1hr
      sasl_username=''
      action=rcpt(sender/1200/3600/421 4.7.1: $$sender: too many recipients, try later.)
    id=sender_rcpt_24hr
      sasl_username=''
      action=rcpt(sender/3600/86400/421 4.7.1: $$sender: too many recipients, try later.)
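To see how the layered windows in this config behave, here is an added Python model (not postfwd itself and not part of the thread) of postfwd's fixed-window rate()/rcpt() counters, fed with two constructed scenarios: a single 500-recipient billing message, and an abused account sending 20 recipients every ten seconds for an hour. The sender addresses and the scenarios are invented; the limits are the sasl_* values from the config above, and the 10-per-30-seconds rule from earlier in the thread is included for comparison.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RateRule:
    """A postfwd-style counter: the action fires when the counter for an
    item *exceeds* maxcount within a fixed window of ttl seconds.
    rate() adds 1 per message, rcpt() adds the message's recipient count."""
    rule_id: str
    maxcount: int
    ttl: int
    per_recipient: bool = False
    # item -> (count, window end); mirrors @count/@maxcount/@ttl/@until in dumpstats
    counters: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def hit(self, item: str, now: float, recipients: int) -> bool:
        count, until = self.counters.get(item, (0, 0.0))
        if now >= until:                      # window expired: start a fresh one
            count, until = 0, now + self.ttl
        count += recipients if self.per_recipient else 1
        self.counters[item] = (count, until)
        return count > self.maxcount


def policy_check(rules: List[RateRule], item: str, recipients: int, now: float) -> Optional[str]:
    """Walk the rules in order.  A rate/rcpt action whose counter does not
    overflow lets evaluation fall through to the next rule; the first
    overflowing rule ends evaluation and its id is returned."""
    for rule in rules:
        if rule.hit(item, now, recipients):
            return rule.rule_id
    return None


def sasl_rules() -> List[RateRule]:
    """Limits copied from the sasl_* rules of the config above."""
    return [
        RateRule("sasl_msg_30sec", 360, 30),
        RateRule("sasl_msg_3hr", 1080, 10800),
        RateRule("sasl_rcpt_30sec", 960, 30, per_recipient=True),
        RateRule("sasl_rcpt_busy_3hr", 1800, 10800, per_recipient=True),
        RateRule("sasl_rcpt_24hr", 3600, 86400, per_recipient=True),
    ]


def run_scenarios() -> dict:
    results = {}
    # 1) legitimate burst (constructed): one billing run, 500 recipients in one message
    results["billing_run"] = policy_check(sasl_rules(), "billing@example.com", 500, 0.0)
    # the same message under the original 10-recipients-per-30-seconds rule
    strict = [RateRule("RULE003", 10, 30, per_recipient=True)]
    results["billing_run_strict"] = policy_check(strict, "billing@example.com", 500, 0.0)
    # 2) low-rate abuse (constructed): 20 recipients every 10 s for an hour (360 messages)
    rules = sasl_rules()
    first = None
    for i in range(360):
        t = 10.0 * i
        verdict = policy_check(rules, "alice@example.com", 20, t)
        if verdict is not None and first is None:
            first = (t, verdict)
    results["trickle_first_reject"] = first
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The billing run passes the 960-per-30-seconds rule but is rejected outright by the 10-per-30-seconds rule; the steady trickle never trips any short window and is caught by the 3-hour recipient counter after 90 messages (1800 recipients), which is the short-burst-versus-longer-window idea described above.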
    
     
  11. rob_morin

    rob_morin Member HowtoForge Supporter

    Thanks for the info Jesse, it's a very big help. Our main problem is that some clients' email users were getting their email passwords hacked and thus sending out spam from those accounts, and then our mail server was getting blacklisted because of it.... So we hope to stop these stolen outbound email accounts that are spamming out....

    Thanks again, you're great!
     
  12. Jesse Norell

    Jesse Norell Active Member

    postfwd can help with high rate spam runs there, but as I mentioned, that's not the norm anymore, we generally see mail trickle in/through from abused accounts. I don't have a good automated solution for that in place, but it would involve spam scanning the outgoing mail and doing some rate limiting combined with spam score (eg. X messages exceed Y score in Z timeframe, that sender starts getting temp rejects, and/or admin notification, and/or lock their password at some point). Also if you could record what a user's normal mail usage is (eg. per day maybe?) and compare current usage with "normal" that might be a useful input into such a system.
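As an added sketch of the score-plus-rate idea in this post (example code, not something the thread or postfwd provides), the following Python class keeps, per sender, a sliding window of outbound messages whose spam score exceeds a threshold together with a 24-hour count of all messages. Once more than X high-scoring messages arrive within Z seconds the sender gets temp rejects, and if that sender is also far above its recorded "normal" daily volume the decision escalates to an admin notification / account lock. The thresholds, the baseline of 20 messages a day, the sender address and the message stream are all constructed values.

```python
from collections import deque
from typing import Deque, Dict, List, Optional


class OutboundAbuseMonitor:
    """Combine outbound spam scores with per-sender rate limiting.

    A sender whose number of high-scoring messages in the last `window`
    seconds exceeds `max_flagged` gets temporary rejects; if that sender is
    also sending far above its normal daily volume, escalate instead."""

    def __init__(self, score_threshold: float = 5.0, max_flagged: int = 10,
                 window: int = 3600, baseline_multiplier: float = 3.0,
                 baselines: Optional[Dict[str, int]] = None):
        self.score_threshold = score_threshold      # Y: score that counts as spammy
        self.max_flagged = max_flagged              # X: spammy messages tolerated per window
        self.window = window                        # Z: window length in seconds
        self.baseline_multiplier = baseline_multiplier
        self.baselines: Dict[str, int] = baselines or {}   # sender -> normal msgs/day
        self.flagged: Dict[str, Deque[float]] = {}          # sender -> times of spammy msgs
        self.daily: Dict[str, Deque[float]] = {}            # sender -> times of all msgs (24h)

    @staticmethod
    def _prune(dq: Deque[float], now: float, horizon: float) -> None:
        while dq and dq[0] <= now - horizon:
            dq.popleft()

    def observe(self, sender: str, now: float, spam_score: float) -> str:
        """Record one outbound message; return 'accept', 'tempfail' or 'lock_and_notify'."""
        daily = self.daily.setdefault(sender, deque())
        daily.append(now)
        self._prune(daily, now, 86400)
        flagged = self.flagged.setdefault(sender, deque())
        if spam_score >= self.score_threshold:
            flagged.append(now)
        self._prune(flagged, now, self.window)
        if len(flagged) <= self.max_flagged:
            return "accept"
        # more than X messages over score Y within Z seconds: start temp-rejecting
        baseline = self.baselines.get(sender)
        if baseline is not None and len(daily) > self.baseline_multiplier * baseline:
            return "lock_and_notify"        # also far above this sender's normal day
        return "tempfail"


def simulate_trickle() -> List[str]:
    """Constructed stream: one message every 2 minutes, every second one
    scoring 7.5, from an account whose baseline is ~20 messages a day."""
    mon = OutboundAbuseMonitor(baselines={"alice@example.com": 20})
    decisions = []
    for i in range(100):
        score = 7.5 if i % 2 == 1 else 1.0
        decisions.append(mon.observe("alice@example.com", 120.0 * i, score))
    return decisions


if __name__ == "__main__":
    d = simulate_trickle()
    print("first tempfail at message", d.index("tempfail"))
    print("first escalation at message", d.index("lock_and_notify"))
```

In the constructed stream the eleventh high-scoring message (message 22, about 42 minutes in) starts the temp rejects, and the escalation only happens once the day's volume passes three times the baseline, so a sender with one bad afternoon is slowed down while a fully taken-over account is flagged to the admin.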
     
  13. rob_morin

    rob_morin Member HowtoForge Supporter

    Thanks for the help Jesse, we also scan outgoing emails too.... I will also try to do what you suggested...
    Have a great day!
     
