to disable the restriction for authorized clients. Most
work is implemented by a new "anvil" server. Parameters:
smtpd_client_connection_count_limit, smtpd_client_connection-
- _rate_limit, smtpd_client_connection_limit_exceptions,
- connection_rate_time_unit, and connection_rate_purge_delay.
- Documentation: smtpd(8), anvil(8), sample-smtpd.cf. Files:
- smtpd/smtpd.c, global/anvil_clnt.[hc], anvil/anvil.c. The
- anvil server logs peak count and rate information per client
- when it terminates after running out of work or after
- "postfix reload".
+ _rate_limit, smtpd_client_connection_limit_exceptions, and
+ client_connection_rate_time_unit. Documentation: smtpd(8),
+ anvil(8), sample-smtpd.cf. Files: smtpd/smtpd.c,
+ global/anvil_clnt.[hc], anvil/anvil.c. The anvil server
+ logs peak count and rate information per client when it
+ terminates after running out of work or after "postfix
+ reload".
20031110
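Review bot: editing the existing entry in place hides an incompatible rename. connection_rate_time_unit became client_connection_rate_time_unit, and anyone who already copied the old name into main.cf from the 20031111 snapshot gets no error: Postfix simply ignores an unrecognized main.cf name and the rate window silently falls back to the 60s default. The rename (and the dropped connection_rate_purge_delay) deserve their own dated line rather than a rewrite of history. Also, the parameter list loses connection_rate_purge_delay, but nothing elsewhere in this patch removes that parameter from the code or the manual page; either the removal belongs in this patch too, or the name should stay in the list.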
address). This is useful as a catch-all pattern at the
end of a table. Files: util/dict_cidr.c, util/match_ops.c.
+20031112
+
+ Feature: client_connection_status_update_time parameter
+ controls periodic logging of maximal connection counts or
+ rates. The default logging interval is 10 minutes.
+
Open problems:
High: when virtual aliasing is turned off after content
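Review bot: the 20031112 entry omits the Documentation: and Files: lines that the other entries in this file carry (compare the anvil entry above, which lists smtpd(8), anvil(8), sample-smtpd.cf and the source files); add "Documentation: anvil(8). Files: anvil/anvil.c" plus the header that defines VAR_ANVIL_STAT_TIME so the entry follows the file's convention. It also describes the parameter as controlling "periodic logging of maximal connection counts or rates", but anvil_status_dump in this patch zeroes max_rate and max_count after each report, so the logged values become peaks within the last interval rather than since process start. That is a behaviour change for the exit report as well, not just a new log interval, and belongs in the entry.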
per time unit that a client is allowed to make.
The new anvil server maintains the connection statistics, and logs
-the maximum connection count and connection rate per client whenever
+the maximum connection count and connection rate per client every
+client_connection_status_update_time seconds (10 minutes), or when
it terminates (when there is no work to be done, or when "postfix
reload" was issued). Once you have an idea what the numbers look
like, you can clamp down the limits for your system.
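Review bot: "logs the maximum connection count and connection rate per client every client_connection_status_update_time seconds" reads as if the maxima were cumulative, but anvil_status_dump in this patch zeroes max_rate and max_count after each report, so each statistics line covers only the interval since the previous one, and the final report at exit covers only the tail since the last periodic report. Say "the peak count and rate observed during each client_connection_status_update_time interval", otherwise an operator reading a single line takes an interval peak for the all-time high and clamps too low. Minor: the parameter is a time value with a unit suffix (the default is defined as "600s"), so "every ... seconds" is slightly off; "every client_connection_status_update_time (default: 10 minutes)" is accurate.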
connection_count_limit for the number of simultaneous connections
per client, and smtpd_client_connection_rate_limit for the number
of successive connections per unit time and client. The time unit
-is specified with the connection_rate_time_unit parameter, and is
-one minute by default.
+is specified with the client_connection_rate_time_unit parameter,
+and is one minute by default.
When Postfix rejects a client, it sends a 450 status code and
disconnects, and logs a warning with the client name/address and
#
# # Bounce friend@whatever, except when whatever is our domain (you would
# # be better just bouncing all friend@ mail - this is just an example).
-# /^friend@(?!my\.domain)/ 550 Stick this in your pipe $0
+# /^(friend@(?!my\.domain$).*)$/ 550 Stick this in your pipe $1
#
# # A multi-line entry. The text is sent as one line.
# #
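Review bot: the new pattern closes a real hole in the old example, and the same edit is mirrored in the other three copies in this patch (the pcre_table(5) HTML, the troff page and the source comment), which is good. With the old `(?!my\.domain)` the exemption also covered any domain that merely starts with my.domain, so friend@my.domain.example was not bounced, which is exactly the suffix trick a sender would try; the `$` inside the lookahead anchors the exemption to the whole domain. The old reply text also expanded `$0` to the matched text, which without a trailing `.*` was only `friend@`; capturing the full address in group 1 and using `$1` gives the intended text. One residual point: the exemption now matches my.domain exactly, so friend@host.my.domain is bounced; if "our domain" is meant to include subdomains, the lookahead would need to be `(?!([^@]+\.)?my\.domain$)`. Since the comment already calls this just an example, a one-line remark on that choice would do.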
# connection attempts any client is allowed to make to this service
# per time unit.
#
-# The time unit is specified with the connection_rate_time_unit
+# The time unit is specified with the client_connection_rate_time_unit
# configuration parameter, and defaults to one minute.
#
# By default, every client can make as many connections as Postfix
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
- Upon process exit, the server logs the maximal count and
- rate values measured, together with (service, client) and
- time associated with those events.
+ Upon exit, and every <b>client_connection_status_update_time</b>
+ seconds, the server logs the maximal count and rate values
+ measured, together with (service, client) information and
+ the time of day associated with those events.
<b>BUGS</b>
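Review bot: "the maximal count and rate values measured" should say "since the previous report", because anvil_status_dump now resets max_rate and max_count to zero after logging them. Also document the reporting threshold: the dump only logs when a value exceeds 1, so a missing statistics line after an interval (or at exit) means "at most one connection, or nothing happened", not "the server was not running". Operators who alert on the absence of these lines need to know that. The same text is repeated in the troff page and in the anvil.c comment block later in this patch, so all three copies need the same wording.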
- Systems behind network address translating routers or
+ Systems behind network address translating routers or
proxies appear to have the same client address and can run
into connection count and/or rate limits falsely.
In this preliminary implementation, a count (or rate) lim-
- ited server can have only one remote client at a time. If
- a server reports multiple simultaneous clients, all but
+ ited server can have only one remote client at a time. If
+ a server reports multiple simultaneous clients, all but
the last reported client are ignored.
<b>CONFIGURATION PARAMETERS</b>
- The following <b>main.cf</b> parameters are especially relevant
- to this program. Use the <b>postfix reload</b> command after a
+ The following <b>main.cf</b> parameters are especially relevant
+ to this program. Use the <b>postfix reload</b> command after a
configuration change.
- <b>connection_rate_time_unit</b>
- The unit of time over which connection rates are
+ <b>client_connection_rate_time_unit</b>
+ The unit of time over which connection rates are
calculated.
+ <b>client_connection_status_update_time</b>
+ Time interval for logging the maximal connection
+ count and connection rate information.
+
<b>SEE ALSO</b>
<a href="smtpd.8.html">smtpd(8)</a> Postfix SMTP server
-<html> <head> </head> <body> <pre>
+<html> <body> <pre>
PCRE_TABLE(5) PCRE_TABLE(5)
<b>NAME</b>
# Bounce friend@whatever, except when whatever is our domain (you would
# be better just bouncing all friend@ mail - this is just an example).
- /^friend@(?!my\.domain)/ 550 Stick this in your pipe $0
+ /^(friend@(?!my\.domain$).*)$/ 550 Stick this in your pipe $1
# A multi-line entry. The text is sent as one line.
#
# Bounce friend@whatever, except when whatever is our domain (you would
# be better just bouncing all friend@ mail - this is just an example).
-/^friend@(?!my\\.domain)/ 550 Stick this in your pipe $0
+/^(friend@(?!my\\.domain$).*)$/ 550 Stick this in your pipe $1
# A multi-line entry. The text is sent as one line.
#
.fi
Problems and transactions are logged to \fBsyslogd\fR(8).
-Upon process exit, the server logs the maximal count and rate
-values measured, together with (service, client) and time
+Upon exit, and every \fBclient_connection_status_update_time\fR
+seconds, the server logs the maximal count and rate values measured,
+together with (service, client) information and the time of day
associated with those events.
.SH BUGS
.ad
The following \fBmain.cf\fR parameters are especially relevant to
this program. Use the \fBpostfix reload\fR command after
a configuration change.
-.IP \fBconnection_rate_time_unit\fR
+.IP \fBclient_connection_rate_time_unit\fR
The unit of time over which connection rates are calculated.
+.IP \fBclient_connection_status_update_time\fR
+Time interval for logging the maximal connection count
+and connection rate information.
.SH SEE ALSO
.na
.nf
#
# # Bounce friend@whatever, except when whatever is our domain (you would
# # be better just bouncing all friend@ mail - this is just an example).
-# /^friend@(?!my\\.domain)/ 550 Stick this in your pipe $0
+# /^(friend@(?!my\\.domain$).*)$/ 550 Stick this in your pipe $1
#
# # A multi-line entry. The text is sent as one line.
# #
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/*
-/* Upon process exit, the server logs the maximal count and rate
-/* values measured, together with (service, client) and time
+/* Upon exit, and every \fBclient_connection_status_update_time\fR
+/* seconds, the server logs the maximal count and rate values measured,
+/* together with (service, client) information and the time of day
/* associated with those events.
/* BUGS
/* Systems behind network address translating routers or proxies
/* The following \fBmain.cf\fR parameters are especially relevant to
/* this program. Use the \fBpostfix reload\fR command after
/* a configuration change.
-/* .IP \fBconnection_rate_time_unit\fR
+/* .IP \fBclient_connection_rate_time_unit\fR
/* The unit of time over which connection rates are calculated.
+/* .IP \fBclient_connection_status_update_time\fR
+/* Time interval for logging the maximal connection count
+/* and connection rate information.
/* SEE ALSO
/* smtpd(8) Postfix SMTP server
/* LICENSE
/* Application-specific. */
int var_anvil_time_unit;
+int var_anvil_stat_time;
/*
* State.
static BINHASH *anvil_local_map; /* indexed by local client handle */
/*
- * Absent a real-time query interface, these are logged at process exit
- * time.
+ * Absent a real-time query interface, these are logged at process exit time
+ * and at regular intervals.
*/
static int max_count;
static char *max_count_user;
static void post_jail_init(char *unused_name, char **unused_argv)
{
+ static void anvil_status_update(int, char *);
+
+ /*
+ * Dump and reset extreme usage every so often.
+ */
+ event_request_timer(anvil_status_update, (char *) 0, var_anvil_stat_time);
/*
* Initial client state tables.
var_use_limit = 0;
}
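Review bot: the block-scope `static void anvil_status_update(int, char *);` declaration is a constraint violation in ISO C (C99 6.7.1p5: a function declared at block scope may carry no storage-class specifier other than extern); gcc lets it through as an extension, but compilers that enforce the constraint reject it. Move the forward declaration to file scope next to the other static prototypes, or define anvil_status_update above post_jail_init. Also note the timer is armed at startup for a full var_anvil_stat_time before anything has been measured, and the anvil server exits when it runs out of work, so a short-lived instance may never produce a periodic line and the exit report is the only one; that matches the DIAGNOSTICS text, but it is worth keeping in mind when choosing the interval.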
-/* anvil_status_dump - log the extremes before terminating */
+/* anvil_status_dump - log and reset extreme usage */
static void anvil_status_dump(char *unused_name, char **unused_argv)
{
- if (max_rate > 0)
- msg_info("statistics: maximal rate %d/%ds for (%s) at %.15s",
+ if (max_rate > 1) {
+ msg_info("statistics: max connection rate %d/%ds for (%s) at %.15s",
max_rate, var_anvil_time_unit,
max_rate_user, ctime(&max_rate_time) + 4);
- if (max_count > 0)
- msg_info("statistics: maximal count %d for (%s) at %.15s",
+ max_rate = 0;
+ }
+ if (max_count > 1) {
+ msg_info("statistics: max connection count %d for (%s) at %.15s",
max_count, max_count_user, ctime(&max_count_time) + 4);
+ max_count = 0;
+ }
+}
+
+/* anvil_status_update - log and reset extreme usage periodically */
+
+static void anvil_status_update(int unused_event, char *context)
+{
+ anvil_status_dump((char *) 0, (char **) 0);
+ event_request_timer(anvil_status_update, context, var_anvil_stat_time);
}
/* main - pass control to the multi-threaded skeleton */
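Review bot: two behaviour changes in this hunk are not mentioned in the HISTORY or RELEASE_NOTES text: the threshold moves from `> 0` to `> 1`, so a peak of exactly one connection (or one connection per time unit) is no longer reported, and both maxima are zeroed after each report, so every line is an interval peak. Both are defensible (one client with one connection is noise), but document them, and note that the message text changes from "maximal rate"/"maximal count" to "max connection rate"/"max connection count", which breaks any log matching written against the 20031111 snapshot. Minor: the reset is skipped when the peak is exactly 1, so that value carries into the next interval; harmless since 1 is the floor, but moving `max_rate = 0;` and `max_count = 0;` outside the `if` blocks makes the "log and reset" comment literally true and is easier to reason about.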
{
static CONFIG_TIME_TABLE time_table[] = {
VAR_ANVIL_TIME_UNIT, DEF_ANVIL_TIME_UNIT, &var_anvil_time_unit, 1, 0,
+ VAR_ANVIL_STAT_TIME, DEF_ANVIL_STAT_TIME, &var_anvil_stat_time, 1, 0,
0,
};
#define DEF_SMTPD_HOGGERS "$" VAR_MYNETWORKS
extern char *var_smtpd_hoggers;
-#define VAR_ANVIL_TIME_UNIT "connection_rate_time_unit"
+#define VAR_ANVIL_TIME_UNIT "client_connection_rate_time_unit"
#define DEF_ANVIL_TIME_UNIT "60s"
extern int var_anvil_time_unit;
+#define VAR_ANVIL_STAT_TIME "client_connection_status_update_time"
+#define DEF_ANVIL_STAT_TIME "600s"
+extern int var_anvil_stat_time;
+
/*
* Temporary stop gap.
*/
#if 0
#include <anvil_clnt.h>
-#define VAR_ANVIL_SERVICE "connection_rate_service"
+#define VAR_ANVIL_SERVICE "client_connection_rate_service"
#define DEF_ANVIL_SERVICE "local:" ANVIL_CLASS "/" ANVIL_SERVICE
extern char *var_anvil_service;
#endif
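Review bot: VAR_ANVIL_TIME_UNIT keeps its C identifier while the main.cf string changes, so no compile-time signal reaches any other code or documentation that still mentions connection_rate_time_unit; a grep for the old string before commit would confirm that sample-smtpd.cf, smtpd(8) and the HISTORY entry are the only remaining places (the ones this patch updates). DEF_ANVIL_STAT_TIME "600s" agrees with the "10 minutes" stated in the documentation hunks. The VAR_ANVIL_SERVICE rename is consistent but still sits under `#if 0` as a "temporary stop gap"; decide before release whether the service name should be configurable and either enable it or drop the block, since a renamed parameter that is compiled out cannot be tested.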
* Patches change the patchlevel and the release date. Snapshots change the
* release date only, unless they include the same bugfix as a patch release.
*/
-#define MAIL_RELEASE_DATE "20031111"
+#define MAIL_RELEASE_DATE "20031113"
#define VAR_MAIL_VERSION "mail_version"
#define DEF_MAIL_VERSION "2.0.16-" MAIL_RELEASE_DATE