From: Wietse Venema Date: Thu, 13 Nov 2003 05:00:00 +0000 (-0500) Subject: postfix-2.0.16-20031113 X-Git-Tag: v2.1-RC1-20040331~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0a1f54070e2d2db746d323ef164a736f483825e;p=thirdparty%2Fpostfix.git postfix-2.0.16-20031113 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 21e88a010..ae0da92eb 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -8735,13 +8735,13 @@ Apologies for any names omitted. to disable the restriction for authorized clients. Most work is implemented by a new "anvil" server. Parameters: smtpd_client_connection_count_limit, smtpd_client_connection- - _rate_limit, smtpd_client_connection_limit_exceptions, - connection_rate_time_unit, and connection_rate_purge_delay. - Documentation: smtpd(8), anvil(8), sample-smtpd.cf. Files: - smtpd/smtpd.c, global/anvil_clnt.[hc], anvil/anvil.c. The - anvil server logs peak count and rate information per client - when it terminates after running out of work or after - "postfix reload". + _rate_limit, smtpd_client_connection_limit_exceptions, and + client_connection_rate_time_unit. Documentation: smtpd(8), + anvil(8), sample-smtpd.cf. Files: smtpd/smtpd.c, + global/anvil_clnt.[hc], anvil/anvil.c. The anvil server + logs peak count and rate information per client when it + terminates after running out of work or after "postfix + reload". 20031110 @@ -8749,6 +8749,12 @@ Apologies for any names omitted. address). This is useful as a catch-all pattern at the end of a table. Files: util/dict_cidr.c, util/match_ops.c. +20031112 + + Feature: client_connection_status_update_time parameter + controls periodic logging of maximal connection counts or + rates. The default logging interval is 10 minutes. + Open problems: High: when virtual aliasing is turned off after content diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 0c706477a..93446e973 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -37,7 +37,8 @@ and no limit is imposed on the number of successive connections per time unit that a client is allowed to make. The new anvil server maintains the connection statistics, and logs -the maximum connection count and connection rate per client whenever +the maximum connection count and connection rate per client every +client_connection_status_update_time seconds (10 minutes), or when it terminates (when there is no work to be done, or when "postfix reload" was issued). Once you have an idea what the numbers look like, you can clamp down the limits for your system. @@ -46,8 +47,8 @@ The relevant main.cf configuration parameters are: smtpd_client_- connection_count_limit for the number of simultaneous connections per client, and smtpd_client_connection_rate_limit for the number of successive connections per unit time and client. The time unit -is specified with the connection_rate_time_unit parameter, and is -one minute by default. +is specified with the client_connection_rate_time_unit parameter, +and is one minute by default. When Postfix rejects a client, it sends a 450 status code and disconnects, and logs a warning with the client name/address and diff --git a/postfix/conf/pcre_table b/postfix/conf/pcre_table index 56f424411..ff03d585b 100644 --- a/postfix/conf/pcre_table +++ b/postfix/conf/pcre_table @@ -152,7 +152,7 @@ # # # Bounce friend@whatever, except when whatever is our domain (you would # # be better just bouncing all friend@ mail - this is just an example). -# /^friend@(?!my\.domain)/ 550 Stick this in your pipe $0 +# /^(friend@(?!my\.domain$).*)$/ 550 Stick this in your pipe $1 # # # A multi-line entry. The text is sent as one line. # # diff --git a/postfix/conf/sample-smtpd.cf b/postfix/conf/sample-smtpd.cf index 1df910b35..8f93a3631 100644 --- a/postfix/conf/sample-smtpd.cf +++ b/postfix/conf/sample-smtpd.cf 
@@ -123,7 +123,7 @@ smtpd_client_connection_count_limit = 50 # connection attempts any client is allowed to make to this service # per time unit. # -# The time unit is specified with the connection_rate_time_unit +# The time unit is specified with the client_connection_rate_time_unit # configuration parameter, and defaults to one minute. # # By default, every client can make as many connections as Postfix diff --git a/postfix/html/anvil.8.html b/postfix/html/anvil.8.html index b0c9fd4f4..ae3bd58e8 100644 --- a/postfix/html/anvil.8.html +++ b/postfix/html/anvil.8.html 
@@ -66,29 +66,34 @@ ANVIL(8) ANVIL(8) DIAGNOSTICS Problems and transactions are logged to syslogd(8). - Upon process exit, the server logs the maximal count and - rate values measured, together with (service, client) and - time associated with those events. + Upon exit, and every client_connection_status_update_time + seconds, the server logs the maximal count and rate values + measured, together with (service, client) information and + the time of day associated with those events. BUGS - Systems behind network address translating routers or + Systems behind network address translating routers or proxies appear to have the same client address and can run into connection count and/or rate limits falsely. In this preliminary implementation, a count (or rate) lim- - ited server can have only one remote client at a time. If - a server reports multiple simultaneous clients, all but + ited server can have only one remote client at a time. If + a server reports multiple simultaneous clients, all but the last reported client are ignored. CONFIGURATION PARAMETERS - The following main.cf parameters are especially relevant - to this program. Use the postfix reload command after a + The following main.cf parameters are especially relevant + to this program. Use the postfix reload command after a configuration change. - connection_rate_time_unit - The unit of time over which connection rates are + client_connection_rate_time_unit + The unit of time over which connection rates are calculated. + client_connection_status_update_time + Time interval for logging the maximal connection + count and connection rate information. + SEE ALSO smtpd(8) Postfix SMTP server diff --git a/postfix/html/pcre_table.5.html b/postfix/html/pcre_table.5.html index 6e82d1179..32155442a 100644 --- a/postfix/html/pcre_table.5.html +++ b/postfix/html/pcre_table.5.html @@ -1,4 +1,4 @@ -
+  
 PCRE_TABLE(5)                                       PCRE_TABLE(5)
 
 NAME
@@ -153,7 +153,7 @@ PCRE_TABLE(5)                                       PCRE_TABLE(5)
 
        # Bounce friend@whatever, except when whatever is our domain (you would
        # be better just bouncing all friend@ mail - this is just an example).
-       /^friend@(?!my\.domain)/        550 Stick this in your pipe $0
+       /^(friend@(?!my\.domain$).*)$/  550 Stick this in your pipe $1
 
        # A multi-line entry. The text is sent as one line.
        #
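Review bot: the replacement example line swaps `$0` for `$1` and wraps the whole pattern in a capture group, but the comment above it still describes only the bounce policy. Add a short comment saying that the outer parentheses exist to supply `$1`, and that the `$` inside the lookahead limits the exception to exactly my.domain rather than any domain that merely begins with it, so readers do not copy the old form back in.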
diff --git a/postfix/man/man5/pcre_table.5 b/postfix/man/man5/pcre_table.5
index ce1233c03..2b05c2fe4 100644
--- a/postfix/man/man5/pcre_table.5
+++ b/postfix/man/man5/pcre_table.5
@@ -142,7 +142,7 @@ available for negated patterns.
 
 # Bounce friend@whatever, except when whatever is our domain (you would
 # be better just bouncing all friend@ mail - this is just an example).
-/^friend@(?!my\\.domain)/        550 Stick this in your pipe $0
+/^(friend@(?!my\\.domain$).*)$/  550 Stick this in your pipe $1
 
 # A multi-line entry. The text is sent as one line.
 #
diff --git a/postfix/man/man8/anvil.8 b/postfix/man/man8/anvil.8
index 5c9a5e9f6..c9ef53cd1 100644
--- a/postfix/man/man8/anvil.8
+++ b/postfix/man/man8/anvil.8
@@ -86,8 +86,9 @@ is kept.
 .fi
 Problems and transactions are logged to \fBsyslogd\fR(8).
 
-Upon process exit, the server logs the maximal count and rate
-values measured, together with (service, client) and time
+Upon exit, and every \fBclient_connection_status_update_time\fR
+seconds, the server logs the maximal count and rate values measured,
+together with (service, client) information and the time of day
 associated with those events.
 .SH BUGS
 .ad
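Review bot: the new DIAGNOSTICS text says the values are logged upon exit and at every interval, but not that they are reset after each report (`max_rate = 0` and `max_count = 0` in anvil_status_dump), so the figures logged at exit cover only the time since the last periodic report rather than the life of the process. Suggest "logs and resets". The word "seconds" after the parameter name also reads oddly for a time parameter whose default is written as "600s".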
@@ -108,8 +109,11 @@ are ignored.
 The following \fBmain.cf\fR parameters are especially relevant to
 this program. Use the \fBpostfix reload\fR command after
 a configuration change.
-.IP \fBconnection_rate_time_unit\fR
+.IP \fBclient_connection_rate_time_unit\fR
 The unit of time over which connection rates are calculated.
+.IP \fBclient_connection_status_update_time\fR
+Time interval for logging the maximal connection count
+and connection rate information.
 .SH SEE ALSO
 .na
 .nf
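Review bot: the client_connection_status_update_time entry gives no default, although mail_params.h in this patch sets DEF_ANVIL_STAT_TIME to "600s" and RELEASE_NOTES mentions 10 minutes. State the default here, and likewise "60s" for client_connection_rate_time_unit, so the man page can be read on its own.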
diff --git a/postfix/proto/pcre_table b/postfix/proto/pcre_table
index 5c5fa8f6e..0ace904da 100644
--- a/postfix/proto/pcre_table
+++ b/postfix/proto/pcre_table
@@ -128,7 +128,7 @@
 #
 #	# Bounce friend@whatever, except when whatever is our domain (you would
 #	# be better just bouncing all friend@ mail - this is just an example).
-#	/^friend@(?!my\\.domain)/	 550 Stick this in your pipe $0
+#	/^(friend@(?!my\\.domain$).*)$/	 550 Stick this in your pipe $1
 #
 #	# A multi-line entry. The text is sent as one line.
 #	#
diff --git a/postfix/src/anvil/anvil.c b/postfix/src/anvil/anvil.c
index 31e6c4a73..0502d3886 100644
--- a/postfix/src/anvil/anvil.c
+++ b/postfix/src/anvil/anvil.c
@@ -74,8 +74,9 @@
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8).
 /*
-/*	Upon process exit, the server logs the maximal count and rate
-/*	values measured, together with (service, client) and time
+/*	Upon exit, and every \fBclient_connection_status_update_time\fR
+/*	seconds, the server logs the maximal count and rate values measured,
+/*	together with (service, client) information and the time of day
 /*	associated with those events.
 /* BUGS
 /*	Systems behind network address translating routers or proxies
@@ -92,8 +93,11 @@
 /*	The following \fBmain.cf\fR parameters are especially relevant to
 /*	this program. Use the \fBpostfix reload\fR command after
 /*	a configuration change.
-/* .IP \fBconnection_rate_time_unit\fR
+/* .IP \fBclient_connection_rate_time_unit\fR
 /*	The unit of time over which connection rates are calculated.
+/* .IP \fBclient_connection_status_update_time\fR
+/*	Time interval for logging the maximal connection count
+/*	and connection rate information.
 /* SEE ALSO
 /*	smtpd(8) Postfix SMTP server
 /* LICENSE
@@ -136,6 +140,7 @@
 /* Application-specific. */
 
 int     var_anvil_time_unit;
+int     var_anvil_stat_time;
 
  /*
   * State.
@@ -144,8 +149,8 @@ static HTABLE *anvil_remote_map;	/* indexed by service+ remote client */
 static BINHASH *anvil_local_map;	/* indexed by local client handle */
 
  /*
-  * Absent a real-time query interface, these are logged at process exit
-  * time.
+  * Absent a real-time query interface, these are logged at process exit time
+  * and at regular intervals.
   */
 static int max_count;
 static char *max_count_user;
@@ -537,6 +542,12 @@ static void anvil_service(VSTREAM *client_stream, char *unused_service, char **a
 
 static void post_jail_init(char *unused_name, char **unused_argv)
 {
+    static void anvil_status_update(int, char *);
+
+    /*
+     * Dump and reset extreme usage every so often.
+     */
+    event_request_timer(anvil_status_update, (char *) 0, var_anvil_stat_time);
 
     /*
      * Initial client state tables.
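Review bot: the forward declaration `static void anvil_status_update(int, char *);` sits at block scope inside post_jail_init(), and ISO C does not permit a storage-class specifier other than extern on a block-scope function declaration, so stricter compilers will warn about it or reject it. Move the prototype to file scope above post_jail_init().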
@@ -550,17 +561,29 @@ static void post_jail_init(char *unused_name, char **unused_argv)
     var_use_limit = 0;
 }
 
-/* anvil_status_dump - log the extremes before terminating */
+/* anvil_status_dump - log and reset extreme usage */
 
 static void anvil_status_dump(char *unused_name, char **unused_argv)
 {
-    if (max_rate > 0)
-	msg_info("statistics: maximal rate %d/%ds for (%s) at %.15s",
+    if (max_rate > 1) {
+	msg_info("statistics: max connection rate %d/%ds for (%s) at %.15s",
 		 max_rate, var_anvil_time_unit,
 		 max_rate_user, ctime(&max_rate_time) + 4);
-    if (max_count > 0)
-	msg_info("statistics: maximal count %d for (%s) at %.15s",
+	max_rate = 0;
+    }
+    if (max_count > 1) {
+	msg_info("statistics: max connection count %d for (%s) at %.15s",
 		 max_count, max_count_user, ctime(&max_count_time) + 4);
+	max_count = 0;
+    }
+}
+
+/* anvil_status_update - log and reset extreme usage periodically */
+
+static void anvil_status_update(int unused_event, char *context)
+{
+    anvil_status_dump((char *) 0, (char **) 0);
+    event_request_timer(anvil_status_update, context, var_anvil_stat_time);
 }
 
 /* main - pass control to the multi-threaded skeleton */
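Review bot: the thresholds in anvil_status_dump() change from `> 0` to `> 1`, so a peak count or rate of exactly 1 is no longer logged, and neither the function comment nor the documentation hunks mention it. If the intent is to suppress noise from quiet intervals, say so in the comment. The message text also changes from "maximal rate" and "maximal count" to "max connection rate" and "max connection count", which breaks any log scanner keyed to the old wording and deserves a line in HISTORY.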
@@ -569,6 +592,7 @@ int     main(int argc, char **argv)
 {
     static CONFIG_TIME_TABLE time_table[] = {
 	VAR_ANVIL_TIME_UNIT, DEF_ANVIL_TIME_UNIT, &var_anvil_time_unit, 1, 0,
+	VAR_ANVIL_STAT_TIME, DEF_ANVIL_STAT_TIME, &var_anvil_stat_time, 1, 0,
 	0,
     };
 
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 709eb1cfc..b41f969c7 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1917,17 +1917,21 @@ extern int var_smtpd_cconn_limit;
 #define DEF_SMTPD_HOGGERS		"$" VAR_MYNETWORKS
 extern char *var_smtpd_hoggers;
 
-#define VAR_ANVIL_TIME_UNIT		"connection_rate_time_unit"
+#define VAR_ANVIL_TIME_UNIT		"client_connection_rate_time_unit"
 #define DEF_ANVIL_TIME_UNIT		"60s"
 extern int var_anvil_time_unit;
 
+#define VAR_ANVIL_STAT_TIME		"client_connection_status_update_time"
+#define DEF_ANVIL_STAT_TIME		"600s"
+extern int var_anvil_stat_time;
+
  /*
   * Temporary stop gap.
   */
 #if 0
 #include 
 
-#define VAR_ANVIL_SERVICE		"connection_rate_service"
+#define VAR_ANVIL_SERVICE		"client_connection_rate_service"
 #define DEF_ANVIL_SERVICE		"local:" ANVIL_CLASS "/" ANVIL_SERVICE
 extern char *var_anvil_service;
 #endif
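Review bot: VAR_ANVIL_TIME_UNIT is renamed from "connection_rate_time_unit" to "client_connection_rate_time_unit" with no alias for the old name, so a main.cf that already sets the old parameter no longer reaches var_anvil_time_unit and the rate window falls back to the "60s" default. The RELEASE_NOTES hunk only substitutes the new name; add a sentence there calling out the rename for anyone running the earlier snapshot.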
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 6bb48c376..6b0b71f10 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change the patchlevel and the release date. Snapshots change the
   * release date only, unless they include the same bugfix as a patch release.
   */
-#define MAIL_RELEASE_DATE	"20031111"
+#define MAIL_RELEASE_DATE	"20031113"
 
 #define VAR_MAIL_VERSION	"mail_version"
 #define DEF_MAIL_VERSION	"2.0.16-" MAIL_RELEASE_DATE
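Review bot: in the postfix/HISTORY hunk at the top of this patch, connection_rate_purge_delay is dropped from the parameter list, yet no hunk here removes or renames such a parameter in the source or documentation; confirm the earlier entry was simply wrong, or include the corresponding change. The new 20031112 entry also lacks the "Files:" list that the neighbouring entries carry, and nothing in HISTORY records the pcre_table example fix made elsewhere in the patch.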