On 4/3/2012 10:27 AM, Wietse Venema wrote:
> Stan Hoeppner:
>> Setting smtpd_client_connection_count_limit also sets
>> postscreen_client_connection_count_limit if you're using postfix 2.8 and
>> postscreen. Thus the limit is enforced before connections are handed to
>> smtpd processes, so you don't needlessly eat up additional smtpds.
> Note that postscreen either blocks a client or hands it off to a
> Postfix SMTP server process. The connection count limit in postscreen
> applies only to the SMTP clients that are (not yet) handed off to
> an SMTP server process. Once the hand-off is done, postscreen does
> not know when an SMTP session ends, so the session no longer counts
> towards the postscreen connection count limit. The code was tricky
> enough that I did not want to introduce a postscreen-to-anvil
Ahh, thanks for the clarification Wietse. The
smtpd_client_connection_count_limit is still enforced against post hand
off client connections though, correct?
> The postscreen connection count limit is still effective for "hit
> and run" spambots that make a burst of connections at approximately
> the same time. Such clients will exceed the connection limit while
> waiting for the pregreet timer to expire, or for DNS[BW]L lookups
> to complete.
So the postscreen connection limit is good for slowing bots, no surprise
since bots are the postscreen target, but the smtpd connection limit is
still appropriate/needed for slowing legit bulk mailer clients, assuming
one chooses to use it vs the other anvil based restrictions.
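
Added example, not part of the original message and not Postfix code: a toy Python model of the two counters discussed in this thread. It assumes, as the reply above does, that the smtpd limit still applies after hand-off; the function names, event format, limit of 3 and sample addresses are constructed for illustration.

```python
from collections import Counter

def simulate(events, postscreen_limit, smtpd_limit):
    """Replay (client, action) events through a toy two-stage counter model.

    Actions: "connect" (arrives at postscreen), "handoff" (passes the tests
    and moves to smtpd), "close" (the smtpd session ends).
    Returns a list of (client, stage) for every refused connection.
    """
    in_postscreen = Counter()   # sessions postscreen is still testing
    in_smtpd = Counter()        # sessions counted on the smtpd side (anvil's role)
    refused = []
    for client, action in events:
        if action == "connect":
            if in_postscreen[client] >= postscreen_limit:
                refused.append((client, "postscreen"))
            else:
                in_postscreen[client] += 1
        elif action == "handoff" and in_postscreen[client] > 0:
            # After hand-off, postscreen no longer counts the session.
            in_postscreen[client] -= 1
            if in_smtpd[client] >= smtpd_limit:
                refused.append((client, "smtpd"))
            else:
                in_smtpd[client] += 1
        elif action == "close" and in_smtpd[client] > 0:
            in_smtpd[client] -= 1
    return refused

# Constructed sample traffic (documentation-range addresses).
BOT, BULK = "192.0.2.10", "198.51.100.7"
# Bot: five connections at once, all still waiting on pregreet/DNSBL tests.
burst = [(BOT, "connect")] * 5
# Bulk mailer: each connection is handed off before the next one arrives,
# and the smtpd sessions stay open in parallel.
bulk = [(BULK, "connect"), (BULK, "handoff")] * 5

def demo(limit=3):
    return simulate(burst + bulk, postscreen_limit=limit, smtpd_limit=limit)

if __name__ == "__main__":
    for client, stage in demo():
        print(f"{client} refused by {stage}")
```

In this model the burst client is stopped at postscreen, while the bulk sender never holds more than one session in postscreen and is only limited on the smtpd side.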