Archive for September, 2007
Stop spam attacks with Postfix in a high-volume environment
Lately I’ve been doing some tweaking of the incoming mail servers at a customer site. They have about 500.000 active mailboxes and have been flooded with spambots over the last weeks. It probably has something to do with the Storm worm. Such an attack puts a heavy strain on the infrastructure, and some measures were needed to make sure the whole thing didn’t fall apart.
On my own mail server I simply use postgrey to greylist unknown sources, but in such an environment any delay in mail delivery is unacceptable. Besides, I doubt postgrey scales well to such a high-volume environment.
These are the measures I took to slow down spambots and to make sure the mail servers can still accept mail from legitimate senders, even while under a spam attack.
Use rate limiting on your inbound connections.
Allow only 10 connections per minute from the same client, with a maximum of 10 simultaneous open connections.
This slows down spammers that are not blacklisted in any of the RBLs you have configured and are running a dictionary attack, trying to guess valid email addresses in order to spam them.
You will have to enable the anvil service in your master.cf and add the following settings to your main.cf:
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
There may be some parties you receive a lot of mail from that you don’t want throttled. For example, this particular customer uses the nlwhitelist to make sure Dutch ISPs are never throttled.
smtpd_client_event_limit_exceptions = hash:/etc/postfix/whitelist, $mynetworks
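To show the two files side by side, here is an added example (not from the original post) of the master.cf entry and the main.cf settings discussed above. The anvil line is the entry a stock Postfix install ships with; the whitelist path is taken from the post, and the file behind it is a hash: table you build with postmap.

```text
# master.cf: the anvil service that keeps the per-client counters
# (this is the entry a stock Postfix install ships with)
# service type  private unpriv  chroot  wakeup  maxproc command + args
anvil     unix  -       -       n       -       1       anvil

# main.cf: count client events per 60 seconds,
# at most 10 connections per minute and 10 concurrent connections per client
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10

# clients that are never throttled: a hash table plus your own networks
smtpd_client_event_limit_exceptions = hash:/etc/postfix/whitelist, $mynetworks

# drop idle sessions after 30 seconds instead of the default 300
smtpd_timeout = 30s
```

After editing the whitelist file, run postmap /etc/postfix/whitelist so the .db file exists, then postfix reload to pick up the new settings.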
Increase available resources
Disconnect inactive SMTP sessions after 30 seconds (instead of the default of 300 seconds). Some spambots open a lot of connections and just sit there, taking up all your resources; legitimate connections will then be refused once the maximum number of connections is reached.
(You can also consider increasing the maximum number of connections Postfix will accept.)
smtpd_timeout = 30s
This should result in better availability of your SMTP service and stop at least some spambots before they even reach your RBL checks or your spam filter.
You’ll soon notice lines like this in your Postfix logs:
Sep 5 13:14:45 **** postfix/smtpd[27510]: [ID 947731 mail.warning] warning: Connection rate limit exceeded: 217 from *.sdsl.bell.ca[69.159.*.*] for service smtp
217 blocked connections in one minute from just one IP. Not bad!
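Once anvil is in place, the warnings above are the easiest way to see which clients are hitting the limits. The following script is an added example, not code from the original post: it parses the two anvil warnings smtpd emits ("Connection rate limit exceeded" and "Connection concurrency limit exceeded") and aggregates them per client address. The log lines are constructed for this example with documentation hostnames and addresses; the Solaris-style "[ID ... mail.warning]" tag from the quoted line is tolerated because the regex searches for the warning text rather than anchoring at the start of the line.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the one quoted in the post
# (hostnames, addresses and timestamps are made up for this example).
SAMPLE_LOG = """\
Sep 5 13:14:45 mx1 postfix/smtpd[27510]: [ID 947731 mail.warning] warning: Connection rate limit exceeded: 217 from host-a.example.net[192.0.2.10] for service smtp
Sep 5 13:15:02 mx1 postfix/smtpd[27511]: warning: Connection concurrency limit exceeded: 11 from host-a.example.net[192.0.2.10] for service smtp
Sep 5 13:15:40 mx1 postfix/smtpd[27512]: warning: Connection rate limit exceeded: 42 from unknown[198.51.100.7] for service smtp
Sep 5 13:16:01 mx1 postfix/smtpd[27513]: connect from mail.example.org[203.0.113.5]
Sep 5 13:16:45 mx1 postfix/smtpd[27510]: warning: Connection rate limit exceeded: 305 from host-a.example.net[192.0.2.10] for service smtp
"""

# Matches both anvil warnings smtpd logs; the client part is "hostname[address]".
ANVIL_RE = re.compile(
    r"warning: Connection (?P<kind>rate|concurrency) limit exceeded: "
    r"(?P<count>\d+) from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\] "
    r"for service (?P<service>\S+)"
)


def parse_anvil_warnings(text):
    """Yield one dict per anvil limit warning found in the log text."""
    for line in text.splitlines():
        m = ANVIL_RE.search(line)
        if m:
            w = m.groupdict()
            w["count"] = int(w["count"])  # the number reported in the warning
            yield w


def summarize(text):
    """Aggregate warnings per client address: number of warnings and the
    largest reported count for each kind of limit."""
    summary = defaultdict(
        lambda: {"client": None, "events": 0, "rate_max": 0, "concurrency_max": 0}
    )
    for w in parse_anvil_warnings(text):
        entry = summary[w["ip"]]
        entry["client"] = w["client"]
        entry["events"] += 1
        key = w["kind"] + "_max"
        entry[key] = max(entry[key], w["count"])
    return dict(summary)


def top_offenders(text, limit=5):
    """Return (ip, client, rate_max) tuples, worst rate-limit offender first."""
    ranked = sorted(
        summarize(text).items(), key=lambda kv: kv[1]["rate_max"], reverse=True
    )
    return [(ip, e["client"], e["rate_max"]) for ip, e in ranked[:limit]]


if __name__ == "__main__":
    for ip, client, rate_max in top_offenders(SAMPLE_LOG):
        print(f"{client}[{ip}]: peak {rate_max} connections in one rate time unit")
```

Feed it the real log with something like summarize(open("/var/log/mail.log").read()) to get a per-client view; clients that show up here and are not supposed to be throttled are candidates for the exceptions table, everything else is evidence the limits are doing their job.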