MSA enhancement for access rules

Philip Prindeville philipp_subx at redfish-solutions.com
Tue Dec 20 02:09:54 UTC 2011


I do a lot of email submission from my laptop on the road to our corporate email server.

Problem was that rate-control was based on IP addresses, which didn't give me the control that I wanted.

For instance, having the same ClientRate and ClientConn for myself using the submission port (587) as someone else using the smtp port (25) just because we both happened to be on an AT&T wifi hotspot made no sense.

So after an hour or so of investigation, I came up with the following ruleset changes.  It rocks.

The default config for sendmail.mc contains either:

DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')dnl

or:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')

if you're running an internet accessible relay, but if you also uncomment (by removing the leading 'dnl') this line:

dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

you've also enabled the submission port.

This patch lets you search the access database for "ClientRate", "ClientConn", and "GreetPause" entries not just based on the IP address, but also on the name of the service ("MSA" versus "MTA" or "MTA-v4").

Hence if I add:

ClientConn:MSA			10
ClientRate:MSA			 0
GreetPause:MSA			 0

I've specified that for connections on the submission port (which are authenticated), I can have up to 10 simultaneous connections with no incoming connection rate limit and no initial greet-pause.

Which is a good thing, because my defaults are meant to be constraining:


ClientConn:                      1
ClientRate:                      2

and my sendmail.mc contains:

FEATURE(`greet_pause', `5000')dnl

which are very effective at throttling the Internet in general when someone tries to exploit our server as an open relay or even attempts a DoS attack on it.

(Note the last line could also have been done as: "GreetPause:    5" in my access file).

Now I can connect from wherever I like, and have the same defaults I get on the corporate network:

ClientConn:192.168.1		10
ClientRate:192.168.1		 0
GreetPause:192.168.1		 0

be applied on the road as well.

I hope you all find this patch useful. I've submitted it as a suggestion to the sendmail maintainers, but they tend to be conservative in accepting 'enhancements', so it might not be integrated.

-Philip
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: access-daemon_name.patch
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20111219/0953d29b/attachment.ksh>
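
An added example, not part of the original post or the attached patch: a Python model of the access-map lookup the post describes, using the post's own entries, plus a check that flags daemon-name entries for listeners that do not require authentication. Assumptions: the daemon name is tried before the IP prefixes, lookups are IPv4 only, the client addresses are constructed, and the `audit` helper is hypothetical.

```python
# Model of the lookup described in the post; not sendmail or patch code.
# Assumed order: daemon name, then IP prefixes, then the bare "Tag:" default.
ACCESS = {  # entries copied from the post's access file
    "ClientConn:MSA": 10, "ClientRate:MSA": 0, "GreetPause:MSA": 0,
    "ClientConn:192.168.1": 10, "ClientRate:192.168.1": 0,
    "GreetPause:192.168.1": 0,
    "ClientConn:": 1, "ClientRate:": 2,
}
MC_DEFAULTS = {"GreetPause": 5000}  # FEATURE(`greet_pause', `5000')
TAGS = ("ClientConn", "ClientRate", "GreetPause")


def candidate_keys(tag, daemon, ip):
    """Yield access-map keys from most to least specific (IPv4 only)."""
    yield f"{tag}:{daemon}"
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        yield f"{tag}:{'.'.join(octets[:n])}"
    yield f"{tag}:"


def resolve(tag, daemon, ip, access=ACCESS):
    """Return (matching key, value); fall back to the sendmail.mc default."""
    for key in candidate_keys(tag, daemon, ip):
        if key in access:
            return key, access[key]
    return None, MC_DEFAULTS.get(tag)


def effective_limits(daemon, ip, access=ACCESS):
    return {tag: resolve(tag, daemon, ip, access)[1] for tag in TAGS}


def audit(access=ACCESS, authenticated=("MSA",)):
    """List daemon-name entries for listeners that do not require AUTH.

    Such an entry applies to every client of that listener, whatever its IP.
    """
    flagged = []
    for key in access:
        tag, _, rhs = key.partition(":")
        is_name = rhs and not rhs.replace(".", "").isdigit()
        if tag in TAGS and is_name and rhs not in authenticated:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for daemon, ip in (("MSA", "203.0.113.7"), ("MTA", "203.0.113.7"),
                       ("MTA", "192.168.1.20")):  # constructed clients
        print(daemon, ip, effective_limits(daemon, ip))
    print(audit({**ACCESS, "ClientRate:MTA": 0}))
```

In this model a relaxed entry keyed on an unauthenticated listener such as MTA lifts the throttle for every client on port 25, which is what `audit` reports.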

