[Mimedefang] MIMEDefang 2.15-BETA-3 is available
David F. Skoll
dfs at roaringpenguin.com
Thu Jun 13 11:29:22 EDT 2002
2.15-B3 is at
Remember the discussion about a DoS caused by complicated MIME messages?
This release includes two new flags for mimedefang-multiplexor (-R and -M)
which let you limit the resident-set size and total memory size of
slaves (RSS limits are not supported on some systems like Solaris.)
For example, my mimedefang.pl processes typically sit at around 15MB
virtual memory size. So I use a "-M 30000" to limit the size to 30,000kB
(30MB). If the slave exceeds that size, it is killed and the message
is tempfailed (so watch your logs!)
Also, there's a new filter_recipient function (similar to filter_sender
and filter_relay) and a corresponding mimedefang "-t" flag. filter_sender
is now passed three arguments (envelope sender, relay IP and relay name),
so you may need to adjust your filter.
Complete changelog relative to 2.15-B2 follows.

2002-06-13 David F. Skoll <dfs at roaringpenguin.com>

	* mimedefang-multiplexor: Added "-R" and "-M" options to
	limit memory usage of slaves. Strongly recommended to
	help mitigate DoS attacks.

	* mimedefang-multiplexor.c (limit_mem_usage): Added ability
	to limit memory usage of slaves to mitigate DoS attacks which
	use complicated MIME messages to consume lots of memory. All
	such messages will be tempfailed forever, so keep an eye on
	your logs. You'll see lines like this:

	    Slave 0 stderr: Out of memory!
	    Slave died prematurely -- check your filter rules

2002-06-11 David F. Skoll <dfs at roaringpenguin.com>

	* Added filter_recipient function; added ip and hostname arguments
	to filter_sender. Improved mechanism for communicating with
	filter_sender, filter_relay and filter_recipient functions.

	* INCOMPATIBILITY: filter_sender is now passed 3 arguments
	(sender, relay_ip, relay_hostname) instead of 1 (sender). You
	may have to adjust your filter rules.
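
The per-slave memory cap described for "-M" above, shown as an added example (not part of the original announcement and not code from mimedefang-multiplexor.c). It assumes the cap is applied in the forked child with setrlimit(RLIMIT_AS) on a Linux-like system; cap_total_memory_kb and run_capped_child are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Cap total memory, in kB like "-M 30000". Assumption: RLIMIT_AS is used. */
static int cap_total_memory_kb(unsigned long kb)
{
    struct rlimit lim;
    lim.rlim_cur = lim.rlim_max = (rlim_t)kb * 1024;
    return setrlimit(RLIMIT_AS, &lim);
}

/* Fork a stand-in slave capped at limit_kb that tries to grow by want_kb.
 * Returns 1 if it got the memory, 0 if refused, -1 on any other failure. */
int run_capped_child(unsigned long limit_kb, unsigned long want_kb)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        size_t n = (size_t)want_kb * 1024;
        volatile char *p;            /* volatile: keep the allocation real */
        if (cap_total_memory_kb(limit_kb) != 0)
            _exit(2);                /* could not install the limit */
        p = malloc(n);
        if (p == NULL)
            _exit(1);                /* the point where a slave runs out of memory */
        p[0] = 1;
        p[n - 1] = 1;
        _exit(0);
    }
    /* Parent side: only the child is limited; the parent just reaps it. */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    printf("8000 kB under a 30000 kB cap: %d\n", run_capped_child(30000, 8000));
    printf("60000 kB under a 30000 kB cap: %d\n", run_capped_child(30000, 60000));
    return 0;
}
```

Because the limit is set after fork(), it binds only the child, so a message that drives one slave past the cap costs that slave and not the parent process.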