AW: [Mimedefang] Configuring when MD runs

listuser at neo.pittstate.edu
Mon Nov 25 23:29:01 EST 2002


On Sun, 24 Nov 2002, Martin Bene wrote:

> Hi Justin,
> 
> > I noticed this morning that direct4optin.com had 30 or so
> > connections open to one of my servers like they usually do.
> 
> Make sure you're using the multiplexor; you should still see one mimedefang
> process for each sendmail connection in the data phase, but that's just the
> (fairly lightweight) milter acceptor. Only when there actually is data to
> check should the more resource-hungry perl processes be used.

So is what you're saying that when the sendmail process spawned, a
corresponding milter was also spawned because Sendmail needed to make sure
the milter was listening?  And that the MD process is a lightweight
invocation that doesn't consume many resources?  And that Sendmail isn't
actually passing data to the milter for scoring?  Sorry for the odd
format.  I hated to make that one long run-on sentence. :)  I want to
clarify that last question again.  The mail in question is both blocked by
domain AND netblock in my Sendmail ACL.  Sendmail should have already
known to block it, so it wouldn't have consulted the milter needlessly.  Is
that correct?

> To avoid this mess I recently put iptables with the iplimit module from iptables
> patch-o-matic on the (linux 2.4.18) box. This allows me to define a limit:
> max 10 concurrent smtp connections from any single client. Result: just the
> connections from idiot servers get blocked, sendmail stays reachable for
> regular users. Also, server load is kept in a much more sensible range.

Interesting.  So the sending host gets a dest port unreachable and tries
again or are you silently dropping the packets so the sending host times
out and tries again later?  I'm running 2.4.19 with just about every
networking option enabled. I should look into this.

> If anyone else wants to try this: there's a bug in current iplimit netfilter
> code; I've sent a patch to the maintainers but it isn't in CVS yet, so either
> mail me or wait for a fix to turn up in the official release (limit doesn't
> work if consecutive tries are sent with the same source port).

If you'd like to send it my way, I just might give it a whirl.  BTW, do
you have a URL for a corresponding website, or is iplimit in the
main netfilter distribution?

Thanks
Justin
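Added example, not code from either poster: the per-source SMTP connection cap Martin describes, written against the mainline netfilter connlimit match (the successor of the patch-o-matic iplimit match he was using), plus a small awk check of which peers currently hold more connections than a candidate limit. The function names, the constructed netstat-style sample lines and the documentation-range addresses are all mine; the rule is only printed unless you run the script as root with APPLY=1. Both ways of handling excess connections that Justin asks about are shown: DROP lets the sender time out, REJECT answers with a TCP reset.

```shell
#!/bin/sh
# Added example, not code from the list post. Demonstrates a per-source
# SMTP connection limit with the mainline netfilter "connlimit" match,
# the successor of the patch-o-matic "iplimit" match discussed above.

# Build (but do not run) the iptables command that limits each source IP to
# $1 concurrent TCP/25 connections. $2 chooses what happens to the excess:
#   DROP   - packets are silently discarded, so the sender times out and retries
#   REJECT - a TCP RST is returned, so the sender fails immediately
smtp_connlimit_rule() {
    limit=$1
    action=$2
    case "$limit" in
        ''|*[!0-9]*) echo "limit must be a positive integer" >&2; return 1 ;;
    esac
    case "$action" in
        DROP)   target="-j DROP" ;;
        REJECT) target="-j REJECT --reject-with tcp-reset" ;;
        *)      echo "action must be DROP or REJECT" >&2; return 1 ;;
    esac
    # --syn: only new connection attempts are subject to the limit
    # --connlimit-mask 32: count per individual IPv4 address, not per subnet
    printf 'iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above %s --connlimit-mask 32 %s\n' \
        "$limit" "$target"
}

# Apply the rule only when explicitly asked for as root; otherwise print it.
apply_smtp_limit() {
    rule=$(smtp_connlimit_rule "$1" "$2") || return 1
    if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-0}" = 1 ]; then
        eval "$rule"
    else
        echo "dry run: $rule"
    fi
}

# Print peers holding more than $1 established connections to our port 25,
# reading netstat-style lines (proto recv send local foreign state) on stdin.
# Run this against real "netstat -nt" output before choosing a limit, so that
# legitimate MTAs with several parallel deliveries are not caught by it.
peers_over_limit() {
    awk -v limit="$1" '
        $1 == "tcp" && $4 ~ /:25$/ && $6 == "ESTABLISHED" {
            split($5, peer, ":")
            count[peer[1]]++
        }
        END {
            for (p in count)
                if (count[p] > limit)
                    print p, count[p]
        }'
}

# Constructed sample in "netstat -nt" format (documentation addresses only).
SAMPLE_CONNS='tcp 0 0 192.0.2.10:25 198.51.100.7:40123 ESTABLISHED
tcp 0 0 192.0.2.10:25 198.51.100.7:40124 ESTABLISHED
tcp 0 0 192.0.2.10:25 198.51.100.7:40125 ESTABLISHED
tcp 0 0 192.0.2.10:25 198.51.100.7:40126 ESTABLISHED
tcp 0 0 192.0.2.10:25 203.0.113.5:51000 ESTABLISHED
tcp 0 0 192.0.2.10:25 203.0.113.9:51001 TIME_WAIT'

# Usage: see who is over a candidate limit of 3, then show the 10-connection rule.
printf '%s\n' "$SAMPLE_CONNS" | peers_over_limit 3
apply_smtp_limit 10 REJECT
```

Counting only new SYNs against the limit means established sessions are never cut mid-transfer; the match compares the attempt against the number of existing conntrack entries for that source, which is why Martin's note about the same-source-port bug mattered for the old iplimit code.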
