AW: [Mimedefang] Configuring when MD runs

Martin Bene martin.bene at icomedias.com
Tue Nov 26 03:45:00 EST 2002


Hi Justin,

> So is what you're saying that when the sendmail process spawned, a
> corresponding milter was also spawned because Sendmail needed 
> to make sure the milter was listening? 

Correct. 

> And that the MD process is a lightweight invocation that doesn't 
> consume many resources?  

Equally correct. The MD process is just the .c "glue" that interfaces with
the sendmail milter on one side and the multiplexor on the other side. 

> And that Sendmail isn't
> actually passing data to the milter for scoring?  

If sendmail blocks the mail because of netblock / access DB, it'll return an
error code after the "mail to:" command, before actually receiving any data
from the remote, so there isn't any data to pass to mimedefang anyway :-)

> domain AND netblock in my Sendmail ACL.  Sendmail should have already
> known to block it so it wouldn't have consulted the milter 
> needlessly.  Is that correct?

If you've enabled sender or relay checking in mimedefang, it might call these
routines in the filter; I don't know if it skips these if the sendmail ACLs
already block a message.

> > To avoid this mess I recently put iptables with iplimit 
> > module from iptables patch-o-matic on the (linux 2.4.18) 
> > box. This allows me to define a limit: max 10 concurrent 
> > smtp connections from any single client. 
> > Result: just the connections from idiot servers get 
> > blocked, sendmail stays reachable for
> > regular users. Also, server load is kept in a much more 
> > sensible range.

> Interesting.  So the sending host gets a dest port 
> unreachable and tries again or are you silently dropping 
> the packets so the sending host times
> out and tries again later?  

You can do either, depending on your personal preferences. Currently I'm
rejecting the connections; it looks like the remote servers wait a bit by
themselves before retrying.

> If you'd like to send it my way, I just might give it a 
> whirl.  BTW, do you have a URL for a corresponding website 
> or is iplimit in the
> main netfilter distribution?

It's not in the kernel.org kernels yet, but it is in the current netfilter
code from netfilter.org. You'll need to download the patch-o-matic file from
ftp://ftp.netfilter.org/pub/patch-o-matic/ and run ./runme base.

I've attached the patch to fix the "2nd try with same source port gets
through" problem.

Bye, Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iplimit.patch
Type: application/octet-stream
Size: 883 bytes
Desc: iplimit.patch
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20021126/a4cda2c1/attachment.obj>
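The per-client connection cap described in the thread, written out as a small script. This is an added example, not a script from the thread or from the MIMEDefang project; it assumes a 2.4-era kernel with the patch-o-matic iplimit match built in, iptables on the PATH, SMTP on TCP port 25, and the option names --iplimit-above (the threshold) as provided by that patch. The "reject" mode answers the excess connection with a TCP RST so the remote MTA backs off and retries later; the "drop" mode silently discards it so the remote times out instead. The LIMIT, MODE, APPLY and DRY_RUN variable names are this example's own choices.

```shell
#!/bin/sh
# Added example: cap concurrent SMTP connections per source address with the
# patch-o-matic iplimit match (assumption: kernel/iptables built with iplimit).
# Defaults only print the rule; set APPLY=1 (as root) to really install it.

LIMIT="${LIMIT:-10}"      # max concurrent connections from one source address
MODE="${MODE:-reject}"    # reject (send TCP RST) or drop (let the client time out)

# Emit the target clause for the chosen mode; unknown modes are an error.
target_for_mode() {
    case "$1" in
        reject) echo "-j REJECT --reject-with tcp-reset" ;;
        drop)   echo "-j DROP" ;;
        *)      echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Build the complete iptables command.
# --syn restricts the match to new connection attempts, so established
# sessions are never hit; iplimit counts the existing connections from the
# same source and matches once they exceed the limit.
build_rule() {
    limit="$1"
    mode="$2"
    tgt=$(target_for_mode "$mode") || return 1
    echo "iptables -A INPUT -p tcp --dport 25 --syn -m iplimit --iplimit-above $limit $tgt"
}

# Install the rule, or just print it when DRY_RUN=1.
apply_rule() {
    rule=$(build_rule "$LIMIT" "$MODE") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$rule"
    else
        eval "$rule"
    fi
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rule                     # needs root and the iplimit match
else
    build_rule "$LIMIT" "$MODE"    # default: show what would be installed
fi
```

Run it as `MODE=drop LIMIT=20 sh iplimit-smtp.sh` to see the rule, and prefix `APPLY=1` to install it. The rule only limits new connections per source; it does nothing about the overall number of sendmail children, which is still governed by sendmail's own MaxDaemonChildren setting.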