AW: [Mimedefang] Configuring when MD runs
Martin Bene
martin.bene at icomedias.com
Tue Nov 26 03:45:00 EST 2002
Hi Justin,
> So is what you're saying that when the sendmail processed spawned, a
> corresponding milter was also spawned because Sendmail needed
> to make sure the milter was listening?
Correct.
> And that the MD process is a lightweight invocation that doesn't
> consume many resources?
Equally correct. The MD process is just the .c "glue" that interfaces with
sendmail milter on one side and the multiplexor on the other side.
> And that Sendmail isn't
> actually passing data to the milter for scoring?
If sendmail blocks the mail because of netblock / access DB, it'll return an
error code after the "mail to:" command, before actually receiving any data
from the remote, so there isn't any data to pass to mimedefang anyway :-)
> domain AND netblock in my Sendmail ACL. Sendmail should have already
> known to block it so it wouldn't have consulted the milter
> needlessly. Is that correct?
If you've enabled sender or relay checking in mimedefang, it might call these
routines in the filter; I don't know if it skips these if the sendmail ACLs
already block a message.
> > To avoid this mess I recently put iptables with iplimit
> > module from iptables patch-o-matic on the (linux 2.4.18)
> > box. this allows me to define a limit: max 10 concurrent
> > smtp connections from any single client.
> > Result: just the conections from idiot servers get
> > blocked, sendmail stays reachable for
> > regular users. Also, server load is kept in a much more
> > sensible range.
> Interesting. So the sending host gets a dest port
> unreachable and tries again or are you silently dropping
> the packets so the sending host times
> out and tries again later?
You can do either, depending on your personal preferences. Currently I'm
rejecting the connections; looks like the remote servers wait a bit by
themselves before retrying.
> If you'd like to send it my way, I just might give it a
> whirl. BTW, do you have a URL for a corresponding website
> or is iplimt in the
> main netfilter distribution?
It's not in the kernel.org kernels yet, but it is in the current netfilter
code from netfilter.org. You'll need to download the patch-o-matic file from
ftp://ftp.netfilter.org/pub/patch-o-matic/ and run ./runme base.
I've attached the patch to fix the "2nd try with same source port gets
through" problem.
Bye, Martin
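As an added illustration (not part of Martin's mail or the attached patch), here is what the per-client SMTP connection limit described above looks like as iptables rules, with the "reject" and "silently drop" variants Justin asked about. It assumes the iplimit match syntax from patch-o-matic of that era (--iplimit-above, --iplimit-mask); on current kernels the equivalent is the connlimit match.

```shell
#!/bin/sh
# Limit concurrent SMTP connections per source address using the iplimit match.
# Usage: smtp_conn_limit <reject|drop> <max_connections>
# Set DRY_RUN=1 to print the rules instead of applying them (no root needed).
smtp_conn_limit() {
    mode="$1"
    limit="${2:-10}"
    case "$mode" in
        # Reject: remote sees an immediate RST and usually retries after a while.
        reject) target="REJECT --reject-with tcp-reset" ;;
        # Drop: remote sees nothing and has to wait for its own TCP timeout.
        drop)   target="DROP" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Only new connection attempts (--syn) are tested; iplimit counts the
    # connections already tracked from the same /32 source address.
    rule="iptables -A INPUT -p tcp --syn --dport 25 -m iplimit --iplimit-above $limit --iplimit-mask 32 -j $target"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$rule"
    else
        $rule
    fi
}
```

Rules above the limit are what the "idiot servers" in the thread hit; clients holding fewer than the limit still reach sendmail normally.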