AW: [Mimedefang] Tuning for taking mail from qmail - practically denial of service

Martin Bene martin.bene at icomedias.com
Mon Apr 19 10:56:07 EDT 2004


> As some of you probably know, qmail sends a lot of mail at a 
> time and does not do connection caching, so it'll just hit 
> the box with 15 or so mails at
> a time if the mail is destined for that specific host.

> Does anyone have some good tuning tips?

Yes: I've run into similar problems with hosts that try to open
literally hundreds of concurrent connections. If you happen to be
running Linux, there's an iptables module that can be VERY helpful here:

CONFIG_IP_NF_MATCH_CONNLIMIT:
This match allows you to restrict the number of parallel TCP
connections to a server per client IP address (or address block).

This allows you to limit each server to, say, 5 concurrent connections,
so you only affect the servers trying many concurrent connections while
still allowing connections from other hosts.

Here's the command line used on my server for max 10 connections per
server:

iptables -N log_reject
iptables -A log_reject -m limit --limit 5/m -j LOG
iptables -A log_reject -j REJECT

iptables -A INPUT -p tcp --syn --dport smtp -m connlimit \
    --connlimit-above 10 -j log_reject

Bye, Martin
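The rule set Martin describes, written out as a re-runnable script, is given below as an added example; it is not code from the original post or from MIMEDefang. It adds two things a practitioner wants before turning this on: the `--connlimit-mask` option, so a sender farm spread over a /24 is counted as one client, and a small helper that counts current SMTP connections per client from `ss` output, so the cap is chosen from real numbers rather than guessed. The cap of 10, the /24 mask, the `smtp connlimit:` log prefix and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from MIMEDefang.
# Caps concurrent SMTP connections per client with the iptables connlimit
# match (the rule set from the post, with its dedicated log_reject chain)
# and shows which clients a given cap would hit. Assumptions: iptables with
# the connlimit and limit matches; the cap (10), mask (/24), log prefix and
# sample addresses below are illustrative, chosen for this example.
set -eu

# IPT is the binary to run; set IPT=echo to preview the rules without root.
IPT="${IPT:-iptables}"

# smtp_connlimit_rules MAX [MASK]
#   MAX   connections one client (or address block) may hold open at once
#   MASK  prefix length clients are grouped by: 32 = per IP, 24 = per /24
smtp_connlimit_rules() {
    max="$1"
    mask="${2:-32}"

    # Dedicated chain: a rate-limited LOG (5 per minute) then REJECT, so a
    # client opening hundreds of connections cannot also flood the log.
    # Creating the chain fails harmlessly if it already exists; flushing it
    # makes the script safe to re-run.
    $IPT -N log_reject 2>/dev/null || true
    $IPT -F log_reject
    $IPT -A log_reject -m limit --limit 5/m -j LOG --log-prefix "smtp connlimit: "
    $IPT -A log_reject -j REJECT

    # Only connection attempts (--syn) are examined. connlimit counts the
    # client's existing connections to port 25 and matches once that count
    # is above MAX, so the 11th parallel delivery from one host is refused
    # while every other host is untouched. -I (insert at top) rather than
    # -A so the rule is not shadowed by an earlier "ACCEPT --dport smtp".
    $IPT -I INPUT -p tcp --syn --dport smtp \
        -m connlimit --connlimit-above "$max" --connlimit-mask "$mask" \
        -j log_reject
}

# count_smtp_clients < SS_OUTPUT
#   Reads the output of  ss -Htn state established '( sport = :25 )'
#   (peer address:port is the last column) and prints "<count> <client>",
#   busiest first. Run it before choosing MAX: a legitimate relay that
#   routinely holds 8 connections open needs a cap above 8.
count_smtp_clients() {
    awk '{ peer = $NF; sub(/:[0-9]+$/, "", peer); n[peer]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Constructed sample of ss output: one client with three parallel
# deliveries (a qmail-style sender) and one client with a single connection.
SAMPLE_SS='0 0 192.0.2.10:25 198.51.100.7:41122
0 0 192.0.2.10:25 198.51.100.7:41123
0 0 192.0.2.10:25 203.0.113.5:50000
0 0 192.0.2.10:25 198.51.100.7:41124'

# busiest_client: the "<count> <client>" line for the top client in the sample
busiest_client() {
    printf '%s\n' "$SAMPLE_SS" | count_smtp_clients | head -n 1
}

# Usage:  sh smtp_connlimit.sh --apply 10             (per-IP cap of 10, as root)
#         IPT=echo sh smtp_connlimit.sh --apply 10 24 (preview the rules, per /24)
#         sh smtp_connlimit.sh                        (only show the sample counts)
if [ "${1:-}" = "--apply" ]; then
    smtp_connlimit_rules "${2:-10}" "${3:-32}"
else
    printf '%s\n' "$SAMPLE_SS" | count_smtp_clients
fi
```

Two things to keep in mind when deploying this. REJECT on the SYN means the sending MTA sees a refused connection for that one attempt and queues the message for a later retry, so nothing is lost, only spread out; the other nine connections from the same host keep running. And the mask matters: with the default per-IP count a sender that delivers from many addresses is never limited, while a mask that is too wide (say /16) will lump unrelated customers of one ISP together, so check the `count_smtp_clients` output against the mask you intend to use.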