[Mimedefang] Update on RCPT Flood / IPTables & PopRelayd-KAM

Kevin A. McGrail kmcgrail at pccc.com
Fri Aug 13 18:46:27 EDT 2004


OK, so I've been rewriting a daemon I use for POP3-before-SMTP
(poprelayd-KAM) to include parsing the maillog for RCPT Throttle notices.
I'd originally planned to use this information to deny connections with MD,
but DFS convinced me to use iptables instead. I then studied DFS' script
that monitors the maillog and modifies iptables chains.  Unfortunately, I
needed to expire the entries every 10 minutes and his script wouldn't
achieve that easily for me.  So I then had to learn more than I ever wanted
to know about the Perl IPTables::IPv4 module.  Lots of thanks to DFS for his
original script, which gave me the idea of using iptables and showed me how
to set up a logging chain.

Anyway, this new version of the script handles the following:

  It runs as a daemon constantly processing the maillog rather than using
cron.

  It sets up the iptables rules for you (if you have other iptables entries,
you will want to look at sub setup_iptable).

  It maintains a database of the addresses.

  It maintains the iptables rules and is written to ensure duplicate entries
aren't put in (hence allowing expiration).

  If you kill and start poprelayd-KAM again, it will set up the existing
blocks again.

  It expires entries in the database and removes the associated iptables
rule using a configurable setting.

  It kills the sendmail process associated with the IP being blocked.  This
was VERY important because my original version worked too well: I was
blocking enough connections fast enough that I was leaving a bunch of
sendmail+MD processes in a kind of wait status because I'd abruptly blocked
their network packets.

  It does require IPTables::IPv4 and pkill in addition to DB::File.


Feedback & testing appreciated.
http://www.pccc.com/downloads/sendmail/current-8.12.X/untarred/contrib/poprelay-RCPT_Throttle/

Regards,
KAM
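An added example, not poprelayd-KAM's own Perl (which is at the URL in the post), showing the mechanics the feature list above describes: parse maillog lines for throttle notices, keep a database of blocked addresses, add each iptables rule exactly once, re-create the rules after a restart, expire them after a configurable period, and kill the sendmail child for the blocked peer. Everything specific is an assumption: the chain name RCPTBLOCK, the maillog line format that the regex matches (the post does not show the real notice), the pkill pattern on sendmail's process title, and the use of a plain dict where poprelayd-KAM uses DB_File. The iptables and pkill commands are passed to a caller-supplied function so the logic can be exercised offline without touching the firewall.

```python
import re
import time

# Added example; not code from poprelayd-KAM. The log line format below is
# CONSTRUCTED: the real RCPT Throttle notice is not shown in the post, so
# adjust this regex to whatever your sendmail actually logs.
RCPT_THROTTLE_RE = re.compile(
    r"sendmail\[\d+\]: .*RCPT Throttle.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

CHAIN = "RCPTBLOCK"      # assumed chain name for the blocks
DEFAULT_TTL = 10 * 60    # expire after 10 minutes, the interval the post mentions


class BlockList:
    """Track throttled client IPs and keep iptables rules in step with them."""

    def __init__(self, run, ttl=DEFAULT_TTL, db=None, now=time.time):
        self.run = run      # callable taking an argv list; must not raise on
                            # nonzero exit (subprocess.call is suitable)
        self.ttl = ttl
        self.db = {} if db is None else db   # ip -> epoch of last notice
        self.now = now

    def setup_iptables(self):
        """Create the chain and hook it in front of INPUT, idempotently: flush
        the chain, drop any old jump, insert one fresh jump. Rules for IPs
        still in the database are put back by restore()."""
        self.run(["iptables", "-N", CHAIN])            # fails harmlessly if it exists
        self.run(["iptables", "-F", CHAIN])
        self.run(["iptables", "-D", "INPUT", "-j", CHAIN])   # fails if no jump yet
        self.run(["iptables", "-I", "INPUT", "1", "-j", CHAIN])

    def restore(self):
        """After a restart, re-create a rule for every IP still in the database."""
        for ip in list(self.db):
            self._add_rule(ip)

    def _add_rule(self, ip):
        self.run(["iptables", "-A", CHAIN, "-s", ip, "-j", "DROP"])

    def _del_rule(self, ip):
        self.run(["iptables", "-D", CHAIN, "-s", ip, "-j", "DROP"])

    def _kill_sendmail(self, ip):
        # Assumption: the sendmail child's process title contains the peer as
        # "[a.b.c.d]", so pkill -f on that pattern hits only that connection.
        self.run(["pkill", "-f", "sendmail: .*\\[%s\\]" % re.escape(ip)])

    def feed(self, line):
        """Process one maillog line. Returns the IP if the line was a throttle
        notice, else None. The rule is added only on the first notice, so
        repeated notices never produce duplicate rules."""
        m = RCPT_THROTTLE_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip not in self.db:
            self._add_rule(ip)
            self._kill_sendmail(ip)
        self.db[ip] = self.now()   # refresh so a repeat offender stays blocked
        return ip

    def expire(self):
        """Remove entries older than ttl and their rules; returns the IPs removed."""
        cutoff = self.now() - self.ttl
        expired = [ip for ip, seen in self.db.items() if seen <= cutoff]
        for ip in expired:
            self._del_rule(ip)
            del self.db[ip]
        return expired


def follow(fh, idle=1.0):
    """Yield lines appended to an open file like tail -f, and None when idle
    so the caller can run expiry even when the log is quiet (no rotation
    handling)."""
    fh.seek(0, 2)
    while True:
        line = fh.readline()
        if line:
            yield line
        else:
            time.sleep(idle)
            yield None


if __name__ == "__main__":
    import subprocess
    bl = BlockList(subprocess.call)       # assumed log path below
    bl.setup_iptables()
    bl.restore()
    with open("/var/log/maillog") as fh:
        for line in follow(fh):
            if line is not None:
                bl.feed(line)
            bl.expire()
```

To get the "survives a restart" behaviour, pass a persistent mapping as db, for example a shelve.open() object, in place of the dict; feed(), restore() and expire() only use mapping operations, so nothing else changes. The order in setup_iptables matters on a box with other rules: flushing RCPTBLOCK only touches this chain, but inserting the jump at position 1 of INPUT puts it ahead of everything else, which is what you want for a drop rule but is worth checking against your existing policy.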



More information about the MIMEDefang mailing list