[Mimedefang] Update on RCPT Flood / IPTables & PopRelayd-KAM
Kevin A. McGrail
kmcgrail at pccc.com
Fri Aug 13 18:46:27 EDT 2004
OK, so I've been rewriting a daemon I use for POP3 before SMTP
(poprelayd-KAM) to include parsing the maillog for RCPT Throttle notices.
I'd originally planned to use this information to deny connections with MD,
but DFS convinced me to use iptables instead. I then studied DFS' script
that monitors the maillog and modifies iptables chains. Unfortunately, I
needed to expire the entries every 10 minutes and his script wouldn't
achieve that easily for me. So I then had to learn more than I ever wanted
to know about the Perl IPTables::IPv4 module. Lots of thanks to DFS for his
original script, which gave me the idea of using iptables and how to set up a
logging chain.
Anyway, this new version of the script handles the following:

It runs as a daemon constantly processing the maillog rather than using
cron.

It sets up the iptables rules for you (if you have other iptables entries, you
will want to look at sub setup_iptable).

It maintains a database of the addresses.

It maintains the iptables rules and is written to ensure duplicate entries
aren't put in (hence allowing expiration).

If you kill and start poprelayd-KAM again, it will set up the existing
blocks again.

It expires entries in the database and removes the associated iptables rule
using a configurable setting.

It kills the sendmail process associated with the IP being blocked. This
was VERY important because my original version worked too well and I was
blocking enough connections fast enough that I was leaving a bunch of
sendmail+MD processes in kind of a wait status because I'd abruptly blocked
their network packets.

It does require IPTables::IPv4 and pkill in addition to DB::File.
Feedback & testing appreciated.
http://www.pccc.com/downloads/sendmail/current-8.12.X/untarred/contrib/poprelay-RCPT_Throttle/
Regards,
KAM
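The mechanics described in the post (watch the maillog for RCPT Throttle notices, keep a database of blocked addresses, add iptables rules without duplicates, expire them after a configurable window, re-apply them after a restart, and kill the stuck sendmail process) are modelled below as an added example. This is not KAM's poprelayd-KAM code, which is Perl and uses IPTables::IPv4 and DB::File; it is a Python sketch that emits the equivalent iptables and pkill command lines into a dry-run list instead of executing them. The RCPT Throttle log message text, the chain name RCPTFLOOD, the pkill pattern and the sample log lines are all assumptions constructed for the illustration, since the page does not show them.

```python
"""Added example, not the poprelayd-KAM script: a maillog-driven blocker
that keeps iptables rules idempotent and expires them after a window.
All log formats, chain names and command layouts below are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed RCPT Throttle notice format; the real wording is not on the page.
THROTTLE_RE = re.compile(r"RCPT Throttle.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

CHAIN = "RCPTFLOOD"    # assumed chain name
EXPIRE_SECONDS = 600   # expire blocks after 10 minutes, as in the post

# Constructed sample maillog excerpt (documentation IPs, made-up queue ids).
SAMPLE_LOG = """\
Aug 13 18:40:01 mx sendmail[1234]: i7DMe1xx001234: RCPT Throttle: too many recipients from [192.0.2.10]
Aug 13 18:40:05 mx sendmail[1240]: i7DMe5xx001240: from=<a@example.org>, size=1234
Aug 13 18:40:09 mx sendmail[1251]: i7DMe9xx001251: RCPT Throttle: too many recipients from [192.0.2.10]
Aug 13 18:41:00 mx sendmail[1260]: i7DMf0xx001260: RCPT Throttle: too many recipients from [198.51.100.7]
"""


@dataclass
class Blocker:
    """Tracks blocked IPs, emits iptables/pkill commands, expires old blocks."""
    expire_seconds: int = EXPIRE_SECONDS
    blocked: Dict[str, float] = field(default_factory=dict)  # ip -> time blocked (the "database")
    in_chain: Set[str] = field(default_factory=set)           # ips with a live rule in the chain
    commands: List[str] = field(default_factory=list)         # dry run: commands that would be run

    def run(self, cmd: str) -> None:
        # Dry-run executor; a real daemon would subprocess.run() this as root.
        self.commands.append(cmd)

    def setup_chain(self) -> None:
        """Create the chain, hook it into INPUT for SMTP, and re-apply any
        blocks loaded from the database (the restart case in the post)."""
        self.run(f"iptables -N {CHAIN}")
        self.run(f"iptables -I INPUT -p tcp --dport 25 -j {CHAIN}")
        for ip in list(self.blocked):
            self._add_rule(ip)

    def _add_rule(self, ip: str) -> bool:
        # Idempotent: the same -s rule is never appended twice, so expiry
        # can later delete exactly the rules that exist.
        if ip in self.in_chain:
            return False
        self.run(f"iptables -A {CHAIN} -s {ip} -j LOG --log-prefix 'RCPTFLOOD: '")
        self.run(f"iptables -A {CHAIN} -s {ip} -j DROP")
        self.in_chain.add(ip)
        return True

    def process_line(self, line: str, now: float) -> Optional[str]:
        """Return the IP if this line caused a new block, else None."""
        m = THROTTLE_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        self.blocked.setdefault(ip, now)  # keep the original block time
        if self._add_rule(ip):
            # Kill the sendmail process serving this client so it does not
            # sit waiting on packets we now drop. Assumed pkill pattern.
            self.run(f"pkill -f 'sendmail: .*\\[{ip}\\]'")
            return ip
        return None

    def process_log(self, text: str, now: float) -> List[str]:
        hits = (self.process_line(line, now) for line in text.splitlines())
        return [ip for ip in hits if ip]

    def expire(self, now: float) -> List[str]:
        """Remove rules and database entries older than expire_seconds."""
        gone = [ip for ip, t in self.blocked.items() if now - t > self.expire_seconds]
        for ip in gone:
            self.run(f"iptables -D {CHAIN} -s {ip} -j LOG --log-prefix 'RCPTFLOOD: '")
            self.run(f"iptables -D {CHAIN} -s {ip} -j DROP")
            self.in_chain.discard(ip)
            del self.blocked[ip]
        return gone


if __name__ == "__main__":
    b = Blocker()
    b.setup_chain()
    print("newly blocked:", b.process_log(SAMPLE_LOG, now=1000.0))
    print("expired at +601s:", b.expire(now=1601.0))
    print("\n".join(b.commands))
```

The daemon loop itself (tail the maillog, call process_line on each new line with the current time, call expire every so often, and persist the blocked dict to a DB file) is left out; the part worth checking is that the second notice from 192.0.2.10 adds no second rule, and that expiry deletes precisely the rules that were added.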