[Mimedefang] Re: DoS Question

Sven Willenberger sven at dmv.com
Mon Jan 3 00:08:09 EST 2005



Kevin A. McGrail wrote:
> Anyone else seeing massive sendmail connections seemingly for the sole 
> purpose of a denial of service?  This is less than one minute after a 
> sendmail restart and we've been seeing this issue since app 6AM today.
> 
> Regards,
> KAM
> 

Sendmail 8.13.x has new features (and there are patches for 8.12.x) that 
can throttle such connections. They are:

A) GreetPause - wherein the server delays the initial response x 
seconds. Any server that starts sending traffic before this response 
receives an error message (designed to stop those trojaned/virus 
mailservers that blast out spam)

B) RateControl - controls how many connections per minute for each 
unique ip address

C) ConnControl - controls how many simultaneous connections per given ip 
address

These are all controlled via access files and can be configured with 
defaults and with ip specific exceptions.

The relevant .mc file entries:
FEATURE(`greet_pause', `5000')  dnl 5 seconds
FEATURE(`ratecontrol', `nodelay', `terminate')
FEATURE(`conncontrol', `nodelay', `terminate')

example access lines:
GreetPause:127.0.0.1    0
ClientConn:127.0.0.1            0
ClientConn:             10
ClientRate:127.0.0.1            0
ClientRate:             15

This may help some in that sendmail won't have to start processing data 
over an smtp connection if the sending ip exceeds any of the limits you 
impose using the above.

hth

Sven
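
An added example (not part of the message above and not sendmail code): a small Python model that resolves which ClientRate/ClientConn limit applies to an IP from access lines like those quoted, then replays constructed connection times to show which attempts exceed the limit. The 60-second window, the prefix fallback order, counting rejected attempts, and treating 0 as "no limit" are assumptions of this sketch; the function names are hypothetical.

```python
from collections import defaultdict, deque

# Constructed access-map text mirroring the entries in the message above.
ACCESS = """\
GreetPause:127.0.0.1    0
ClientConn:127.0.0.1    0
ClientConn:             10
ClientRate:127.0.0.1    0
ClientRate:             15
"""

def parse_access(text):
    """Return {tag: {key: limit}}; the empty key is that tag's default."""
    table = defaultdict(dict)
    for line in text.splitlines():
        tag, sep, rest = line.split("#", 1)[0].partition(":")
        parts = rest.split()
        if not sep or not parts or not parts[-1].isdigit():
            continue
        key = parts[0] if len(parts) > 1 else ""   # bare "ClientRate: 15"
        table[tag.strip()][key] = int(parts[-1])
    return table

def limit_for(table, tag, ip):
    """Most specific entry wins: full IP, shorter prefixes, then default."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table[tag]:
            return table[tag][key]
    return table[tag].get("")  # None if the tag has no default entry

def replay_rate(table, events, window=60):
    """events: time-ordered (seconds, ip). Returns events over ClientRate."""
    seen, rejected = defaultdict(deque), []
    for ts, ip in events:
        limit = limit_for(table, "ClientRate", ip)
        q = seen[ip]
        while q and q[0] <= ts - window:   # drop attempts outside window
            q.popleft()
        q.append(ts)                        # rejected attempts still count
        if limit and len(q) > limit:        # 0 or None: treated as no limit
            rejected.append((ts, ip))
    return rejected

if __name__ == "__main__":
    # Constructed traffic: one host at 1 conn/s for 20 s, plus localhost.
    ev = sorted([(t, "192.0.2.10") for t in range(20)] + [(t, "127.0.0.1") for t in range(40)])
    print(replay_rate(parse_access(ACCESS), ev))
```

Replaying real connection timestamps from the mail log through the same function is a quick way to pick a default that stops the flood without cutting off legitimate high-volume peers, which can then get their own exception lines.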


