[Mimedefang] Testing for port #/TLS in filter_relay
Philip Prindeville
philipp_subx at redfish-solutions.com
Mon Mar 3 21:04:40 EST 2008
David F. Skoll wrote:
> Philip Prindeville wrote:
>
>> By the time that MAIL FROM: is seen, fork()'s have happened, etc.
>
> ???
>
> The fork() happens right after the connection is accepted, even before
> filter_relay.
Okay, I'll try to explain this in a different way.
I have a fairly low default Client connection rate specified on my mail
server, because it also does other work (NFS, web service, CUPS
spooling, FTP server, etc).
If I have to wait until I see the MAIL FROM, then that's a connection
that is held open potentially for as long as my read-timeout is
(currently 15 minutes), and someone could DoS attack me by sending me a
bunch of connections but never advancing the state on them.
If, on the other hand, I drop the connection as soon as it arrives, then
the window by which they could deny other clients from delivering mail
is severely restricted to the RTTs of the attacker's connection times three
or four. Clearly, that's better than 15 minutes.
-Philip
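The slot-exhaustion argument in the post above, as an added illustration that is not code from this thread or from MIMEDefang: a small deterministic model of a server with a fixed connection cap, comparing an attacker whose idle connections are held for the 15-minute read timeout against one whose connections are dropped within a few RTTs. The cap, arrival schedules and the 100 ms RTT are constructed values, not taken from the post.

```python
import heapq
import math


def attacker_slots_held(attacker_interval_s, attacker_hold_s, max_connections):
    """Steady-state slots tied up by one attacker who opens a connection every
    attacker_interval_s seconds and leaves each idle for attacker_hold_s
    (Little's law, capped at the server's connection limit)."""
    return min(max_connections, math.ceil(attacker_hold_s / attacker_interval_s))


def simulate(max_connections, attacker_interval_s, attacker_hold_s,
             legit_interval_s, legit_hold_s, duration_s):
    """Deterministic replay: attacker and legitimate senders arrive on fixed
    schedules; an arrival is refused when every slot is busy.
    Returns (legit_accepted, legit_refused)."""
    arrivals = [(k * attacker_interval_s, "attacker")
                for k in range(int(duration_s / attacker_interval_s) + 1)
                if k * attacker_interval_s < duration_s]
    # legitimate senders start half an interval later so no two events tie
    arrivals += [(legit_interval_s / 2 + k * legit_interval_s, "legit")
                 for k in range(int(duration_s / legit_interval_s) + 1)
                 if legit_interval_s / 2 + k * legit_interval_s < duration_s]
    arrivals.sort()
    busy_until = []  # min-heap of release times, one entry per occupied slot
    accepted = refused = 0
    for now, kind in arrivals:
        while busy_until and busy_until[0] <= now:  # free finished slots
            heapq.heappop(busy_until)
        if len(busy_until) >= max_connections:
            if kind == "legit":
                refused += 1
            continue  # no slot: the connection is turned away
        hold = attacker_hold_s if kind == "attacker" else legit_hold_s
        heapq.heappush(busy_until, now + hold)
        if kind == "legit":
            accepted += 1
    return accepted, refused


if __name__ == "__main__":
    READ_TIMEOUT_S = 15 * 60   # the 15-minute read timeout from the post
    EARLY_DROP_S = 4 * 0.1     # about four RTTs at an assumed 100 ms RTT
    for name, hold in (("wait for MAIL FROM", READ_TIMEOUT_S),
                       ("drop in filter_relay", EARLY_DROP_S)):
        ok, no = simulate(10, 1.0, hold, 5.0, 2.0, 600.0)
        print(f"{name:22s}: {ok} legit accepted, {no} refused")
```

With ten slots and one attacker connection per second, the timeout-based policy fills every slot within ten seconds and refuses nearly all legitimate senders for the rest of the run, while the early-drop policy never holds more than one attacker slot at a time.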