[Mimedefang] Testing for port #/TLS in filter_relay

David F. Skoll dfs at roaringpenguin.com
Mon Mar 3 21:36:25 EST 2008


Philip Prindeville wrote:

> I have a fairly low default Client connection rate specified on my mail 
> server, because it also does other work (NFS, web service, CUPS 
> spooling, FTP server, etc).

> If I have to wait until I see the MAIL FROM, then that's a connection 
> that is held open potentially for as long as my read-timeout is 
> (currently 15 minutes), and someone could DoS attack me by sending me a 
> bunch of connections but never advancing the state on them.

Question: Is this a problem in practice?

Question 2: If you dropped your read timeout to 60 seconds, would you
ever lose legitimate mail?

> If, on the other hand, I drop the connection as soon as it arrives, then 
> the window by which they could deny other clients from delivering mail 
> is severely restricted to the RTTs of the attacker's connection times three 
> or four.  Clearly, that's better than 15 minutes.

The attacker merely has to DoS you from an IP address that's not on your
blacklist (or, going back to your original policy of rejecting machines
without reverse DNS, from a machine that does have a PTR record.)

Regards,

David.
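The two rejection points contrasted above (drop at connect time in filter_relay versus wait for MAIL FROM) sketched as a MIMEDefang filter fragment. This is an added illustration, not code from the thread or from MIMEDefang itself. It assumes the 2008-era callback signatures filter_relay($hostip, $hostname, $helo) and filter_sender($sender, $hostip, $hostname, $helo), the mimedefang.pl helpers relay_is_blacklisted() and md_syslog(), and that MIMEDefang passes "[a.b.c.d]" as $hostname when reverse DNS fails; the DNSBL zone name is a placeholder.

```perl
# Hypothetical MIMEDefang filter fragment (added example, not from the thread).
# Assumes: filter_relay($hostip, $hostname, $helo), filter_sender($sender,
# $hostip, $hostname, $helo), relay_is_blacklisted($ip, $zone), md_syslog().
use strict;
use warnings;

my $DNSBL_ZONE = 'dnsbl.example';   # assumption: substitute the zone you use

# Runs once per connection, before any SMTP dialogue. Rejecting here holds the
# slot only for a few RTTs. It does nothing against an attacker connecting from
# an address that is not listed, or that does have a PTR record, which is the
# caveat David raises above.
sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;

    # Assumption: "[a.b.c.d]" means the reverse lookup failed.
    if ($hostname =~ /^\[/) {
        md_syslog('info', "rejecting $hostip at connect: no reverse DNS");
        return ('REJECT', 'Client host has no reverse DNS');
    }
    if (relay_is_blacklisted($hostip, $DNSBL_ZONE)) {
        md_syslog('info', "rejecting $hostip at connect: listed in $DNSBL_ZONE");
        return ('REJECT', "Client host $hostip is listed in $DNSBL_ZONE");
    }
    return ('CONTINUE', 'ok');
}

# Runs at MAIL FROM. A client that connects but never sends MAIL FROM never
# reaches this hook; its slot stays occupied until the MTA's read timeout
# expires, which is the window Philip is worried about. Anything that depends
# on the envelope sender has to live here, not in filter_relay.
sub filter_sender {
    my ($sender, $hostip, $hostname, $helo) = @_;

    # Example sender-level policy: refuse envelope senders with no domain part.
    if ($sender !~ /\@/ && $sender !~ /^<?>?$/) {
        md_syslog('info', "rejecting sender $sender from $hostip: no domain");
        return ('REJECT', 'Sender address must be fully qualified');
    }
    return ('CONTINUE', 'ok');
}

1;
```

Whichever hook you put the check in, the connection-slot exposure is bounded by the MTA's timeout for an idle client, not by the filter, so a shorter read timeout is the knob that actually shrinks the window for connections that never progress.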
