From: Farkas Levente (no email)
Date: Tue Feb 01 2005 - 10:29:08 EST
Wietse Venema wrote:
> Cami:
>
>>Forrest Aldrich wrote:
>>
>>>A great example of where this is highly effective is the automated
>>>spamming bots... last night, one of my servers got slammed with over
>>>170 different connections (all bots, presumably). ALL connections were
>>>useless to them, and nothing got submitted (just a big syslog for me to
>>>look at). That other server is running Sendmail-8.13.
>>>
>>>There are schools of thought against this tactic, but I digress... the
>>>evidence that it works is clearly there.
>>>
>>>In either case, this could be accomplished in a "policy server", though
>>>I'd just assume have a main.cf variable to trigger. (and I'd write it if
>>>I were a programmer!).
>>
>>This is not possible in a policy server.
>
>
> Hang on.... it only takes a tiny fix in the reject_unauth_pipelining
> feature.
>
> With the configuration and patch below, Postfix stops clients that
> speak before the server has greeted them.
>
> % telnet localhost smtp
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> helo foo
> mail from:<>
> 503 <localhost[127.0.0.1]>: Client host rejected: Improper use of SMTP command pipelining
>
>
> Wietse
>
> /etc/postfix/main.cf:
>     smtpd_delay_reject = no
>     smtpd_client_restrictions = check_policy_service inet:127.0.0.1:9999
>
> inet:127.0.0.1:9999 policy script or equivalent:
>     sub smtpd_access_policy {
>         sleep(1);
>         return "reject_unauth_pipelining";
>     }
It'd be a nice feature as a configuration option like:
    reject_unauth_pipelining_time 1s
without calling an external policy service, and it may be very effective
against spam.
Yours.
-- Levente "Si vis pacem para bellum!"
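
The "policy script or equivalent" from the quoted message, written out as a stand-alone policy delegate that speaks the Postfix policy delegation protocol (name=value lines ended by an empty line, answered with an action= line). This is an added example, not code from the thread or from Postfix; it assumes the main.cf settings quoted above and, as that message says, the patched reject_unauth_pipelining, and the `dunno` fallback and the threaded server are choices made here.

```python
#!/usr/bin/env python3
"""Postfix policy delegate: pause, then hand back reject_unauth_pipelining."""
import socketserver
import time

DELAY_SECONDS = 1                      # same pause as sleep(1) in the quoted script
ACTION = "reject_unauth_pipelining"    # restriction name returned to smtpd


def parse_request(lines):
    """Turn the 'name=value' lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:                        # skip malformed lines that have no '='
            attrs[name] = value
    return attrs


def decide(attrs, delay=DELAY_SECONDS, sleep=time.sleep):
    """Build the reply for one request; 'sleep' is injectable for testing."""
    if attrs.get("request") != "smtpd_access_policy":
        return "action=dunno\n\n"      # assumption: stay neutral on other request types
    sleep(delay)                       # gives a pre-greeting talker time to send input
    return f"action={ACTION}\n\n"      # smtpd then evaluates the restriction itself


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        for raw in self.rfile:         # smtpd may send several requests per connection
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            # An empty line terminates one request: answer it and start over.
            self.wfile.write(decide(parse_request(lines)).encode())
            self.wfile.flush()
            lines = []


class PolicyServer(socketserver.ThreadingTCPServer):
    # Threaded so that one sleeping request does not stall other smtpd processes.
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    # Address taken from the check_policy_service line in the quoted main.cf.
    with PolicyServer(("127.0.0.1", 9999), PolicyHandler) as srv:
        srv.serve_forever()
```

Every connecting client pays the one-second delay before the greeting, and each sleeping request holds one smtpd process and one delegate thread for that time.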