Connection rate limiting is ignoring check_recipient_access?

From: Geoff (no email)
Date: Sun Jul 02 2006 - 04:07:59 EDT

  • Next message: Ralf Hildebrandt: "Re: Connection rate limiting is ignoring check_recipient_access?"

    Sorry if this has been covered before - I couldn't find anything similar in the archives.

    I'm running 2.2.10 and have my rate limiting params as shown below (from postconf -n).

    The intention is to limit connections from spammers to not more than 1 per 5 minutes. Rate limiting works just fine with the exception of when the first connections are REJECTed by check_recipient_access. If you look at the extract from the maillog shown below you can see that the first 6 connections from this spammer were rejected by check_recipient_access but were ignored for connection rate counting purposes - it was only when one got as far as reject_unverified_sender that it registered as a 'hit' on the connection count. All further connections within the 5 minute period were then rejected as expected.

    Is this correct behaviour? This has effectively allowed this spammer 7 connections in 15s and effectively bypassed the rate limit. I thought one of the tenets of the rate limiting approach was to slow spammers down to a crawl so they get bored and go somewhere else! By ignoring the initial connections Postfix is still allowing the spammer access for "address-validation" purposes.

    Your thoughts please? Thanks.
    Geoff.

    --
    anvil_rate_time_unit = 300s
    smtpd_client_connection_count_limit = 5
    smtpd_client_connection_rate_limit = 1
    smtpd_client_event_limit_exceptions = $mynetworks .[a trusted domain].co.uk

    smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/reject_clients
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_end_of_data_restrictions =
    smtpd_etrn_restrictions = reject
    smtpd_helo_restrictions =
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/reject_recipients, check_sender_access hash:/etc/postfix/allow_senders, reject_unverified_sender
    smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/reject_senders,
    body_checks = regexp:/etc/postfix/reject_bodies
    header_checks = regexp:/etc/postfix/reject_headers

    Jun 28 22:03:23 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
    Jun 28 22:03:24 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <>: Recipient address rejected: Domain not known; from=<> to=<> proto=ESMTP helo=<Y0001.qoi3ilii.org>
    Jun 28 22:03:28 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <>: Recipient address rejected: Domain not known; from=<> to=<> proto=ESMTP helo=<Y0001.qoi3ilii.org>
    Jun 28 22:03:28 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <>: Recipient address rejected: Domain not known; from=<> to=<> proto=ESMTP helo=<Y0001.qoi3ilii.org>
    Jun 28 22:03:29 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <>: Recipient address rejected: Domain not known; from=<> to=<> proto=ESMTP helo=<Y0001.qoi3ilii.org>
    Jun 28 22:03:30 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <>: Recipient address rejected: Domain not known; from=<> to=<> proto=ESMTP helo=<Y0001.qoi3ilii.org>
    Jun 28 22:03:31 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 550 <>: Recipient address rejected: Domain not known; from=<> to=<> proto=ESMTP helo=<Y0001.qoi3ilii.org>
    Jun 28 22:03:36 shoebox postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[202.101.73.90]: 554 <>: Sender address rejected: undeliverable address: host mx4.earthlink.net[209.86.93.229] said: 550 unknown (in reply to RCPT TO command); from=<> to=<> proto=ESMTP helo=<Y0001.qoi3ilii.org>
    Jun 28 22:03:38 shoebox postfix/smtpd[18206]: lost connection after DATA from unknown[202.101.73.90]
    Jun 28 22:03:38 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
    Jun 28 22:03:41 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
    Jun 28 22:03:41 shoebox postfix/smtpd[18206]: warning: Connection rate limit exceeded: 2 from unknown[202.101.73.90] for service smtp
    Jun 28 22:03:41 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
    Jun 28 22:03:42 shoebox postfix/smtpd[18206]: connect from unknown[202.101.73.90]
    Jun 28 22:03:42 shoebox postfix/smtpd[18206]: warning: Connection rate limit exceeded: 3 from unknown[202.101.73.90] for service smtp
    Jun 28 22:03:42 shoebox postfix/smtpd[18206]: disconnect from unknown[202.101.73.90]
    etc.
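
Added example, not part of the original post: a Python tally over maillog lines in the format quoted above, separating connect events (the thing a connection rate limit counts) from RCPT rejects inside a session. The sample lines, addresses, function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the maillog format quoted above (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Jun 28 22:03:23 mx postfix/smtpd[18206]: connect from unknown[192.0.2.10]
Jun 28 22:03:24 mx postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <a@example.invalid>: Recipient address rejected: Domain not known; from=<x@example.invalid> to=<a@example.invalid> proto=ESMTP helo=<h.example.invalid>
Jun 28 22:03:25 mx postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <b@example.invalid>: Recipient address rejected: Domain not known; from=<x@example.invalid> to=<b@example.invalid> proto=ESMTP helo=<h.example.invalid>
Jun 28 22:03:26 mx postfix/smtpd[18206]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <c@example.invalid>: Recipient address rejected: Domain not known; from=<x@example.invalid> to=<c@example.invalid> proto=ESMTP helo=<h.example.invalid>
Jun 28 22:03:38 mx postfix/smtpd[18206]: disconnect from unknown[192.0.2.10]
Jun 28 22:03:41 mx postfix/smtpd[18206]: connect from unknown[192.0.2.10]
Jun 28 22:03:41 mx postfix/smtpd[18206]: warning: Connection rate limit exceeded: 2 from unknown[192.0.2.10] for service smtp
Jun 28 22:03:41 mx postfix/smtpd[18206]: disconnect from unknown[192.0.2.10]
Jun 28 22:04:02 mx postfix/smtpd[18211]: connect from unknown[192.0.2.20]
Jun 28 22:04:03 mx postfix/smtpd[18211]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 550 <d@example.invalid>: Recipient address rejected: Domain not known; from=<y@example.invalid> to=<d@example.invalid> proto=ESMTP helo=<k.example.invalid>
Jun 28 22:04:04 mx postfix/smtpd[18211]: disconnect from unknown[192.0.2.20]
"""

# Anchored right after the smtpd[pid] tag, so "disconnect from" never matches "connect from".
EVENT = re.compile(
    r"postfix/smtpd\[\d+\]: (?:"
    r"(?P<connect>connect from)"
    r"|NOQUEUE: (?P<reject>reject): RCPT from"
    r"|warning: (?P<limited>Connection rate limit exceeded): \d+ from"
    r") \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def tally(log_text):
    """Per client IP: connect events, rejected RCPTs, rate-limit warnings."""
    stats = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            kind = "connections" if m["connect"] else "rcpt_rejects" if m["reject"] else "rate_limited"
            stats.setdefault(m["ip"], Counter())[kind] += 1
    return stats


def rcpt_heavy_clients(log_text, max_rejects_per_conn=2):
    """Clients whose rejected RCPTs per served connection exceed the threshold (assumed value)."""
    flagged = {}
    for ip, c in tally(log_text).items():
        served = max(c["connections"] - c["rate_limited"], 1)  # limited connects are dropped at once
        if c["rcpt_rejects"] / served > max_rejects_per_conn:
            flagged[ip] = c["rcpt_rejects"] / served
    return flagged
```

Postfix also has a separate smtpd_client_recipient_rate_limit parameter, which counts recipient addresses per client rather than connections.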

