DevHeads.net

concurrency rate limit

I'm wondering if I have my rate limiting set up correctly. Note I have
that perl script that sniffs out dynamic IP addresses, so I am not sure
how this user is even getting concurrent connections.

From the main.cf:
smtpd_client_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
    reject_unknown_reverse_client_hostname,
    check_client_access hash:/etc/postfix/spamsources
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_address,
    check_sender_access hash:/etc/postfix/spamsources
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policy
#lines added after hacker attack
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 6
smtpd_client_connection_rate_limit = 3
smtpd_client_auth_rate_limit = 20
smtpd_client_connection_count_limit = 3
smtpd_client_new_tls_session_rate_limit = 3
smtpd_client_recipient_rate_limit = 40
smtpd_recipient_limit = 20

From the maillog:
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: warning: Connection concurrency limit exceeded: 4 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29789]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: warning: Connection concurrency limit exceeded: 4 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29783]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29786]: lost connection after AUTH from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29786]: disconnect from unknown[121.238.5.110] ehlo=1 auth=0/1 commands=1/2
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: warning: Connection rate limit exceeded: 10 from unknown[121.238.5.110] for service smtp
Jan 10 08:39:32 mydomain postfix/smtpd[29790]: disconnect from unknown[121.238.5.110] commands=0/0
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: warning: hostname 110.5.238.121.broad.nt.js.dynamic.163data.com.cn does not resolve to address 121.238.5.110: Name or service not known
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: connect from unknown[121.238.5.110]
Jan 10 08:39:32 mydomain postfix/smtpd[29785]: warning: Connection rate limit exceeded: 11 from unknown[121.238.5.110] for service smtp

Comments

Re: concurrency rate limit

By Wietse Venema at 01/11/2019 - 08:20

Postfix receives more than 4 concurrent connections at a rate of
more than 10 connections over some time interval, and closes
excess connections.

If you want to prevent that such connections reach Postfix, then
you need to do that *outside* Postfix, during the TCP handshake.
Postfix does not implement TCP. That happens in the kernel.

Wietse

Re: concurrency rate limit

By lists at 01/11/2019 - 10:02

Now with that interpretation of the log, this makes sense. I was thinking rate and concurrency were different things.

Re: concurrency rate limit

By Viktor Dukhovni at 01/11/2019 - 11:19

They are different things. Both the rate and the concurrency were exceeded
in the logs you posted.

* Concurrency = Number of simultaneous connections. (With slight "fuzz"
as a result of message latency between smtpd(8) and anvil(8) if
connections are sufficiently short-lived, lasting not much longer than
the time it takes smtpd(8) to deliver a connection status update to
anvil(8). Not a problem in practice.)

* Rate = connections per time quantum (still subject to message latency,
but much less important over the longer time scale).
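To make the distinction concrete, here is a small Python model of the two per-client counters, written for this page and not Postfix's or anvil(8)'s own code; the constructed client address, the 60 s time unit and the order of the two checks are assumptions. It also shows Wietse's point that an excess connection still reaches smtpd before it is closed.

```python
from dataclasses import dataclass

# Limits from the question's main.cf; 60 s is the anvil_rate_time_unit default (assumed unset there).
CONNECTION_COUNT_LIMIT = 3   # smtpd_client_connection_count_limit
CONNECTION_RATE_LIMIT = 3    # smtpd_client_connection_rate_limit
RATE_TIME_UNIT = 60.0        # anvil_rate_time_unit, in seconds

@dataclass
class ClientState:
    unit_start: float      # start of the current rate time unit
    concurrent: int = 0    # connections open right now
    rate_count: int = 0    # connections seen in the current time unit

class AnvilModel:
    """Hypothetical, simplified stand-in for anvil(8)'s per-client counters: the rate
    counter restarts when a time unit elapses, and concurrency is tested before rate."""
    def __init__(self):
        self.clients = {}
        self.warnings = []

    def connect(self, client, now):
        st = self.clients.setdefault(client, ClientState(unit_start=now))
        if now - st.unit_start >= RATE_TIME_UNIT:
            st.rate_count, st.unit_start = 0, now
        st.concurrent += 1
        st.rate_count += 1
        if st.concurrent > CONNECTION_COUNT_LIMIT:
            self.warnings.append(f"Connection concurrency limit exceeded: {st.concurrent} from {client}")
        elif st.rate_count > CONNECTION_RATE_LIMIT:
            self.warnings.append(f"Connection rate limit exceeded: {st.rate_count} from {client}")
        else:
            return True
        self.disconnect(client)   # smtpd closes the excess connection at once
        return False

    def disconnect(self, client):
        self.clients[client].concurrent -= 1

def run_burst(n, parallel, client="unknown[192.0.2.10]"):
    """Open n connections one second apart (inside one time unit) from a constructed
    client; returns (accepted, warnings). parallel=False closes each connection before
    the next opens, so only the rate limit can trip; parallel=True leaves them open."""
    model = AnvilModel()
    accepted = 0
    for i in range(n):
        if model.connect(client, now=1000.0 + i):
            accepted += 1
            if not parallel:
                model.disconnect(client)
    return accepted, model.warnings
```

With the poster's limits, five short sequential connections trip only the rate limit (from the 4th on) while concurrency never exceeds 1; four connections held open trip the concurrency limit at the 4th.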