Georgi Petrov
2014-04-18 15:03:16 UTC
Hello all,
Recently milter-greylist was added to Virtualmin GPL as a mail rate
limiting option. The default setting is pretty basic and not satisfactory.
Therefore I will try to propose more advanced settings/setup.
Milter-greylist is of course way more capable than just limiting the rate
of the emails sent, but as this is one really important feature lets start
with it.
Rate limiting is important because:
- brute foreced/hijacked mail accounts can be used for sending huge
amount of spam. I've seen something like 100K emails sent in a night. Of
course the IP gets listed as spammer immediately. Rate limiting can slow
this down. The admin will have time to react (possibly the admin will be
warned).
- in a shared environment unfair users can send spam using their own
accounts
- websites get hacked and scripts that send spam can be installed there
- there are certain DoS attacks that can block the email service. For
example huge amount of incoming emails to existing users, containing virus.
The virus protection (if any) will block them, but the whole service can
slow down or completely become blocked.
What we want to achieve with our basic rate limiting:
- mail sent from localhost (via PHP, sendmail or webmail) should be
limited using the user as key. We should block the user and not the IP as
if we block the IP (127.0.0.1), nobody will be able to send anymore. We
should probably use the "from" field, as there is no sasl authentication
for localhost, but scamming the "from" field is not possible (I should
double check this).
- mails sent via email clients (Thunderbird etc.) should be limited by
the IP or the user. If we use the user it is probably better to use the
sasl authentication user, not the "from" field, as it can be scammed. If we
use the IP this can be combined with the next rule, but it will also block
multiple users using the same IP, one of which is sending too many emails.
- mail coming from other mail servers for local users should be limited
by the IP. This is for DoS prevention only, the limit here should be high.
- all users/IPs should be greylisted if they go over the ratelimit as we
want them to be able to send emails after some time and not blacklist them
forever.
Here is the original Virtualmin ratelimit rule, which is obviously not good
at all (the actual number of emails is controlled by the user via the
webinterface):
ratelimit "virtualmin_limit" rcpt 30 / 30m
racl blacklist from /.*/ ratelimit "virtualmin_limit" msg "Message quota
exceeded"
racl whitelist default
If somebody sends too many emails from localhost, it gets blacklisted and
nobody can send anymore.
Here is my modified version:
ratelimit "virtualmin_limit" rcpt 30 / 30m key "%f"
racl greylist from /.*/ ratelimit "virtualmin_limit" delay 31m autowhite 0m
msg "Message quota exceeded"
racl whitelist default
It works as expected limiting per user. If somebody sends too many emails
from PHP all the emails wait in the queue until the user drops below the
limit. The drawback is that it does not treat local and non local email
differently. So it needs improvement.
Here are my specific questions:
- How I can achieve two different rate limit rules for localhost and non
localhost (I have tried with some rules but they didn't work)?
- Is there a better way to limit the emails from PHP? They cannot be
rejected, so they go in the mail queue and wait there. The queue tries to
resend them every few minutes and they are rejected again until the rate
drops under the limit.
- Can we achieve some sort admin notification if the ratelimit is blocking
somebody? Now I can have warning notifications if the mail queue gets very
big.
Thanks a lot for your ideas, comments and time!
Georgi
Recently milter-greylist was added to Virtualmin GPL as a mail rate
limiting option. The default setting is pretty basic and not satisfactory.
Therefore I will try to propose more advanced settings/setup.
Milter-greylist is of course way more capable than just limiting the rate
of the emails sent, but as this is one really important feature lets start
with it.
Rate limiting is important because:
- brute foreced/hijacked mail accounts can be used for sending huge
amount of spam. I've seen something like 100K emails sent in a night. Of
course the IP gets listed as spammer immediately. Rate limiting can slow
this down. The admin will have time to react (possibly the admin will be
warned).
- in a shared environment unfair users can send spam using their own
accounts
- websites get hacked and scripts that send spam can be installed there
- there are certain DoS attacks that can block the email service. For
example huge amount of incoming emails to existing users, containing virus.
The virus protection (if any) will block them, but the whole service can
slow down or completely become blocked.
What we want to achieve with our basic rate limiting:
- mail sent from localhost (via PHP, sendmail or webmail) should be
limited using the user as key. We should block the user and not the IP as
if we block the IP (127.0.0.1), nobody will be able to send anymore. We
should probably use the "from" field, as there is no sasl authentication
for localhost, but scamming the "from" field is not possible (I should
double check this).
- mails sent via email clients (Thunderbird etc.) should be limited by
the IP or the user. If we use the user it is probably better to use the
sasl authentication user, not the "from" field, as it can be scammed. If we
use the IP this can be combined with the next rule, but it will also block
multiple users using the same IP, one of which is sending too many emails.
- mail coming from other mail servers for local users should be limited
by the IP. This is for DoS prevention only, the limit here should be high.
- all users/IPs should be greylisted if they go over the ratelimit as we
want them to be able to send emails after some time and not blacklist them
forever.
Here is the original Virtualmin ratelimit rule, which is obviously not good
at all (the actual number of emails is controlled by the user via the
webinterface):
ratelimit "virtualmin_limit" rcpt 30 / 30m
racl blacklist from /.*/ ratelimit "virtualmin_limit" msg "Message quota
exceeded"
racl whitelist default
If somebody sends too many emails from localhost, it gets blacklisted and
nobody can send anymore.
Here is my modified version:
ratelimit "virtualmin_limit" rcpt 30 / 30m key "%f"
racl greylist from /.*/ ratelimit "virtualmin_limit" delay 31m autowhite 0m
msg "Message quota exceeded"
racl whitelist default
It works as expected limiting per user. If somebody sends too many emails
from PHP all the emails wait in the queue until the user drops below the
limit. The drawback is that it does not treat local and non local email
differently. So it needs improvement.
Here are my specific questions:
- How I can achieve two different rate limit rules for localhost and non
localhost (I have tried with some rules but they didn't work)?
- Is there a better way to limit the emails from PHP? They cannot be
rejected, so they go in the mail queue and wait there. The queue tries to
resend them every few minutes and they are rejected again until the rate
drops under the limit.
- Can we achieve some sort admin notification if the ratelimit is blocking
somebody? Now I can have warning notifications if the mail queue gets very
big.
Thanks a lot for your ideas, comments and time!
Georgi