LinuxQuestions.org
Old 02-23-2010, 05:24 AM   #1
tikit
Member
 
Registered: Feb 2008
Posts: 85

Rep: Reputation: 16
Bandwidth limitation based on IP address


Hi,

We have a Postfix mail server that relays emails from our customers to internal SAP servers. We want to secure the server as much as possible to avoid DoS attacks and performance issues, so we set this in main.cf.

Code:
message_size_limit = 30720000
smtpd_client_connection_rate_limit = 60
smtpd_client_message_rate_limit = 60
smtp_connect_timeout = 10s
smtp_helo_timeout = 90s

To increase security, we are thinking of bandwidth limitation based on sender IP address, so an attacker could not quickly fill up the mail queue with large undeliverable mails.

I don't think Postfix offers such an option; however, is there a solution that enables it? The best would be if we could set it up directly on the mail server, because we are not able to set anything on the routers.

Thanks for helping.
 
Old 02-23-2010, 05:42 AM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250
IPtables ?

http://www.debian-administration.org/articles/187
 
Old 02-23-2010, 06:00 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 22,001

Rep: Reputation: 3629
Might look at a dedicated solution before the server. http://www.untangle.com/spam-blocker
 
Old 02-24-2010, 12:41 AM   #4
tikit
Member
 
Registered: Feb 2008
Posts: 85

Original Poster
Rep: Reputation: 16
Thanks both for the replies
To smoker: AFAIK iptables can only limit the number of connections, not the bandwidth. Or am I wrong? The number of connections is already controlled by Postfix
Code:
smtpd_client_connection_rate_limit = 60
To jefro: The mails that are relayed by our server are encrypted messages exchanged between SAP servers, so I think the spam blocker is not easily applicable. There are about 50 thousand messages a day.
 
Old 02-24-2010, 02:39 AM   #5
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
tc does bandwidth limiting based on IP address or a number of different parameters. Setup is somewhat complicated if you have never used tc before. But you don't have to install anything additional, it is already part of your running kernel. It only has to be configured.

The only problem might be that you can only limit outgoing traffic. You only have control over what you send. If you receive things, it is already sent to you and it is difficult to limit that. There are solutions to do traffic shaping on incoming traffic by creating an intermediate device which receives unlimited on one end and limits outgoing traffic to the rest of your box, but that is an extra setup step.

http://lartc.org/howto/
http://www.linux.org/docs/ldp/howto/...WTO/intro.html
http://www.topwebhosts.org/tools/traffic-control.php

jlinkels
 
Old 02-24-2010, 05:15 AM   #6
tikit
Member
 
Registered: Feb 2008
Posts: 85

Original Poster
Rep: Reputation: 16
jlinkels, thanks for your answer. Do you think it would be somehow possible to use the behavior of the TCP protocol (flow control)?
It would work like this:
There would be a network monitor on the mail server, monitoring bandwidth usage, and if, let's say, 10 MB has been sent from one IP address in the last minute, it would cause a decrease of the TCP window size, resulting in slowing down the connection.

Thanks.
 
Old 02-24-2010, 05:49 AM   #7
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250
Hi,

I'd be interested in what Postfix does with any prospective connections that are over the 60 per minute as defined by
Code:
smtpd_client_connection_rate_limit = 60
Are they queued or rejected ?


I mentioned IPtables because I thought maybe it would be better if the postfix server didn't have to deal with the overhead of DoS limiting. Using IPtables, postfix won't even see those requests that are breaking the rules.

Possibly use both methods ?

I agree IPtables doesn't limit bandwidth.

regards

Alan
 
Old 02-24-2010, 06:24 AM   #8
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
Quote:
Originally Posted by tikit
jlinkels, thanks for your answer. Do you think it would be somehow possible to use the behavior of the TCP protocol (flow control)?
Traffic shaping (which is bandwidth limiting in the sense you mean) on incoming traffic, called ingress shaping, is not quite impossible. It can be done in a limited way, and then the flow control of TCP is used. It causes the sender to cease sending packets. But it is seldom used, as few configuration options are available. The article on lartc.org explains this.

Quote:
Originally Posted by tikit
There would be a network monitor on the mail server, monitoring bandwidth usage, and if, let's say, 10 MB has been sent from one IP address in the last minute, it would cause a decrease of the TCP window size, resulting in slowing down the connection.
Thanks.
Well I don't know how exactly it works but the effect is similar as you describe.

Since you are thinking in the direction of limiting incoming traffic, I would advise you to study the IMQ device. It is also briefly discussed in the lartc.org article. The IMQ is another pseudo network device and is placed between the incoming network device and your mail server. The IMQ does not limit on the incoming stream, but does so on the outgoing stream, which is towards your mail server, effectively limiting the traffic input to your mail server.

The advantage of the IMQ is that you are shaping outgoing traffic, which means you can apply all sorts of queue disciplines like HTB, which is generally considered the most versatile. Like I said before, ingress traffic shaping offers much fewer options. There was a discussion some years ago whether the IMQ should become a standard part of the kernel. If it is not included, you'd have to recompile the kernel.

A word of warning though. I can't comment on your intention of traffic limiting towards the mail server. I have nil experience with this sort of security issue. I can tell you something about traffic shaping, and I have been using the IMQ device for that purpose. But I am not able to tell you if this is the right approach in your mail server environment. Hopefully other people are more knowledgeable.
 
Old 02-24-2010, 06:31 AM   #9
tikit
Member
 
Registered: Feb 2008
Posts: 85

Original Poster
Rep: Reputation: 16
The mails over the limit are rejected and this message is logged
Code:
Connection rate limit exceeded
 
Old 02-25-2010, 07:10 AM   #10
tikit
Member
 
Registered: Feb 2008
Posts: 85

Original Poster
Rep: Reputation: 16
I have read some guides to QoS and it seems quite clear to me how to set it up. However, the main goal is to cut down the sender's bandwidth (temporarily) when reaching the threshold, and I think I can't achieve this. There would have to be bandwidth monitoring, and if a threshold was reached it would cause the sender to be placed in a shaped queue. I assume this could be done by a script, but there must be a better solution. Something similar to SQUID "delay pools" would be the solution.
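An added example, not from the thread and not Postfix or tc project code, of the monitor-plus-shaped-queue idea from posts #6 and #10 combined with the HTB shaping on an intermediate device that jlinkels describes in #8: a sliding-window byte counter per sender IP that, once a sender passes 10 MB in 60 seconds, generates the tc commands to steer that IP into a slow HTB class instead of dropping its connections. Assumptions: the intermediate device is named ifb0 with an HTB qdisc handle 1: and root class 1:1 already configured, the slow class runs at 64kbit, and byte counts come from an outside source (the records in demo() are constructed).

```python
from collections import defaultdict, deque

WINDOW = 60                   # seconds of history kept per sender IP
THRESHOLD = 10 * 1024 * 1024  # 10 MB per window, the figure proposed in post #6
DEV, ROOT_CLASS = "ifb0", "1:1"  # assumed: ingress device (IMQ in the thread), HTB handle 1:, root class 1:1
PENALTY_CLASS, PENALTY_RATE = "1:20", "64kbit"  # assumed slow class id and rate

class SenderMonitor:
    """Sliding-window byte counter per source IP (tikit's 'network monitor')."""
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self._hist = defaultdict(deque)  # ip -> deque of (timestamp, nbytes)
        self._total = defaultdict(int)   # ip -> bytes still inside the window
        self.shaped = set()              # ips already moved to the penalty class
    def _expire(self, ip, now):
        q = self._hist[ip]
        while q and q[0][0] <= now - self.window:
            self._total[ip] -= q.popleft()[1]
    def bytes_in_window(self, ip, now):
        self._expire(ip, now)
        return self._total[ip]
    def observe(self, ts, ip, nbytes):
        """Record a transfer; True exactly once, when ip first crosses the threshold."""
        self._expire(ip, ts)
        self._hist[ip].append((ts, nbytes))
        self._total[ip] += nbytes
        if self._total[ip] > self.threshold and ip not in self.shaped:
            self.shaped.add(ip)
            return True
        return False

def setup_commands():
    """Create the slow class once, before any sender is steered into it."""
    return [f"tc class add dev {DEV} parent {ROOT_CLASS} classid {PENALTY_CLASS} "
            f"htb rate {PENALTY_RATE}"]

def penalty_commands(ip):
    """u32 filter sending packets from ip into the slow class: the connection stays up, TCP flow control slows the sender (post #12)."""
    return [f"tc filter add dev {DEV} parent 1: protocol ip prio 1 u32 "
            f"match ip src {ip}/32 flowid {PENALTY_CLASS}"]

def demo():
    """Constructed sample: one sender pushes 11 x 1 MB in 30 s, another 10 x 0.5 MB in 60 s."""
    records = [(t, "203.0.113.5", 1024 * 1024) for t in range(0, 33, 3)]
    records += [(t, "198.51.100.7", 512 * 1024) for t in range(0, 60, 6)]
    mon, cmds = SenderMonitor(), setup_commands()
    for ts, ip, n in sorted(records):
        if mon.observe(ts, ip, n):
            cmds += penalty_commands(ip)
    return sorted(mon.shaped), cmds
```

The commands are returned as strings so the logic can be checked without root; a real deployment would run them with subprocess and add a timer that deletes the filter again once the sender's window has drained.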
 
Old 02-25-2010, 12:35 PM   #11
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Rep: Reputation: 32
I can't remember where I found this elsewhere in the forum, but this is relevant to what you are trying to do if using iptables. http://linuxgazette.net/108/odonovan.html
 
Old 02-26-2010, 03:24 AM   #12
tikit
Member
 
Registered: Feb 2008
Posts: 85

Original Poster
Rep: Reputation: 16
Thanks richinsc. I think the iptables quota module is not applicable for me, because I just want to cut down the sender's bandwidth when reaching the quota, not to drop the connection.
 