We have a Postfix mail server that relays emails from our customers to internal SAP servers. We want to secure the server as much as possible to avoid DoS attacks and performance issues, so we set this in main.cf.
To increase security, we are thinking of bandwidth limitation based on sender IP address, so an attacker could not quickly fill up the mail queue with large undeliverable mails.
I don't think Postfix offers such an option, however is there a solution that enables it? The best would be if we could set it up directly on the mail server, because we are not able to set anything on the routers.
Thanks both for the replies
To smoker: AFAIK iptables can only limit number of connections, not the bandwidth. Or am I wrong? Number of connections is already controlled by Postfix
Code:
smtpd_client_connection_rate_limit = 60
To jefro: The mails that are relayed by our server are encrypted messages exchanged between SAP servers, so I think the spam blocker is not easily applicable. There are about 50 thousand messages a day.
tc does bandwidth limiting based on IP address or a number of different parameters. Setup is somewhat complicated if you have never used tc before. But you don't have to install anything additional, it is already part of your running kernel. It only has to be configured.
The only problem might be that you can only limit outgoing traffic. You only have control over what you send. If you receive things, it is already sent to you and it is difficult to limit that. There are solutions to do traffic shaping on incoming traffic by creating an intermediate device which receives unlimited on one end, and limits outgoing traffic to the rest of your box, but that is an extra setup step.
jlinkels, thanks for your answer. Do you think it would be somehow possible to use the behavior of the TCP protocol (flow control)?
It would work like this:
There would be a network monitor on the mail server, monitoring bandwidth usage, and if, let's say, 10 MB has been sent from one IP address in the last minute, it would cause decreasing of the TCP window size, resulting in slowing down the connection.
I'd be interested in what Postfix does with any prospective connections that are over the 60 per minute as defined by
Code:
smtpd_client_connection_rate_limit = 60
Are they queued or rejected?
I mentioned IPtables because I thought maybe it would be better if the postfix server didn't have to deal with the overhead of DoS limiting. Using IPtables, postfix won't even see those requests that are breaking the rules.
Quote:
Originally Posted by tikit
jlinkels, thanks for your answer. Do you think it would be somehow possible to use the behavior of the TCP protocol (flow control)?
Traffic shaping (which is bandwidth limiting in the sense you mean) on incoming traffic, called ingress shaping, is not quite impossible. It can be done in a limited way, and then the flow control of TCP is used. It causes the sender to cease sending packets. But it is seldom used, as few configuration options are available. The article on lartc.org explains this.
Quote:
Originally Posted by tikit
There would be a network monitor on the mail server, monitoring bandwidth usage, and if, let's say, 10 MB has been sent from one IP address in the last minute, it would cause decreasing of the TCP window size, resulting in slowing down the connection.
Thanks.
Well I don't know how exactly it works but the effect is similar as you describe.
Since you are thinking in the direction of limiting incoming traffic, I would advise you to study the IMQ device. It is also briefly discussed in the lartc.org article. The IMQ is another pseudo network device and is placed between the incoming network device and your mail server. The IMQ does not limit on the incoming stream, but does so on the outgoing stream, which is towards your mail server, effectively limiting the traffic input to your mail server.
The advantage of the IMQ is that you are shaping outgoing traffic, which means you can apply all sorts of queue disciplines like the HTB, which is generally considered the most versatile. Like I said before, ingress traffic shaping offers far fewer options. There was a discussion some years ago whether the IMQ should become a standard part of the kernel. If it is not included, you'd have to recompile the kernel.
A word of warning though. I can't comment on your intention of traffic limiting towards the mail server. I have nil experience with this sort of security issue. I can tell you something about traffic shaping, and I have been using the IMQ device for that purpose. But I am not able to tell you if this is the right approach in your mail server environment. Hopefully other people are more knowledgeable.
I have read some guides to QoS and it seems quite clear to me how to set it up. However, the main goal is to cut down the sender's bandwidth (temporarily) when reaching the threshold, and I think I can't achieve this. There would have to be bandwidth monitoring, and if a threshold was reached, it would cause placing the sender into a shaped queue. I assume this could be done by a script, but there must be a better solution. Something similar to SQUID "delay pools" would be the solution.
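The "script" sketched in the two posts above (count bytes per sender over the last minute, move a sender into a shaped queue when it passes 10 MB, and release it when it drops back) can be written as a small decision engine that emits tc commands. This is an added illustration, not code from the thread or from any poster; it assumes the HTB tree jlinkels describes already exists on an IMQ device named imq0, with class 1:20 reserved as the throttled class, and it only prints the commands unless told to run them.

```python
# Added example: per-sender sliding-window byte counter that emits the
# tc commands moving a sender into (or out of) a throttled HTB class.
# Assumptions: device imq0 carries an HTB tree rooted at 1:, class 1:20 is
# the reduced-rate class; all names and numbers here are illustrative.
import subprocess
from collections import defaultdict, deque

DEV = "imq0"                   # assumed IMQ pseudo-device from the thread
SLOW_CLASS = "1:20"            # assumed HTB class with the reduced rate
WINDOW = 60                    # seconds ("in the last minute")
THRESHOLD = 10 * 1024 * 1024   # 10 MB per window, as proposed in the thread

def tc_cmd(action, ip, slot):
    """Build a tc u32 filter command for one sender. An explicit handle
    (800::<slot>) is used so the filter can be deleted again later."""
    cmd = ["tc", "filter", action, "dev", DEV, "parent", "1:", "protocol",
           "ip", "prio", "1", "handle", f"800::{slot:x}", "u32"]
    if action == "add":
        cmd += ["match", "ip", "src", f"{ip}/32", "flowid", SLOW_CLASS]
    return cmd

class SenderMonitor:
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.samples = defaultdict(deque)   # ip -> deque of (time, bytes)
        self.slots = {}                     # ip -> filter slot while throttled
        self.next_slot = 1

    def bytes_in_window(self, ip, now):
        q = self.samples[ip]
        while q and q[0][0] <= now - self.window:   # age out old samples
            q.popleft()
        return sum(b for _, b in q)

    def observe(self, ip, nbytes, now):
        """Account nbytes from ip at time now (seconds, monotonic). Returns the
        tc commands to apply; an empty list means the sender's state is unchanged."""
        self.samples[ip].append((now, nbytes))
        total = self.bytes_in_window(ip, now)
        if total > self.threshold and ip not in self.slots:
            self.slots[ip] = self.next_slot
            self.next_slot += 1
            return [tc_cmd("add", ip, self.slots[ip])]
        if total <= self.threshold and ip in self.slots:
            return [tc_cmd("del", ip, self.slots.pop(ip))]
        return []

def apply(commands, dry_run=True):
    """Print the commands; actually run them only when dry_run is False
    (requires root and the HTB tree on DEV)."""
    for cmd in commands:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
```

Feed observe() from whatever byte counter you already have per connection (for example a packet-accounting hook or periodic iptables counter reads); the sender is throttled rather than dropped, which is the distinction raised against the quota module below.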
I can't remember where I found this elsewhere in forum but this is relevant to what you are trying to do if using iptables. http://linuxgazette.net/108/odonovan.html
Thanks richinsc. I think the iptables quota module is not applicable for me, because I just want to cut down the sender's bandwidth when reaching the quota, not to drop the connection.