Greetings all, this may be a long post, but bear with me. Most of the info is just code and command line snippets.

Essentially, I needed a way to be able to agressively rate limit the number of mails that were being sent TO a specific domain (the whole domain), any mail that exceeded the rate limit needs to be rejected of dropped. Not delayed of deferred.

The main issue? I cannot use Exim or any other friendly MTA. I MUST use postfix, so here we are, with Postfix and PostFWD, and a couple of issues.

So to begin with, I verify that my rate limit rule exists in postfwd and is interpreted correctly from postfwd.cf in the postfix directory (it is):
The above rate limits all outbound mail destined for anything @dave-byrne.co.uk to just 3emails within a 30minute window. The domain is my own for testing, but in production, this will rate limit messages bound for an external Email to SMS gateway.

A quick check to ensure Postfix and PostFWD are up and listening (they are):
I then fire sample requests at the PostFWD server listening internally on port 10040. you can see PostFWD passes (with its DUNNO action) 3 mails, before applying the rate limit to the 4th and rejecting it with a 421. Perfect. Now to just make Postfix use PostFWD!
An excerpt from /var/log/maillog showing the rate limit applying to the 4th message above
So, to integrate with Postfix, I added the following to my postfix main.cf file:
This is all as per the PostFWD documentation.

I then use telnet locally to connect to Postfix and send emails to admin[at]dave-byrne.co.uk. Like so:
I do this 4, 5, 6 times, the 4th should have rate limited like it did when using netcat to directly fire them at PostFWD. But it doesn't, postfix just merrily goes about its business relaying the mails like it thinks it should. I can send a hundred and it wont even think about rate limiting. During this time, PostFWD prints NOTHING to the logs, it isn't hit at all, it doesn't pass anything, it doesn't block anything. Postfix isn't using PostFWD, even though its set in smtpd_recipient_restrictions as a check_policy_service.

And this is where I'm stuck. 3 days in and I'm none the wiser. Has anyone ever used PostFWD (Postfix Firewall Daemon) before successfully, with any type of rule set, regardless of rate limiting. I'm open to many suggestions, however I cannot change from postfix, I cannot change OS, and I cannot hand off to an external intermediate mail relay due to security concerns and workflow issues with what's actually being sent.

Thanks all,
Dave.

Immediately after asking this question, I realised that postfix recipient restrictions are executed in the order they appear in main.cf. So my

... Was returning a hard 'OK' at 'permit_mynetworks'. An OK will stop processing further restrictions.

I resolved my issue by placing the check_policy_service at the top of my smtp recipient restrictions. If PostFWD passes a mail, it replies with 'DUNNO' or rather 'DUNNO/OK', this passes, but continues to run further smtp restrictions.

With this in place, PostFWD was free to pass the mail that didn't trigger the rate limit, but once it did trigger the rate limit, it replied with a 421 rejection. Exactly what I wanted.

So keep in mind, the order in which you restrict, and what you are actually restricting, matters quite a lot.

Please note that this is a private internal mail server that serves one very specific purpose. Do not use this code for a production or shared mail server