Re: [EXIM] Restricting connections from a single IP address

Author: Nigel Metheringham
Date:  
To: Philip Hazel
CC: exim-users
Subject: Re: [EXIM] Restricting connections from a single IP address
Here is my lightly tested patch for handling address session restriction.

I add one config variable:-
    smtp_accept_host_max


which is an integer and defaults to zero (i.e. inactive - same as current
normal practice).

If set and positive, you may have a maximum of smtp_accept_host_max from
any one network address active at a time. The daemon checks this limit
before forking the accept process (this will result in slightly slower
accepting of connections should this feature be used, but protects you
against someone hitting you hard to attempt to overload the machine with
forked processes).

The code is written with a mind to working with both IPv4 and IPv6
although I can only test with IPv4. It will also work with any other
networking technologies in the future for which the sender_host_address is
valid. As with other exim limits it will only work if exim is run as a
daemon.

Cost of this code (if active):-
    - 1 sender_host_address string stored in memory for
        each active incoming SMTP connection
    - linear search of active connection table for each new
        SMTP connection.  This is short circuited as much as
        I can so often it will terminate early, but in many
        cases you are going to do a string compare for each
        currently active connection.


    Nigel.


[ Nigel.Metheringham@??? - Systems Software Engineer ]
[ Tel : +44 113 207 6112                   Fax : +44 113 234 6065 ]
[      Real life is but a pale imitation of a Dilbert strip       ]
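
The per-host check described in the message above, as an added example in C; it is not the patch from the post and not Exim's code. Only `smtp_accept_host_max` and the idea of storing the sender host address per active connection come from the message; the table layout, its size and the function names are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define SMTP_ACCEPT_MAX 4   /* constructed table size, one slot per child */

/* One slot per forked SMTP process; host == NULL marks a free slot. */
typedef struct { int pid; char *host; } smtp_slot;   /* hypothetical layout */
static smtp_slot slots[SMTP_ACCEPT_MAX];
static int smtp_accept_host_max = 0;   /* 0 = inactive, as in the message */

/* Called before fork(): 1 if another connection from host is allowed.
   Linear scan that stops as soon as the per-host limit is reached. */
int host_may_connect(const char *host)
{
    int same = 0;
    if (smtp_accept_host_max <= 0) return 1;
    for (int i = 0; i < SMTP_ACCEPT_MAX; i++)
        if (slots[i].host != NULL && strcmp(slots[i].host, host) == 0 &&
            ++same >= smtp_accept_host_max)
            return 0;
    return 1;
}

/* Record an accepted connection; returns the slot index, or -1 when the
   host is over its limit, the table is full, or memory runs out. */
int slot_open(int pid, const char *host)
{
    if (!host_may_connect(host)) return -1;
    for (int i = 0; i < SMTP_ACCEPT_MAX; i++)
        if (slots[i].host == NULL) {
            size_t n = strlen(host) + 1;
            char *copy = malloc(n);   /* the one stored address string */
            if (copy == NULL) return -1;
            memcpy(copy, host, n);
            slots[i].pid = pid;
            slots[i].host = copy;
            return i;
        }
    return -1;
}

/* Called when the child for pid exits: release its stored address. */
void slot_close(int pid)
{
    for (int i = 0; i < SMTP_ACCEPT_MAX; i++)
        if (slots[i].host != NULL && slots[i].pid == pid) {
            free(slots[i].host);
            slots[i].host = NULL;
            return;
        }
}
```

The comparison is on the textual address, so it counts correctly only when every connection's address string is produced by the same formatting routine, which matters for IPv6 where one address has several textual forms.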