AW: [Exim] exim fine-tuning

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Bauer, Felix
Ημερομηνία:  
Προς: Scott Call
Υ/ο: Exim-users
Αντικείμενο: AW: [Exim] exim fine-tuning
Hi,

thx for your reply!

> > last weekend I experienced a DoS *cheer*. In fact this wasn't as
> > funny[...]
>
> I hate that, sucks doesn't it? On my main exim system (Dual Xeon
> 2.4's, 1 gig of ram ,etc etc) I can handle the 200K delivered

(+1million
> bonked but RBL/Syntax/etc) pretty well, but we do see DoS/DDos

attacks,
> and have had to tune exim to help it survive.


Seriously, yes. :)

> To fend them off, I've implemented the following:
> smtp_accept_max = 512

sounds good

> smtp_accept_max_per_host = 20

sounds good

> queue_only_load = 15
> smtp_load_reserve = 15

I will wait until I get some stuff of that host and try that with
caution.

> smtp_reserve_hosts = +relay_from_hosts
> deliver_queue_load_max = 10
>
> While it may not be optimal, it does the trick. With a smaller box

(and
> expected connection rate) you can, of course, set the accept_max and
> accept_max_per_host to lower #'s. With a per-host of 20, I still get
> several times a day when a specific host tries to connect more than 20
> times. When I check the logs it's usually sending spam or viruses.
>
> The reserve stuff is there so that if the box just gets too busy, it

4xx's
> outside SMTP but accepts email from my customers. This way my

customer
> support folks don't have to take "why isn't my outlook outbox

emptying"
> calls.


If they don't call for outlook, they call for something else...
I also changed rfc1413_query_timeout to 0s to disable this feature.

> I'm also fairly aggressive with reject HELOs with non domain literal

IPs,
> and my local hostname, which kills a lot of automated attacks.


That sounds interessting. Maybe I'll just mark those emails with SA and
get
make some stats, since I don't know yet how much "good" mails use
literal IPs with HELOs.

> I also check a text file for explictly denied hosts with a connect

ACL,
> and add/subtract from that file if a specific IP is hitting me too

hard.

I started blocking "strange" hosts (for example my special friend from
84.30.55.80/qe84.internetdsl.tpnet.pl *hrhrhr*)

> Also, not knocking on SA-Exim (I've never used it) but maybe exiscan

which
> connects to spamd directly might be more efficient than spawning spamc
> with every message?


Well forking spamc for a small time is ok IMHO. I use SA-exim, since it
provides me with several usefull features where exiscan-acls leaks and
exiscan only for malware and some other nice tweaks.


thx
-fe

>
> Like I said, I'm sure there are better ways to do it than I have,

since
> I'm still learning too, but I figure it might help to share.
>
> Thanks
> -Scott
>
> --
> Scott Call    Router Geek, ATGi, home of $6.95 Prime Rib
> I make the world a better place, I boycott Wal-Mart
> VoIP incoming: +1 360-382-1814