[exim] Re: [exim-dev] New ratelimit in 4.52

Author: Tony Finch
Date:  
To: Sam Michaels
CC: exim-users, exim-dev
Subject: [exim] Re: [exim-dev] New ratelimit in 4.52
On Tue, 28 Jun 2005, Sam Michaels wrote:

Questions about how to configure Exim are not appropriate for -dev
so I am redirecting this to the -users list.

> I was hoping to get some clarification on the new rate limiting ACL
> condition. While we definitely need rate limiting for accepted
> messages, I'd like it to track everything EXCEPT accepted messages.
> If a host keeps sending bum messages (whether dropped or denied) I
> want to throttle him in the connect ACL as not to waste any more
> resources.
>
> A good example are the virus drones. They just keep sending and
> sending and sending...each time they get a deny for an unknown user or
> a deny from the malware condition. Once they exceed a certain amount
> in a certain time, I don't even want them to get the welcome banner.
> They get the maximum delay permitted by the RFC and then a 451.
>
> Am I missing something or is this missing the ability to rate limit
> based on failure instead of success?


Exim's ACLs don't make this kind of thing particularly easy because they
are mostly straight line code, so if you want to write an ACL with a
structure like "if condition then complicated thing else other complicated
thing" you have to fiddle a bit. This partly explains the accept/endpass
feature, which allows a limited two-branch conditional.

The ratelimit condition has very few restrictions. It just measures how
often it is evaluated and returns true or false if this is above the
limit. (There are a few bells and whistles, but that's the essence.) So
you can use it to measure the rate of anything that an ACL can detect. You
can limit the rate of invalid recipients like this:

    require acl = aux_verify_recipient

    ...

aux_verify_recipient:

    accept verify = recipient

    drop
      ratelimit = ... / ... / per_rcpt / strict
      delay = ...

    deny


It might be worth adding a read-only string expansion for looking up a
client's rate, for doing more complicated things like denying connections,
but I don't have time for that at the moment.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
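A fuller version of the pattern Tony sketches, added here as an example and not taken from his mail or from the Exim distribution. The limit (10 per hour), the 30s delay, the messages and the ACL names are constructed values; it assumes Exim 4.52's ratelimit syntax with the per_rcpt and strict options and the default key (the client host address).

```exim
# Added example (not from the mail above). Constructed values: 10 unknown
# recipients per hour, 30s tarpit on the drop, default ratelimit key.

acl_check_rcpt:

  # ... relay control and other RCPT-time checks go here ...

  # Hand recipient verification to the subroutine ACL below. "require"
  # rejects the RCPT if the subroutine does not accept, using whatever
  # message the subroutine set.
  require acl = aux_verify_recipient

  accept

# Subroutine ACL: valid recipients are accepted before the ratelimit
# condition is ever evaluated, so only failures are counted.
aux_verify_recipient:

  accept  verify = recipient

  # Reached only for unknown users. "per_rcpt" counts one event per RCPT
  # command; "strict" keeps updating the client's rate while it is over
  # the limit, so a drone that keeps retrying stays throttled instead of
  # being let back in as soon as its measured rate decays below 10/h.
  drop    ratelimit   = 10 / 1h / per_rcpt / strict
          delay       = 30s
          log_message = unknown-recipient rate exceeded by $sender_host_address
          message     = Too many invalid recipients; connection dropped

  # Under the limit: plain rejection of the unknown user.
  deny    message     = Unknown user
```

The same subroutine shape works for any other failure an ACL can see (for example a deny in the DATA ACL), as long as the successful path accepts before the ratelimit condition is reached.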