Re: [exim] rate limit on local accounts?

Top Page
Delete this message
Reply to this message
Author: Mike Cardwell
Date:  
To: exim-users
Subject: Re: [exim] rate limit on local accounts?
Dave Evans wrote:

>> So unless I can figure out a way to "do the auth one way" when they use
>> webmail and "do the auth another way" when they remote smtp.. I am stuck
>> using relaying by IP (127.0.0.1).
>>
>> Does that make sense?
>
> Errr... sort of. Let me just check I understand correctly so far:
>
> Mail from your users arrives via two separate routes:
>
>> accept authenticated = *
>>    control = submission/domain=

>
> i.e. SMTP AUTH from any source. Ideally each user has a unique ID (no
> sharing), and each user has /only/ one ID.
>
>> accept hosts    =    +relay_from_hosts
>>    control = submission/domain=

>
> i.e. unauthenticated SMTP from any host in +relay_from_hosts. You didn't show
> us what's in that list, though, so this could be anything.
>
> Plus also there's non-SMTP submission, but I think you're saying you don't use
> that - at least not for your user mail.
>
> So far so good?
>
> The key to this kind of rate limiting is being able to tell (within the Exim
> ACLs) which user sent each email. In the SMTP AUTH case, you can tell which
> user sent the email by reading $authenticated_id. However in the
> +relay_from_hosts case it's unclear how this might be done.
>
> Is the +relay_from_hosts case /only/ used to deal with squirrelmail (on
> 127.0.0.1)? Does squirrelmail send SMTP AUTH? If the answers to those
> questions are yes and no respectively, then - just a guess - can you read a
> header set by squirrelmail which tells you which user submitted the mail?
>
> It sounds like you might end up with two separate ratelimit clauses - one for
> SMTP AUTH and another for squirrelmail. But how you proceed depends on the
> questions above.


If it helps, here's how we do it with IMP. Email is sent using the
command line rather than via SMTP so we catch it in the notsmtp acl.
First we parse out the username from the received header (which IMP
adds) with:

warn set acl_m0 = ${if
match{$h_Received:}{\N.+<([^>@]+)@localhost>;\N}{$1}{}}

Then we freeze any mail in the queue that exceeds the ratelimit with:

warn condition = ${if !eq{$acl_m0}{}}
      ratelimit = 100 / 1d / leaky / user-$acl_m0
      control   = freeze


--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)