[exim] ratelimit woes

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Jan Ingvoldstad
Dátum:  
Címzett: exim-users
Tárgy: [exim] ratelimit woes
Hello.

I'm a Debian user battling with Exim 4.72 backported to lenny.

I've read the documentation over and over
(http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html
section 36 to 40), googled myself half to death, scoured the mailing
list, and yet ratelimiting remains black box magic.

Currently, I've reached some sort of equilibrium, where one out of
four rules fail to do anything at all, while the others work nicely.

What I'm trying to do, is to apply different rate limits for different
time intervals, and I'm experimenting with low limits before putting
this into production.

The limits are currently, in order:

60 per day
50 per hour
2 per minute

Additionally, I use the logging example from the docs.

Strangely enough, even though I use strict copy-and-paste replacing
ONLY the number and 'd' in "1d" (or 'm' in "1m"), the ratelimit per
hour is NEVER activated. At the time of testing my rate was, according
to the logging rule:

2011-02-17 17:30:44 [32348] Rate: 60.1/1h root@DOMAIN_1
(DOMAIN_1[IP_ADDRESS]) -> jan@DOMAIN_2

Testing is performed by creating fresh SMTP connections for each RCPT
TO command, for simplicity's sake.

When I passed 50/1h but was still below 60/1d, I got the following in SMTP time:

rcpt to:<jan@DOMAIN_2>
250 Accepted

If I provoked more than 2/1m, I got the following:

rcpt to:<jan@DOMAIN_2>
550 Sending rate exceeded, 2.2/1m (max 2/1m)

When I passed 60/1d:

rcpt to:<jan@DOMAIN_2>
550 Sending rate exceeded, 60.2/1d (max 60/1d)


It fails consistently, regardless of the order of the rules, and also
if I cut out either the per minute or daily rate rules, and regardless
of whether I start with a fresh copy-paste of the per minute rule or
daily rate rule as a basis for substituting "50" and "h" respectively.

So, I'm essentially deep in WTF land.

Does anyone have a good explanation why this would fail for the hourly
rate rule, and not for the others?



Here is the relevant part of the configuration:

# ----------
acl_check_rcpt:

  warn ratelimit = 0 / 1h / strict
       logwrite = :main: \
                  Rate: $sender_rate/$sender_rate_period \
                  $message_id \
                  $sender_address ($sender_host_name[$sender_host_address]) \
                   -> $local_part@$domain

  deny authenticated = *
       ratelimit = 60 / 1d / strict / $authenticated_id
       message = Sending rate exceeded, $sender_rate/$sender_rate_period \
                 (max $sender_rate_limit/$sender_rate_period)
       logwrite = :main,reject: \
                  Rate exceeded:  $sender_rate/$sender_rate_period \
                  (max $sender_rate_limit) $message_id \
                  $sender_address ($sender_host_name[$sender_host_address]) \
                   -> $local_part@$domain

  deny authenticated = *
       ratelimit = 50 / 1h / strict / $authenticated_id
       message = Sending rate exceeded, $sender_rate/$sender_rate_period \
                 (max $sender_rate_limit/$sender_rate_period)
       logwrite = :main,reject: \
                  Rate exceeded:  $sender_rate/$sender_rate_period \
                  (max $sender_rate_limit) $message_id \
                  $sender_address ($sender_host_name[$sender_host_address]) \
                   -> $local_part@$domain


  deny authenticated = *
       ratelimit = 2 / 1m / strict / $authenticated_id
       message = Sending rate exceeded, $sender_rate/$sender_rate_period \
                 (max $sender_rate_limit/$sender_rate_period)
       logwrite = :main,reject: \
                  Rate exceeded:  $sender_rate/$sender_rate_period \
                  (max $sender_rate_limit) $message_id \
                  $sender_address ($sender_host_name[$sender_host_address]) \
                   -> $local_part@$domain



--
Jan