[exim-cvs] Improved ratelimit ACL condition.

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Improved ratelimit ACL condition.
Gitweb: http://git.exim.org/exim.git/commitdiff/c99ce5c9a3ff397497892a741079be2edf385de2
Commit:     c99ce5c9a3ff397497892a741079be2edf385de2
Parent:     921b12ca0c361b9c543368edf057712afa02ca14
Author:     Tony Finch <dot@???>
AuthorDate: Mon Jun 13 21:48:24 2011 +0100
Committer:  Tony Finch <dot@???>
CommitDate: Fri Jun 17 16:53:05 2011 +0100


    Improved ratelimit ACL condition.


    Replace /noupdate with simpler /readonly option. (/noupdate is
    supported for backwards compatibility but no longer documented.)


    Better checking of the compatibility between per_* options and the
    ACL in which the ratelimit condition appears.


    Better handling of the start of a burst of email and of very low-rate
    clients.


    The new /count= option generalizes the per_byte and per_rcpt options.


    The new /unique= option is a rather groovy use for a Bloom filter.
---
 doc/doc-docbook/spec.xfpt |  236 +++++++++++++++--------
 doc/doc-txt/ChangeLog     |   51 +++++
 src/OS/Makefile-Base      |    4 +-
 src/src/acl.c             |  458 ++++++++++++++++++++++++++++++++++++---------
 src/src/dbstuff.h         |    9 +
 src/src/exim_dbutil.c     |  155 ++++++++++------
 6 files changed, 684 insertions(+), 229 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index fb27218..f892f20 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -27226,69 +27226,118 @@ rate at which a recipient receives messages, you can use the key
&`$local_part@$domain`& with the &%per_rcpt%& option (see below) in a RCPT
ACL.

-Internally, Exim appends the smoothing constant &'p'& and the options onto the
-lookup key because they alter the meaning of the stored data. This is not true
-for the limit &'m'&, so you can alter the configured maximum rate and Exim will
-still remember clients' past behaviour, but if you alter the other ratelimit
-parameters Exim forgets past behaviour.
-
-Each &%ratelimit%& condition can have up to three options. One option
-specifies what Exim measures the rate of, and the second specifies how Exim
-handles excessively fast clients. The third option can be &`noupdate`&, to
-disable updating of the ratelimiting database (see section &<<rearatdat>>&).
-The options are separated by a slash, like the other parameters. They may
-appear in any order.
+Each &%ratelimit%& condition can have up to four options. A &%per_*%& option
+specifies what Exim measures the rate of, for example messages or recipients
+or bytes. You can adjust the measurement using the &%unique=%& and/or
+&%count=%& options. You can also control when Exim updates the recorded rate
+using a &%strict%&, &%leaky%&, or &%readonly%& option. The options are
+separated by a slash, like the other parameters. They may appear in any order.
+
+Internally, Exim appends the smoothing constant &'p'& onto the lookup key with
+any options that alter the meaning of the stored data. The limit &'m'& is not
+stored, so you can alter the configured maximum rate and Exim will still
+remember clients' past behaviour. If you change the &%per_*%& mode or add or
+remove the &%unique=%& option, the lookup key changes so Exim will forget past
+behaviour. The lookup key is not affected by changes to the update mode and
+the &%count=%& option.
+

.section "Ratelimit options for what is being measured" "ratoptmea"
-The &%per_conn%& option limits the client's connection rate.
+.cindex "rate limiting" "per_* options"
+The &%per_conn%& option limits the client's connection rate. It is not
+normally used in the &%acl_not_smtp%&, &%acl_not_smtp_mime%&, or
+&%acl_not_smtp_start%& ACLs.

The &%per_mail%& option limits the client's rate of sending messages. This is
-the default if none of the &%per_*%& options is specified.
-
-The &%per_byte%& option limits the sender's email bandwidth. Note that it is
-best to use this option in the DATA ACL; if it is used in an earlier ACL it
-relies on the SIZE parameter specified by the client in its MAIL command,
-which may be inaccurate or completely missing. You can follow the limit &'m'&
-in the configuration with K, M, or G to specify limits in kilobytes,
-megabytes, or gigabytes, respectively.
-
-The &%per_rcpt%& option causes Exim to limit the rate at which
-recipients are accepted. To be effective, it would need to be used in
-either the &%acl_smtp_rcpt%& or the &%acl_not_smtp%& ACL. In the
-&%acl_smtp_rcpt%& ACL, the number of recipients is incremented by one.
-In the case of a locally submitted message in the &%acl_not_smtp%& ACL,
-the number of recipients is incremented by the &%$recipients_count%&
-for the entire message. Note that in either case the rate limiting
-engine will see a message with many recipients as a large high-speed
-burst.
+the default if none of the &%per_*%& options is specified. It can be used in
+&%acl_smtp_mail%&, &%acl_smtp_rcpt%&, &%acl_smtp_predata%&, &%acl_smtp_mime%&,
+&%acl_smtp_data%&, or &%acl_not_smtp%&.
+
+The &%per_byte%& option limits the sender's email bandwidth. It can be used in
+the same ACLs as the &%per_mail%& option, though it is best to use this option
+in the &%acl_smtp_mime%&, &%acl_smtp_data%& or &%acl_not_smtp%& ACLs; if it is
+used in an earlier ACL, Exim relies on the SIZE parameter given by the client
+in its MAIL command, which may be inaccurate or completely missing. You can
+follow the limit &'m'& in the configuration with K, M, or G to specify limits
+in kilobytes, megabytes, or gigabytes, respectively.
+
+The &%per_rcpt%& option causes Exim to limit the rate at which recipients are
+accepted. It can be used in the &%acl_smtp_rcpt%&, &%acl_smtp_predata%&,
+&%acl_smtp_mime%&, &%acl_smtp_data%&, or &%acl_smtp_rcpt%& ACLs. In
+&%acl_smtp_rcpt%& the rate is updated one recipient at a time; in the other
+ACLs the rate is updated with the total recipient count in one go. Note that
+in either case the rate limiting engine will see a message with many
+recipients as a large high-speed burst.
+
+The &%per_addr%& option is like the &%per_rcpt%& option, except it counts the
+number of different recipients that the client has sent messages to in the
+last time period. That is, if the client repeatedly sends messages to the same
+recipient, its measured rate is not increased. This option can only be used in
+&%acl_smtp_rcpt%&.

 The &%per_cmd%& option causes Exim to recompute the rate every time the
-condition is processed. This can be used to limit the SMTP command rate.
-This command is essentially an alias of &%per_rcpt%& to make it clear
-that the effect is to limit the rate at which individual commands,
-rather than recipients, are accepted.
+condition is processed. This can be used to limit the rate of any SMTP
+command. If it is used in multiple ACLs it can limit the aggregate rate of
+multiple different commands.
+
+The &%count=%& option can be used to alter how much Exim adds to the client's
+measured rate. For example, the &%per_byte%& option is equivalent to
+&`per_mail/count=$message_size`&. If there is no &%count=%& option, Exim
+increases the measured rate by one (except for the &%per_rcpt%& option in ACLs
+other than &%acl_smtp_rcpt%&). The count does not have to be an integer.
+
+The &%unique=%& option is described in section &<<ratoptuniq>>& below.
+
+
+.section "Ratelimit update modes" "ratoptupd"
+.cindex "rate limiting" "reading data without updating"
+You can specify one of three options with the &%ratelimit%& condition to
+control when its database is updated. This section describes the &%readonly%&
+mode, and the next section describes the &%strict%& and &%leaky%& modes.
+
+If the &%ratelimit%& condition is used in &%readonly%& mode, Exim looks up a
+previously-computed rate to check against the limit.
+
+For example, you can test the client's sending rate and deny it access (when
+it is too fast) in the connect ACL. If the client passes this check then it
+can go on to send a message, in which case its recorded rate will be updated
+in the MAIL ACL. Subsequent connections from the same client will check this
+new rate.
+.code
+acl_check_connect:
+  deny ratelimit = 100 / 5m / readonly
+       log_message = RATE CHECK: $sender_rate/$sender_rate_period \
+                     (max $sender_rate_limit)
+# ...
+acl_check_mail:
+  warn ratelimit = 100 / 5m / strict
+       log_message  = RATE UPDATE: $sender_rate/$sender_rate_period \
+                      (max $sender_rate_limit)
+.endd


-.section "Ratelimit options for handling fast clients" "ratophanfas"
+If Exim encounters multiple &%ratelimit%& conditions with the same key when
+processing a message then it may increase the client's measured rate more than
+it should. For example, this will happen if you check the &%per_rcpt%& option
+in both &%acl_smtp_rcpt%& and &%acl_smtp_data%&. However it's OK to check the
+same &%ratelimit%& condition multiple times in the same ACL. You can avoid any
+multiple update problems by using the &%readonly%& option on later ratelimit
+checks.
+
+The &%per_*%& options described above do not make sense in some ACLs. If you
+use a &%per_*%& option in an ACL where it is not normally permitted then the
+update mode defaults to &%readonly%& and you cannot specify the &%strict&% or
+&%leaky%& modes. In other ACLs the default update mode is &%leaky%& (see the
+next section) so you must specify the &%readonly%& option explicitly.
+
+
+.section "Ratelimit options for handling fast clients" "ratoptfast"
+.cindex "rate limiting" "strict and leaky modes"
If a client's average rate is greater than the maximum, the rate limiting
engine can react in two possible ways, depending on the presence of the
-&%strict%& or &%leaky%& options. This is independent of the other
+&%strict%& or &%leaky%& update modes. This is independent of the other
counter-measures (such as rejecting the message) that may be specified by the
-rest of the ACL. The default mode is leaky, which avoids a sender's
-over-aggressive retry rate preventing it from getting any email through.
+rest of the ACL.

-The &%strict%& option means that the client's recorded rate is always
-updated. The effect of this is that Exim measures the client's average rate
-of attempts to send email, which can be much higher than the maximum it is
-actually allowed. If the client is over the limit it may be subjected to
-counter-measures by the ACL until it slows down below the maximum rate. If
-the client stops attempting to send email for the time specified in the &'p'&
-parameter then its computed rate will decay exponentially to 37% of its peak
-value. You can work out the time (the number of smoothing periods) that a
-client is subjected to counter-measures after an over-limit burst with this
-formula:
-.code
-        ln(peakrate/maxrate)
-.endd
 The &%leaky%& (default) option means that the client's recorded rate is not
 updated if it is above the limit. The effect of this is that Exim measures the
 client's average rate of successfully sent email, which cannot be greater than
@@ -27296,6 +27345,59 @@ the maximum allowed. If the client is over the limit it may suffer some
 counter-measures (as specified in the ACL), but it will still be able to send
 email at the configured maximum rate, whatever the rate of its attempts. This
 is generally the better choice if you have clients that retry automatically.
+For example, it does not prevent a sender with an over-aggressive retry rate
+from getting any email through.
+
+The &%strict%& option means that the client's recorded rate is always
+updated. The effect of this is that Exim measures the client's average rate
+of attempts to send email, which can be much higher than the maximum it is
+actually allowed. If the client is over the limit it may be subjected to
+counter-measures by the ACL. It must slow down and allow sufficient time to
+pass that its computed rate falls below the maximum before it can send email
+again. The time (the number of smoothing periods) it must wait and not
+attempt to send mail can be calculated with this formula:
+.code
+        ln(peakrate/maxrate)
+.endd
+
+
+.section "Limiting the rate of different events" "ratoptuniq"
+.cindex "rate limiting" "counting unique events"
+The &%ratelimit%& &%unique=%& option controls a mechanism for counting the
+rate of different events. For example, the &%per_addr%& option uses this
+mechanism to count the number of different recipients that the client has
+sent messages to in the last time period; it is equivalent to
+&`per_rcpt/unique=$local_part@$domain`&. You could use this feature to
+measure the rate that a client uses different sender addresses with the
+options &`per_mail/unique=$sender_address`&.
+
+For each &%ratelimit%& key Exim stores the set of &%unique=%& values that it
+has seen for that key. The whole set is thrown away when it is older than the
+rate smoothing period &'p'&, so each different event is counted at most once
+per period. In the &%leaky%& update mode, an event that causes the client to
+go over the limit is not added to the set, in the same way that the client's
+recorded rate is not updated in the same situation.
+
+When you combine the &%unique=%& and &%readonly%& options, the specific
+%&unique=%& value is ignored, and Exim just retrieves the client's stored
+rate.
+
+The &%unique=%& mechanism needs more space in the ratelimit database than the
+other &%ratelimit%& options in order to store the event set. The number of
+unique values is potentially as large as the rate limit, so the extra space
+required increases with larger limits.
+
+The uniqueification is not perfect: there is a small probability that Exim
+will think a new event has happened before. If the sender's rate is less than
+the limit, Exim should be more than 99.9% correct. However in &%strict%& mode
+the measured rate can go above the limit, in which case Exim may under-count
+events by a significant margin. Fortunately, if the rate is high enough (2.7
+times the limit) that the false positive rate goes above 9%, then Exim will
+throw away the over-full event set before the measured rate falls below the
+limit. Therefore the only harm should be that exceptionally high sending rates
+are logged incorrectly; any countermeasures you configure will be as effective
+as intended.
+


.section "Using rate limiting" "useratlim"
Exim's other ACL facilities are used to define what counter-measures are taken
@@ -27339,36 +27441,6 @@ this means that Exim will lose its hints data after a reboot (including retry
hints, the callout cache, and ratelimit data).


-.section "Reading ratelimit data without updating" "rearatdat"
-.cindex "rate limitint" "reading data without updating"
-If the &%noupdate%& option is present on a &%ratelimit%& ACL condition, Exim
-computes the rate and checks the limit as normal, but it does not update the
-saved data. This means that, in relevant ACLs, it is possible to lookup the
-existence of a specified (or auto-generated) ratelimit key without incrementing
-the ratelimit counter for that key. In order for this to be useful, another ACL
-entry must set the rate for the same key (otherwise it will always be zero).
-For example:
-.code
-acl_check_connect:
-  deny ratelimit = 100 / 5m / strict / per_cmd / noupdate
-       log_message = RATE: $sender_rate/$sender_rate_period \
-                     (max $sender_rate_limit)
-.endd
-.display
-&'... some other logic and tests...'&
-.endd
-.code
-acl_check_mail:
-  warn ratelimit = 100 / 5m / strict / per_cmd
-       condition = ${if le{$sender_rate}{$sender_rate_limit}}
-       logwrite  = RATE UPDATE: $sender_rate/$sender_rate_period \
-                     (max $sender_rate_limit)
-.endd
-In this example, the rate is tested and used to deny access (when it is too
-high) in the connect ACL, but the actual computation of the remembered rate
-happens later, on a per-command basis, in another ACL.
-
-


 .section "Address verification" "SECTaddressverification"
 .cindex "verifying address" "options for"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3af14c3..60ff604 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -32,6 +32,57 @@ TF/03 Make the exiwhat support code safe for signals. Previously Exim might
       Removing the spurious timestamps from the process log simplifies
       exiwhat.


+TF/04 Improved ratelimit ACL condition.
+
+      The /noupdate option has been deprecated in favour of /readonly which
+      has clearer semantics. The /leaky, /strict, and /readonly update modes
+      are mutually exclusive. The update mode is no longer included in the
+      database key; it just determines when the database is updated. (This
+      means that when you upgrde Exim will forget old rate measurements.)
+
+      Exim now checks that the per_* options are used with an update mode that
+      makes sense for the current ACL. For example, when Exim is processing a
+      message (e.g. acl_smtp_rcpt or acl_smtp_data, etc.) you can specify
+      per_mail/leaky or per_mail/strict; otherwise (e.g. in acl_smtp_helo) you
+      must specify per_mail/readonly. If you omit the update mode it defaults to
+      /leaky where that makes sense (as before) or /readonly where required.
+
+      The /noupdate option is now undocumented but still supported for
+      backwards compatibility. It is equivalent to /readonly except that in
+      ACLs where /readonly is required you may specify /leaky/noupdate or
+      /strict/noupdate which are treated the same as /readonly.
+
+      A useful new feature is the /count= option. This is a generalization
+      of the per_byte option, so that you can measure the throughput of other
+      aggregate values. For example, the per_byte option is now equivalent
+      to per_mail/count=${if >{0}{$message_size} {0} {$message_size} }.
+
+      The per_rcpt option has been generalized using the /count= mechanism
+      (though it's more complicated than the per_byte equivalence). When it is
+      used in acl_smtp_rcpt, the per_rcpt option adds recipients to the
+      measured rate one at a time; if it is used later (e.g. in acl_smtp_data)
+      or in a non-SMTP ACL it adds all the recipients in one go. (The latter
+      /count=$recipients_count behaviour used to work only in non-SMTP ACLs.)
+      Note that using per_rcpt with a non-readonly update mode in more than
+      one ACL will cause the recipients to be double-counted. (The per_mail
+      and per_byte options don't have this problem.)
+
+      The handling of very low rates has changed slightly. If the computed rate
+      is less than the event's count (usually one) then this event is the first
+      after a long gap. In this case the rate is set to the same as this event's
+      count, so that the first message of a spam run is counted properly.
+
+      The major new feature is a mechanism for counting the rate of unique
+      events. The new per_addr option counts the number of different
+      recipients that someone has sent messages to in the last time period. It
+      behaves like per_rcpt if all the recipient addresses are different, but
+      duplicate recipient addresses do not increase the measured rate. Like
+      the /count= option this is a general mechanism, so the per_addr option
+      is equivalent to per_rcpt/unique=$local_part@$domain. You can, for
+      example, measure the rate that a client uses different sender addresses
+      with the options per_mail/unique=$sender_address. There are further
+      details in the main documentation.
+


Exim version 4.76
-----------------
diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base
index 29a6ad3..474ab8a 100644
--- a/src/OS/Makefile-Base
+++ b/src/OS/Makefile-Base
@@ -361,10 +361,10 @@ exim_dumpdb: $(OBJ_DUMPDB)

OBJ_FIXDB = exim_fixdb.o util-os.o util-store.o

-exim_fixdb:  $(OBJ_FIXDB)
+exim_fixdb:  $(OBJ_FIXDB) auths/auths.a
     @echo "$(LNCC) -o exim_fixdb"
     $(FE)$(LNCC) $(CFLAGS) $(INCLUDE) -o exim_fixdb $(LFLAGS) $(OBJ_FIXDB) \
-      $(LIBS) $(EXTRALIBS) $(DBMLIB)
+      auths/auths.a $(LIBS) $(EXTRALIBS) $(DBMLIB)
     @if [ x"$(STRIP_COMMAND)" != x"" ]; then \
       echo $(STRIP_COMMAND) exim_fixdb; \
       $(STRIP_COMMAND) exim_fixdb; \
diff --git a/src/src/acl.c b/src/src/acl.c
index 4ad2b01..68b45d8 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -664,6 +664,25 @@ static uschar *csa_reason_string[] = {
   US"failed (client address mismatch)"
 };


+/* Options for the ratelimit condition. Note that there are two variants of
+the per_rcpt option, depending on the ACL that is used to measure the rate.
+However any ACL must be able to look up per_rcpt rates in /noupdate mode,
+so the two variants must have the same internal representation as well as
+the same configuration string. */
+
+enum {
+ RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
+ RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
+};
+
+#define RATE_SET(var,new) \
+ (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
+
+static uschar *ratelimit_option_string[] = {
+ US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
+ US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
+};
+
/* Enable recursion between acl_check_internal() and acl_check_condition() */

static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
@@ -2078,6 +2097,41 @@ return d->value;



+
+/*************************************************
+*        Return a ratelimit error                *
+*************************************************/
+
+/* Called from acl_ratelimit() below
+
+Arguments:
+  log_msgptr  for error messages
+  format      format string
+  ...         supplementary arguments
+  ss          ratelimit option name
+  where       ACL_WHERE_xxxx indicating which ACL this is
+
+Returns:      ERROR
+*/
+
+static int
+ratelimit_error(uschar **log_msgptr, const char *format, ...)
+{
+va_list ap;
+uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
+va_start(ap, format);
+if (!string_vformat(buffer, sizeof(buffer), format, ap))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "string_sprintf expansion was longer than %d", sizeof(buffer));
+va_end(ap);
+*log_msgptr = string_sprintf(
+  "error in arguments to \"ratelimit\" condition: %s", buffer);
+return ERROR;
+}
+
+
+
+
 /*************************************************
 *            Handle rate limiting                *
 *************************************************/
@@ -2104,23 +2158,27 @@ Returns:       OK        - Sender's rate is above limit
 static int
 acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
 {
-double limit, period;
+double limit, period, count;
 uschar *ss;
 uschar *key = NULL;
+uschar *unique = NULL;
 int sep = '/';
-BOOL leaky = FALSE, strict = FALSE, noupdate = FALSE;
-BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
+BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
+BOOL noupdate = FALSE, badacl = FALSE;
+int mode = RATE_PER_WHAT;
 int old_pool, rc;
 tree_node **anchor, *t;
 open_db dbblock, *dbm;
+int dbdb_size;
 dbdata_ratelimit *dbd;
+dbdata_ratelimit_unique *dbdb;
 struct timeval tv;


/* Parse the first two options and record their values in expansion
variables. These variables allow the configuration to have informative
error messages based on rate limits obtained from a table lookup. */

-/* First is the maximum number of messages per period and maximum burst
+/* First is the maximum number of messages per period / maximum burst
size, which must be greater than or equal to zero. Zero is useful for
rate measurement as opposed to rate limiting. */

@@ -2134,15 +2192,11 @@ else
   else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
   else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
   }
-if (limit < 0.0 || *ss != 0)
-  {
-  *log_msgptr = string_sprintf("syntax error in argument for "
-    "\"ratelimit\" condition: \"%s\" is not a positive number",
-    sender_rate_limit);
-  return ERROR;
-  }
+if (limit < 0.0 || *ss != '\0')
+  return ratelimit_error(log_msgptr,
+    "\"%s\" is not a positive number", sender_rate_limit);


-/* Second is the rate measurement period and exponential smoothing time
+/* Second is the rate measurement period / exponential smoothing time
constant. This must be strictly greater than zero, because zero leads to
run-time division errors. */

@@ -2150,15 +2204,15 @@ sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
 if (sender_rate_period == NULL) period = -1.0;
 else period = readconf_readtime(sender_rate_period, 0, FALSE);
 if (period <= 0.0)
-  {
-  *log_msgptr = string_sprintf("syntax error in argument for "
-    "\"ratelimit\" condition: \"%s\" is not a time value",
-    sender_rate_period);
-  return ERROR;
-  }
+  return ratelimit_error(log_msgptr,
+    "\"%s\" is not a time value", sender_rate_period);
+
+/* By default we are counting one of something, but the per_rcpt,
+per_byte, and count options can change this. */
+
+count = 1.0;


-/* Parse the other options. Should we check if the per_* options are being
-used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
+/* Parse the other options. */

 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
        != NULL)
@@ -2166,24 +2220,84 @@ while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
   if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
   else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
   else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
-  else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
-  else if (strcmpic(ss, US"per_cmd") == 0)  per_cmd = TRUE;
-  else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
-  else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
-  else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
-  else key = string_sprintf("%s", ss);
-  }
-
-if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
-  {
-  *log_msgptr = US"conflicting options for \"ratelimit\" condition";
-  return ERROR;
+  else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
+  else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
+  else if (strcmpic(ss, US"per_conn") == 0)
+    {
+    RATE_SET(mode, PER_CONN);
+    if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
+      badacl = TRUE;
+    }
+  else if (strcmpic(ss, US"per_mail") == 0)
+    {
+    RATE_SET(mode, PER_MAIL);
+    if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
+    }
+  else if (strcmpic(ss, US"per_rcpt") == 0)
+    {
+    /* If we are running in the RCPT ACL, then we'll count the recipients
+    one by one, but if we are running when we have accumulated the whole
+    list then we'll add them all in one batch. */
+    if (where == ACL_WHERE_RCPT)
+      RATE_SET(mode, PER_RCPT);
+    else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
+      RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
+    else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
+      RATE_SET(mode, PER_RCPT), badacl = TRUE;
+    }
+  else if (strcmpic(ss, US"per_byte") == 0)
+    {
+    /* If we have not yet received the message data and there was no SIZE
+    declaration on the MAIL comand, then it's safe to just use a value of
+    zero and let the recorded rate decay as if nothing happened. */
+    RATE_SET(mode, PER_MAIL);
+    if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
+      else count = message_size < 0 ? 0.0 : (double)message_size;
+    }
+  else if (strcmpic(ss, US"per_addr") == 0)
+    {
+    RATE_SET(mode, PER_RCPT);
+    if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = "*";
+      else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
+    }
+  else if (strncmpic(ss, US"count=", 6) == 0)
+    {
+    uschar *e;
+    count = Ustrtod(ss+6, &e);
+    if (count < 0.0 || *e != '\0')
+      return ratelimit_error(log_msgptr,
+    "\"%s\" is not a positive number", ss);
+    }
+  else if (strncmpic(ss, US"unique=", 7) == 0)
+    unique = string_copy(ss + 7);
+  else if (key == NULL)
+    key = string_copy(ss);
+  else
+    key = string_sprintf("%s/%s", key, ss);
   }


-/* Default option values */
-
-if (!strict) leaky = TRUE;
-if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
+/* Sanity check. When the badacl flag is set the update mode must either
+be readonly (which is the default if it is omitted) or, for backwards
+compatibility, a combination of noupdate and strict or leaky. */
+
+if (mode == RATE_PER_CLASH)
+  return ratelimit_error(log_msgptr, "conflicting per_* options");
+if (leaky + strict + readonly > 1)
+  return ratelimit_error(log_msgptr, "conflicting update modes");
+if (badacl && (leaky || strict) && !noupdate)
+  return ratelimit_error(log_msgptr,
+    "\"%s\" must not have /leaky or /strict option in %s ACL",
+    ratelimit_option_string[mode], acl_wherenames[where]);
+
+/* Set the default values of any unset options. In readonly mode we
+perform the rate computation without any increment so that its value
+decays to eventually allow over-limit senders through. */
+
+if (noupdate) readonly = TRUE, leaky = strict = FALSE;
+if (badacl) readonly = TRUE;
+if (readonly) count = 0.0;
+if (!strict && !readonly) leaky = TRUE;
+if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;


/* Create the lookup key. If there is no explicit key, use sender_host_address.
If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
@@ -2193,35 +2307,48 @@ are added to the key because they alter the meaning of the stored data. */
if (key == NULL)
key = (sender_host_address == NULL)? US"" : sender_host_address;

-key = string_sprintf("%s/%s/%s/%s",
+key = string_sprintf("%s/%s/%s%s",
sender_rate_period,
- per_byte? US"per_byte" :
- per_cmd? US"per_cmd" :
- per_mail? US"per_mail" : US"per_conn",
- strict? US"strict" : US"leaky",
+ ratelimit_option_string[mode],
+ unique == NULL ? "" : "unique/",
key);

-HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
- limit, period, key);
+HDEBUG(D_acl)
+ debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);

/* See if we have already computed the rate by looking in the relevant tree.
For per-connection rate limiting, store tree nodes and dbdata in the permanent
-pool so that they survive across resets. */
+pool so that they survive across resets. In readonly mode we only remember the
+result for the rest of this command in case a later command changes it. After
+this bit of logic the code is independent of the per_* mode. */

-anchor = NULL;
old_pool = store_pool;

-if (per_conn)
-  {
+if (readonly)
+  anchor = &ratelimiters_cmd;
+else switch(mode) {
+case RATE_PER_CONN:
   anchor = &ratelimiters_conn;
   store_pool = POOL_PERM;
-  }
-else if (per_mail || per_byte)
+  break;
+case RATE_PER_BYTE:
+case RATE_PER_MAIL:
+case RATE_PER_ALLRCPTS:
   anchor = &ratelimiters_mail;
-else if (per_cmd)
+  break;
+case RATE_PER_ADDR:
+case RATE_PER_CMD:
+case RATE_PER_RCPT:
   anchor = &ratelimiters_cmd;
+  break;
+default:
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+    "internal ACL error: unknown ratelimit mode %d", mode);
+  break;
+}


-if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
+t = tree_search(*anchor, key);
+if (t != NULL)
{
dbd = t->data.ptr;
/* The following few lines duplicate some of the code below. */
@@ -2233,9 +2360,8 @@ if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
return rc;
}

-/* We aren't using a pre-computed rate, so get a previously recorded
-rate from the database, update it, and write it back when required. If there's
-no previous rate for this key, create one. */
+/* We aren't using a pre-computed rate, so get a previously recorded rate
+from the database, which will be updated and written back if required. */

dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
if (dbm == NULL)
@@ -2246,17 +2372,172 @@ if (dbm == NULL)
*log_msgptr = US"ratelimit database not available";
return DEFER;
}
-dbd = dbfn_read(dbm, key);
+dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
+dbd = NULL;

gettimeofday(&tv, NULL);

+if (dbdb != NULL)
+  {
+  /* Locate the basic ratelimit block inside the DB data. */
+  HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
+  dbd = &dbdb->dbd;
+
+  /* Forget the old Bloom filter if it is too old, so that we count each
+  repeating event once per period. We don't simply clear and re-use the old
+  filter because we want its size to change if the limit changes. Note that
+  we keep the dbd pointer for copying the rate into the new data block. */
+
+  if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
+    {
+    HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
+    dbdb = NULL;
+    }
+
+  /* Sanity check. */
+
+  if(unique != NULL && dbdb_size < sizeof(*dbdb))
+    {
+    HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
+    dbdb = NULL;
+    }
+  }
+
+/* Allocate a new data block if the database lookup failed
+or the Bloom filter passed its age limit. */
+
+if (dbdb == NULL)
+  {
+  if (unique == NULL)
+    {
+    /* No Bloom filter. This basic ratelimit block is initialized below. */
+    HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
+    dbdb_size = sizeof(*dbd);
+    dbdb = store_get(dbdb_size);
+    }
+  else
+    {
+    int extra;
+    HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
+
+    /* See the long comment below for an explanation of the magic number 2.
+    The filter has a minimum size in case the rate limit is very small;
+    this is determined by the definition of dbdata_ratelimit_unique. */
+
+    extra = (int)limit * 2 - sizeof(dbdb->bloom);
+    if (extra < 0) extra = 0;
+    dbdb_size = sizeof(*dbdb) + extra;
+    dbdb = store_get(dbdb_size);
+    dbdb->bloom_epoch = tv.tv_sec;
+    dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
+    memset(dbdb->bloom, 0, dbdb->bloom_size);
+
+    /* Preserve any basic ratelimit data (which is our longer-term memory)
+    by copying it from the discarded block. */
+
+    if (dbd != NULL)
+      {
+      dbdb->dbd = *dbd;
+      dbd = &dbdb->dbd;
+      }
+    }
+  }
+
+/* If we are counting unique events, find out if this event is new or not.
+If the client repeats the event during the current period then it should be
+counted. We skip this code in readonly mode for efficiency, because any
+changes to the filter will be discarded and because count is already set to
+zero. */
+
+if (unique != NULL && !readonly)
+  {
+  /* We identify unique events using a Bloom filter. (You can find my
+  notes on Bloom filters at http://fanf.livejournal.com/81696.html)
+  With the per_addr option, an "event" is a recipient address, though the
+  user can use the unique option to define their own events. We only count
+  an event if we have not seen it before.
+
+  We size the filter according to the rate limit, which (in leaky mode)
+  is the limit on the population of the filter. We allow 16 bits of space
+  per entry (see the construction code above) and we set (up to) 8 of them
+  when inserting an element (see the loop below). The probability of a false
+  positive (an event we have not seen before but which we fail to count) is
+
+    size    = limit * 16
+    numhash = 8
+    allzero = exp(-numhash * pop / size)
+            = exp(-0.5 * pop / limit)
+    fpr     = pow(1 - allzero, numhash)
+
+  For senders at the limit the fpr is      0.06%    or  1 in 1700
+  and for senders at half the limit it is  0.0006%  or  1 in 170000
+
+  In strict mode the Bloom filter can fill up beyond the normal limit, in
+  which case the false positive rate will rise. This means that the
+  measured rate for very fast senders can bogusly drop off after a while.
+
+  At twice the limit, the fpr is  2.5%  or  1 in 40
+  At four times the limit, it is  31%   or  1 in 3.2
+
+  It takes ln(pop/limit) periods for an over-limit burst of pop events to
+  decay below the limit, and if this is more than one then the Bloom filter
+  will be discarded before the decay gets that far. The false positive rate
+  at this threshold is 9.3% or 1 in 10.7. */
+
+  BOOL seen;
+  unsigned n, hash, hinc;
+  uschar md5sum[16];
+  md5 md5info;
+
+  /* Instead of using eight independent hash values, we combine two values
+  using the formula h1 + n * h2. This does not harm the Bloom filter's
+  performance, and means the amount of hash we need is independent of the
+  number of bits we set in the filter. */
+
+  md5_start(&md5info);
+  md5_end(&md5info, unique, Ustrlen(unique), md5sum);
+  hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
+  hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
+
+  /* Scan the bits corresponding to this event. A zero bit means we have
+  not seen it before. Ensure all bits are set to record this event. */
+
+  HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
+
+  seen = TRUE;
+  for (n = 0; n < 8; n++, hash += hinc)
+    {
+    int bit = 1 << (hash % 8);
+    int byte = (hash / 8) % dbdb->bloom_size;
+    if ((dbdb->bloom[byte] & bit) == 0)
+      {
+      dbdb->bloom[byte] |= bit;
+      seen = FALSE;
+      }
+    }
+
+  /* If this event has occurred before, do not count it. */
+
+  if (seen)
+    {
+    HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
+    count = 0.0;
+    }
+  else
+    HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
+  }
+
+/* If there was no previous ratelimit data block for this key, initialize
+the new one, otherwise update the block from the database. The initial rate
+is what would be computed by the code below for an infinite interval. */
+
 if (dbd == NULL)
   {
-  HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
-  dbd = store_get(sizeof(dbdata_ratelimit));
+  HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
+  dbd = &dbdb->dbd;
   dbd->time_stamp = tv.tv_sec;
   dbd->time_usec = tv.tv_usec;
-  dbd->rate = 0.0;
+  dbd->rate = count;
   }
 else
   {
@@ -2317,59 +2598,58 @@ else
   double i_over_p = interval / period;
   double a = exp(-i_over_p);


+  /* Combine the instantaneous rate (period / interval) with the previous rate
+  using the smoothing factor a. In order to measure sized events, multiply the
+  instantaneous rate by the count of bytes or recipients etc. */
+
   dbd->time_stamp = tv.tv_sec;
   dbd->time_usec = tv.tv_usec;
-
-  /* If we are measuring the rate in bytes per period, multiply the
-  measured rate by the message size. If we don't know the message size
-  then it's safe to just use a value of zero and let the recorded rate
-  decay as if nothing happened. */
-
-  if (per_byte)
-    dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
-              * (1 - a) / i_over_p + a * dbd->rate;
-  else if (per_cmd && where == ACL_WHERE_NOTSMTP)
-    dbd->rate = (double)recipients_count
-              * (1 - a) / i_over_p + a * dbd->rate;
-  else
-    dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
+  dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
+
+  /* When events are very widely spaced the computed rate tends towards zero.
+  Although this is accurate it turns out not to be useful for our purposes,
+  especially when the first event after a long silence is the start of a spam
+  run. A more useful model is that the rate for an isolated event should be the
+  size of the event per the period size, ignoring the lack of events outside
+  the current period and regardless of where the event falls in the period. So,
+  if the interval was so long that the calculated rate is unhelpfully small, we
+  re-intialize the rate. In the absence of higher-rate bursts, the condition
+  below is true if the interval is greater than the period. */
+
+  if (dbd->rate < count) dbd->rate = count;
   }


-/* Clients sending at the limit are considered to be over the limit. This
-matters for edge cases such the first message sent by a client (which gets
-the initial rate of 0.0) when the rate limit is zero (i.e. the client should
-be completely blocked). */
+/* Clients sending at the limit are considered to be over the limit.
+This matters for edge cases such as a limit of zero, when the client
+should be completely blocked. */

rc = (dbd->rate < limit)? FAIL : OK;

/* Update the state if the rate is low or if we are being strict. If we
are in leaky mode and the sender's rate is too high, we do not update
the recorded rate in order to avoid an over-aggressive sender's retry
-rate preventing them from getting any email through. If noupdate is set,
-do not do any updates. */
+rate preventing them from getting any email through. If readonly is set,
+neither leaky nor strict are set, so we do not do any updates. */

-if ((rc == FAIL || !leaky) && !noupdate)
+if ((rc == FAIL && leaky) || strict)
   {
-  dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
+  dbfn_write(dbm, key, dbdb, dbdb_size);
   HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
   }
 else
   {
   HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
-    noupdate? "noupdate set" : "over the limit, but leaky");
+    readonly? "readonly mode" : "over the limit, but leaky");
   }


dbfn_close(dbm);

-/* Store the result in the tree for future reference, if necessary. */
+/* Store the result in the tree for future reference. */

-if (anchor != NULL && !noupdate)
- {
- t = store_get(sizeof(tree_node) + Ustrlen(key));
- t->data.ptr = dbd;
- Ustrcpy(t->name, key);
- (void)tree_insertnode(anchor, t);
- }
+t = store_get(sizeof(tree_node) + Ustrlen(key));
+t->data.ptr = dbd;
+Ustrcpy(t->name, key);
+(void)tree_insertnode(anchor, t);

 /* We create the formatted version of the sender's rate very late in
 order to ensure that it is done using the correct storage pool. */
diff --git a/src/src/dbstuff.h b/src/src/dbstuff.h
index 94c9b97..819e466 100644
--- a/src/src/dbstuff.h
+++ b/src/src/dbstuff.h
@@ -654,5 +654,14 @@ typedef struct {
   double rate;            /* Smoothed sending rate at that time */
 } dbdata_ratelimit;


+/* Same as above, plus a Bloom filter for uniquifying events. */
+
+typedef struct {
+  dbdata_ratelimit dbd;
+  time_t   bloom_epoch;   /* When the Bloom filter was last reset */
+  unsigned bloom_size;    /* Number of bytes in the Bloom filter */
+  uschar   bloom[40];     /* Bloom filter which may be larger than this */
+} dbdata_ratelimit_unique;
+


/* End of dbstuff.h */
diff --git a/src/src/exim_dbutil.c b/src/src/exim_dbutil.c
index 1e94f33..cf66717 100644
--- a/src/src/exim_dbutil.c
+++ b/src/src/exim_dbutil.c
@@ -27,38 +27,7 @@ There are a number of common subroutines, followed by three main programs,
whose inclusion is controlled by -D on the compilation command. */


-/* Standard C headers and Unix headers */
-
-#include <ctype.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <sys/stat.h>
-
-
-/* These are two values from macros.h which should perhaps be accessible in
-some better way than just repeating them here. */
-
-#define WAIT_NAME_MAX            50
-#define MESSAGE_ID_LENGTH        16
-
-
-/* This selection of Exim headers contains exactly what we need, and hopefully
-not too much extra baggage. */
-
-#include "config.h"              /* Needed to get the DB type */
-#include "mytypes.h"
-#include "macros.h"
-#include "dbstuff.h"
-#include "osfunctions.h"
-#include "store.h"
+#include "exim.h"



/* Identifiers for the different database types. */
@@ -70,6 +39,10 @@ not too much extra baggage. */
#define type_ratelimit 5


+/* This is used by our cut-down dbfn_open(). */
+
+uschar *spool_directory;
+


 /*************************************************
@@ -101,7 +74,7 @@ printf("Berkeley DB error: %s\n", msg);
 *              SIGALRM handler                   *
 *************************************************/


-static int sigalrm_seen;
+SIGNAL_BOOL sigalrm_seen;

 void
 sigalrm_handler(int sig)
@@ -169,7 +142,7 @@ Returns:    nothing
 */


void
-log_write(unsigned int selector, int flags, char *format, ...)
+log_write(unsigned int selector, int flags, const char *format, ...)
{
va_list ap;
va_start(ap, format);
@@ -266,18 +239,18 @@ uses. We assume the database exists, and therefore give up if we cannot open
the lock file.

 Arguments:
-  spool    The spool directory
   name     The single-component name of one of Exim's database files.
   flags    O_RDONLY or O_RDWR
   dbblock  Points to an open_db block to be filled in.
+  lof      Unused.


 Returns:   NULL if the open failed, or the locking failed.
            On success, dbblock is returned. This contains the dbm pointer and
            the fd of the locked lock file.
 */


-static open_db *
-dbfn_open(uschar *spool, uschar *name, int flags, open_db *dbblock)
+open_db *
+dbfn_open(uschar *name, int flags, open_db *dbblock, BOOL lof)
{
int rc;
struct flock lock_data;
@@ -288,7 +261,7 @@ uschar buffer[256];
ensures that Exim has exclusive use of the database before it even tries to
open it. If there is a database, there should be a lock file in existence. */

-sprintf(CS buffer, "%s/db/%s.lockfile", spool, name);
+sprintf(CS buffer, "%s/db/%s.lockfile", spool_directory, name);

dbblock->lockfd = Uopen(buffer, flags, 0);
if (dbblock->lockfd < 0)
@@ -323,7 +296,7 @@ if (rc < 0)
/* At this point we have an opened and locked separate lock file, that is,
exclusive access to the database, so we can go ahead and open it. */

-sprintf(CS buffer, "%s/db/%s", spool, name);
+sprintf(CS buffer, "%s/db/%s", spool_directory, name);
EXIM_DBOPEN(buffer, flags, 0, &(dbblock->dbptr));

if (dbblock->dbptr == NULL)
@@ -357,7 +330,7 @@ Argument: a pointer to an open database block
Returns: nothing
*/

-static void
+void
 dbfn_close(open_db *dbblock)
 {
 EXIM_DBCLOSE(dbblock->dbptr);
@@ -384,7 +357,7 @@ Returns: a pointer to the retrieved record, or
          NULL if the record is not found
 */


-static void *
+void *
 dbfn_read_with_length(open_db *dbblock, uschar *key, int *length)
 {
 void *yield;
@@ -424,7 +397,7 @@ Returns:    the yield of the underlying dbm or db "write" function. If this
             is dbm, the value is zero for OK.
 */


-static int
+int
dbfn_write(open_db *dbblock, uschar *key, void *ptr, int length)
{
EXIM_DATUM key_datum, value_datum;
@@ -454,7 +427,7 @@ Arguments:
Returns: the yield of the underlying dbm or db "delete" function.
*/

-static int
+int
 dbfn_delete(open_db *dbblock, uschar *key)
 {
 EXIM_DATUM key_datum;
@@ -485,7 +458,7 @@ Returns:   the next record from the file, or
            NULL if there are no more
 */


-static uschar *
+uschar *
dbfn_scan(open_db *dbblock, BOOL start, EXIM_CURSOR **cursor)
{
EXIM_DATUM key_datum, value_datum;
@@ -531,7 +504,8 @@ uschar keybuffer[1024];
/* Check the arguments, and open the database */

dbdata_type = check_args(argc, argv, US"dumpdb", US"");
-dbm = dbfn_open(argv[1], argv[2], O_RDONLY, &dbblock);
+spool_directory = argv[1];
+dbm = dbfn_open(argv[2], O_RDONLY, &dbblock, FALSE);
if (dbm == NULL) exit(1);

 /* Scan the file, formatting the information for each entry. Note
@@ -545,6 +519,7 @@ while (key != NULL)
   dbdata_wait *wait;
   dbdata_callout_cache *callout;
   dbdata_ratelimit *ratelimit;
+  dbdata_ratelimit_unique *rate_unique;
   int count_bad = 0;
   int i, length;
   uschar *t;
@@ -673,12 +648,24 @@ while (key != NULL)
       break;


       case type_ratelimit:
-      ratelimit = (dbdata_ratelimit *)value;
-
-      printf("%s.%06d rate: %10.3f key: %s\n",
-        print_time(ratelimit->time_stamp), ratelimit->time_usec,
-        ratelimit->rate, keybuffer);
-
+      if (Ustrstr(key, "/unique/") != NULL && length >= sizeof(*rate_unique))
+        {
+        ratelimit = (dbdata_ratelimit *)value;
+        rate_unique = (dbdata_ratelimit_unique *)value;
+        printf("%s.%06d rate: %10.3f epoch: %s size: %u key: %s\n",
+          print_time(ratelimit->time_stamp),
+          ratelimit->time_usec, ratelimit->rate,
+          print_time(rate_unique->bloom_epoch), rate_unique->bloom_size,
+          keybuffer);
+        }
+      else
+        {
+        ratelimit = (dbdata_ratelimit *)value;
+        printf("%s.%06d rate: %10.3f key: %s\n",
+          print_time(ratelimit->time_stamp),
+          ratelimit->time_usec, ratelimit->rate,
+          keybuffer);
+        }
       break;
       }
     store_reset(value);
@@ -752,6 +739,7 @@ for(;;)
   dbdata_wait *wait;
   dbdata_callout_cache *callout;
   dbdata_ratelimit *ratelimit;
+  dbdata_ratelimit_unique *rate_unique;
   int i, oldlength;
   uschar *t;
   uschar field[256], value[256];
@@ -788,7 +776,8 @@ for(;;)
   if (field[0] != 0)
     {
     int verify = 1;
-    dbm = dbfn_open(argv[1], argv[2], O_RDWR, &dbblock);
+    spool_directory = argv[1];
+    dbm = dbfn_open(argv[2], O_RDWR, &dbblock, FALSE);
     if (dbm == NULL) continue;


     if (Ustrcmp(field, "d") == 0)
@@ -895,7 +884,6 @@ for(;;)


             case type_ratelimit:
             ratelimit = (dbdata_ratelimit *)record;
-            length = sizeof(dbdata_ratelimit);
             switch(fieldno)
               {
               case 0:
@@ -911,6 +899,51 @@ for(;;)
               ratelimit->rate = Ustrtod(value, NULL);
               break;


+              case 3:
+              if (Ustrstr(name, "/unique/") != NULL
+                && oldlength >= sizeof(dbdata_ratelimit_unique))
+                {
+                rate_unique = (dbdata_ratelimit_unique *)record;
+                if ((tt = read_time(value)) > 0) rate_unique->bloom_epoch = tt;
+                  else printf("bad time value\n");
+                break;
+                }
+              /* else fall through */
+
+              case 4:
+              case 5:
+              if (Ustrstr(name, "/unique/") != NULL
+                && oldlength >= sizeof(dbdata_ratelimit_unique))
+                {
+                /* see acl.c */
+                BOOL seen;
+                unsigned n, hash, hinc;
+                uschar md5sum[16];
+                md5 md5info;
+                md5_start(&md5info);
+                md5_end(&md5info, value, Ustrlen(value), md5sum);
+                hash = md5sum[0] <<  0 | md5sum[1] <<  8
+                     | md5sum[2] << 16 | md5sum[3] << 24;
+                hinc = md5sum[4] <<  0 | md5sum[5] <<  8
+                     | md5sum[6] << 16 | md5sum[7] << 24;
+                rate_unique = (dbdata_ratelimit_unique *)record;
+                seen = TRUE;
+                for (n = 0; n < 8; n++, hash += hinc)
+                  {
+                  int bit = 1 << (hash % 8);
+                  int byte = (hash / 8) % rate_unique->bloom_size;
+                  if ((rate_unique->bloom[byte] & bit) == 0)
+                    {
+                    seen = FALSE;
+                    if (fieldno == 5) rate_unique->bloom[byte] |= bit;
+                    }
+                  }
+                printf("%s %s\n",
+                  seen ? "seen" : fieldno == 5 ? "added" : "unseen", value);
+                break;
+                }
+              /* else fall through */
+
               default:
               printf("unknown field number\n");
               verify = 0;
@@ -919,7 +952,7 @@ for(;;)
             break;
             }


-          dbfn_write(dbm, name, record, length);
+          dbfn_write(dbm, name, record, oldlength);
           }
         }
       }
@@ -940,7 +973,8 @@ for(;;)


/* Handle a read request, or verify after an update. */

- dbm = dbfn_open(argv[1], argv[2], O_RDONLY, &dbblock);
+ spool_directory = argv[1];
+ dbm = dbfn_open(argv[2], O_RDONLY, &dbblock, FALSE);
if (dbm == NULL) continue;

   record = dbfn_read_with_length(dbm, name, &oldlength);
@@ -1020,6 +1054,14 @@ for(;;)
       printf("0 time stamp:  %s\n", print_time(ratelimit->time_stamp));
       printf("1 fract. time: .%06d\n", ratelimit->time_usec);
       printf("2 sender rate: % .3f\n", ratelimit->rate);
+      if (Ustrstr(name, "/unique/") != NULL
+       && oldlength >= sizeof(dbdata_ratelimit_unique))
+       {
+       rate_unique = (dbdata_ratelimit_unique *)record;
+       printf("3 filter epoch: %s\n", print_time(rate_unique->bloom_epoch));
+       printf("4 test filter membership\n");
+       printf("5 add element to filter\n");
+       }
       break;
       }
     }
@@ -1118,7 +1160,8 @@ database */
 oldest = time(NULL) - maxkeep;
 printf("Tidying Exim hints database %s/db/%s\n", argv[1], argv[2]);


-dbm = dbfn_open(argv[1], argv[2], O_RDWR, &dbblock);
+spool_directory = argv[1];
+dbm = dbfn_open(argv[2], O_RDWR, &dbblock, FALSE);
if (dbm == NULL) exit(1);

/* Prepare for building file names */