I have a set of ACLs in place to ban connections from IPs after a
number of retries. The first one checks if connections from an IP
address have already been rejected 5 times or more in 24 hours and drops
them, while the second one just adds to the count (up to 10 max) every
time we reject a connection:
acl_check_connect:
  drop message = Temporary ban - too many retries
       ratelimit = 5 / 24h / per_conn / readonly

  drop message = PTR record check failed
       ! condition = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}{no}}
       ! ratelimit = 10 / 24h / per_conn / leaky
However, the above doesn't seem to work - the second ACL matches 10
times, and after that Exim just accepts the connection - the first ACL
never kicks in:
</snip>
2019-07-29 06:39:12 H=[185.208.211.29] rejected connection in "connect" ACL: "Reject: PTR record check failed (185.208.211.29)"
2019-07-29 06:39:12 no host name found for IP address 185.208.211.29
2019-07-29 06:39:27 H=[185.208.211.29] rejected connection in "connect" ACL: "Reject: PTR record check failed (185.208.211.29)"
2019-07-29 06:39:27 no host name found for IP address 185.208.211.29
2019-07-29 06:39:33 1hryNd-0003te-FT <= tRangel@??? H=(WIN-JOFTN72POB6) [185.208.211.29] P=esmtp S=1309
2019-07-29 06:39:34 1hryNd-0003te-FT => spam_victim@??? R=send_direct T=remote_smtp H=gmail-smtp-in.l.google.com [64.233.184.26] X=TLSv1.2:ECD>
2019-07-29 06:39:34 1hryNd-0003te-FT Completed
It is possible that I am misunderstanding how ratelimit works though.
Any help would be appreciated.
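To see what the rate arithmetic alone predicts for these two rules, here is an added simulation (my own code, not from the poster and not Exim's source) that models ratelimit as an exponentially weighted moving average with the leaky and readonly update modes, replaying connects from the IP in the log with no PTR record. Run with only the leaky rule, it matches exactly ten times and then accepts, as in the log; with both rules, the readonly rule reads the same stored rate and fires from the sixth attempt, so the arithmetic alone does not reproduce the posted behaviour. The update formula is an assumption modelled on Exim's, and the hints-database keying and Exim's once-per-connection caching of ratelimit results are not modelled.

```python
import math

# Added example, not Exim's code: a simplified model of the ratelimit ACL
# condition, assuming Exim's exponentially weighted moving-average update
# and its leaky/strict/readonly modes. Database keying and Exim's
# once-per-connection caching of ratelimit results are not modelled.
PERIOD = 24 * 3600  # the "24h" used by both rules


class RateLimitStore:
    def __init__(self):
        self.db = {}  # key -> (stored_rate, time_of_last_update)

    def measure(self, key, now):
        """Rate (events per PERIOD) the key would have after one more event."""
        if key not in self.db:
            return 1.0  # first event ever recorded for this key
        rate, last = self.db[key]
        i_over_p = max(now - last, 1e-6) / PERIOD
        a = math.exp(-i_over_p)
        # decayed previous rate plus the new event spread over the interval
        return (1 - a) / i_over_p + a * rate

    def ratelimit(self, key, limit, now, mode):
        """True when the measured rate exceeds limit ('ratelimit =' is true)."""
        rate = self.measure(key, now)
        if mode == "strict" or (mode == "leaky" and rate <= limit):
            self.db[key] = (rate, now)  # leaky never stores a rate above limit
        return rate > limit  # readonly computes the rate but never writes


def simulate_connect_acl(n_attempts, ban_rule=True, gap_seconds=15):
    """Replay connects without a PTR record from one IP through the two rules.
    Returns 'ban', 'ptr' or 'accept' per attempt."""
    store = RateLimitStore()
    key = "185.208.211.29"  # the IP from the posted log
    outcomes = []
    for n in range(n_attempts):
        now = n * gap_seconds
        # drop ... ratelimit = 5 / 24h / per_conn / readonly
        if ban_rule and store.ratelimit(key, 5, now, "readonly"):
            outcomes.append("ban")
            continue
        # drop ... !condition = <PTR lookup fails> / !ratelimit = 10 / leaky
        if not store.ratelimit(key, 10, now, "leaky"):
            outcomes.append("ptr")
            continue
        outcomes.append("accept")
    return outcomes
```

Call simulate_connect_acl(12, ban_rule=False) to see the leaky rule saturate at ten drops, and simulate_connect_acl(12) to see the readonly rule take over once the shared rate passes 5.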