Re: [ietf-smtp] [Emailcore] Proposed ESMTP keyword RCPTLIMIT

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 20 April 2021 20:59 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CB6C3A1A64 for <ietf-smtp@ietfa.amsl.com>; Tue, 20 Apr 2021 13:59:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5UFi0nwzD8EY for <ietf-smtp@ietfa.amsl.com>; Tue, 20 Apr 2021 13:59:22 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC7963A1A6C for <ietf-smtp@ietf.org>; Tue, 20 Apr 2021 13:59:22 -0700 (PDT)
Received: from [192.168.1.177] (unknown [192.168.1.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 6321DC01BA for <ietf-smtp@ietf.org>; Tue, 20 Apr 2021 16:59:19 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <01RY292U84V40085YQ@mauve.mrochek.com>
Date: Tue, 20 Apr 2021 16:59:19 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: ietf-smtp@ietf.org
Message-Id: <5D843F13-8F32-4495-8A8B-5A934AC2D938@dukhovni.org>
References: <cone.1615844513.220592.51342.1004@monster.email-scan.com> <20210315234648.563C0708B340@ary.qy> <CAO=DXp-+fJwsNegzu3zgwDLtCcSF104AUF=i+_GMgSYVBAKjWg@mail.gmail.com> <01RY24IJ225Q0085YQ@mauve.mrochek.com> <4fe09f20-66ee-b3c-94bb-be654b8354bc@taugh.com> <01RY292U84V40085YQ@mauve.mrochek.com>
To: ietf-smtp@ietf.org
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/reizbaaPtDhYQdIr05kdTjfVpb8>
Subject: Re: [ietf-smtp] [Emailcore] Proposed ESMTP keyword RCPTLIMIT
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 20:59:27 -0000

> On Apr 19, 2021, at 7:33 PM, Ned Freed <ned.freed@mrochek.com> wrote:
> 
> I assume the Exim and Postfix limits are per-host, which in most cases
> translates to per-IP.

The Postfix limits are per-service (essentially host:port), and if we're
just concerned about port 25, then yes, basically per host, but it is
possible on a multi-homed host to treat all the IPs as a single service,
or as separate services.  The distinction is not particularly visible
from outside, so the safe bet is that the limits host-wide.  Things are
perhaps complicated if the same host has multiple names...

The potential load limits that can be enabled are:

  * CONNECTION COUNT
  * CONNECTION RATE
  * MESSAGE RATE
  * RECIPIENT RATE
  * TLS SESSION NEGOTIATION RATE  (TLS resumptions are free)
  * SASL AUTH RATE

Relevant settings:

       anvil_rate_time_unit (60s)
              The time unit over which client connection rates and other rates
              are calculated.

       smtpd_client_connection_count_limit (50)
              How many simultaneous connections any client is allowed to make
              to this service.

       smtpd_client_connection_rate_limit (0)
              The maximal number of connection attempts any client is allowed
              to make to this service per time unit.

       smtpd_client_message_rate_limit (0)
              The maximal number of message delivery requests that any client
              is allowed to make to this service per time unit, regardless of
              whether or not Postfix actually accepts those messages.

       smtpd_client_recipient_rate_limit (0)
              The maximal number of recipient addresses that any client is
              allowed to send to this service per time unit, regardless of
              whether or not Postfix actually accepts those recipients.

       smtpd_client_new_tls_session_rate_limit (0)
              The maximal number of new (i.e., uncached) TLS sessions that a
              remote SMTP client is allowed to negotiate with this service per
              time unit.


       smtpd_client_auth_rate_limit (0)
              The maximal number of AUTH commands that any client is allowed
              to send to this service per time unit, regardless of whether or
              not Postfix actually accepts those commands.

-- 
	Viktor.