Rate limit incoming mail on Postfix

Today I ran into a problem with one of our ISPConfig 3 installations.

It hosts a domain which seems to be very attractive for spammers, so what happened .. my mail server got hammered by a spam bot net (
not yet blocked by spamhaus as of typing this post).

In ISPConfig 3 Postfix talks with your MySQL server, to check for filters/rules/etc for each mail it receives, this resulted in more problems:
– MySQL reaching it’s max connections of (in my case) 250
– The ISPConfig web interface logging me in/out automatically (because it couldn’t connect to MySQL)
– The hosted websites giving errors because of the same reason.

You can’t completely block these, since the amount of IP different addresses is insane, so let postfix keep track of it and handle the situation!

We’ll be using the following variables in our main.cf to do that:

  • smtpd_soft_error_limit – The number of errors a client is allowed to make without actually delivering mail to the server before postfix starts to slow down it’s responses to the client. (default: 10)
  • smtpd_hard_error_limit – The maximum number of errors a client is allowed to make before postfix starts to disconnect them right away . (default: ${stress?1}${stress:20})
  • smtpd_error_sleep_time – The amount of delay postfix will set on it’s responses to the client when they reach more then $smtpd_soft_error_limit and less then $smtpd_hard_error_limit
  • smtpd_client_connection_count_limit – The default is 50, pointless in my opionion, I don’t want the same client to have 50 concurrent connections for sending mail to me, so I lowered this to 10, more then enough imho. (default: 50)
  • smtpd_client_connection_rate_limit – This tells postfix to allow N connections per $anvil_rate_time_unit (default: 60s). I lowered this value to 60. (default: 0)

I’ve added the following lines to my main.cf file:

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 60

Restart postfix.

After a minute or so I noticed a drop in incoming spam, which resulted in less MySQL connection usage, which is what I wanted.

Leave a Reply

Your email address will not be published.