HowTo: Rate Limiting in Postfix

When searching the net for “postfix rate limit” one will most likely come across articles like Rate Limiting with Postfix with lots of useful remarks about reasons to apply such restrictions.
It is also worth adding a link to the Postfix manual entry for smtpd_client_message_rate_limit.
The procedure to configure this feature in UCS is comparable, but we have to remember to apply the change to main.cf.local rather than main.cf, as we did for example in HowTo: adjust the time until warnings or errors for temporarily undeliverable messages are sent.

cat >> /etc/postfix/main.cf.local <<EOF
smtpd_client_message_rate_limit = 2
anvil_rate_time_unit = 60s
EOF

ucr commit /etc/postfix/main.cf 

service postfix restart

From my perspective the limit of 2 allowed messages within 60 seconds is a good approach for human senders.

It is worth having a look at /var/log/mail.log to see what happens once the limit applies:

Jan 27 13:21:40 ucs01 postfix/smtpd[27430]: connect from some.client.hostname.tld[1.2.3.4]
Jan 27 13:21:41 ucs01 postfix/smtpd[27430]: warning: Message delivery request rate limit exceeded: 3 from some.client.hostname.tld[1.2.3.4] for service submission

This log entry also shows that the limit is counted per client IP address. This means that it is only useful to apply a limit if we allow (hopefully authenticated) mail submissions from mail clients like Thunderbird. Locally installed webmail systems will not be limited in most scenarios. Remote webmail systems may run into the limit though, so using this restriction is rather counterproductive.
We also have to take into account that any IP from mynetworks (UCRV: mail/postfix/mynetworks) is not restricted. By the way, it is not really a good idea to place the whole local network into mynetworks, as it opens the doors much too wide.

Conclusion: using smtpd_client_message_rate_limit is a good start and better than no protection. If we need more fine-grained rules for the limits, we might consider a policy daemon like mtpolicyd, which requires a bit more effort.
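
To see which clients actually run into the limit, the warnings shown in the mail.log excerpt above can be summarised per client IP and service. The following shell function is an added example, not part of the original post; the sample log lines, host names and addresses in it are constructed.

```shell
#!/bin/sh
# Summarise Postfix message-rate-limit warnings per client IP and service.
# Output: "<hits> <highest rate seen> <ip> <service>", most hits first.
rate_limit_offenders() {
    awk '
    /warning: Message delivery request rate limit exceeded: / {
        # Keep the text after the marker:
        #   "<rate> from <host>[<ip>] for service <name>"
        rest = $0
        sub(/^.*rate limit exceeded: /, "", rest)
        n = split(rest, f, " ")
        if (n < 6 || f[2] != "from" || f[4] != "for") next
        # The limit is counted per client IP, so key on the bracketed address
        ip = f[3]
        sub(/^.*\[/, "", ip)
        sub(/\].*$/, "", ip)
        key = ip " " f[6]
        hits[key]++
        if (f[1] + 0 > peak[key]) peak[key] = f[1] + 0
    }
    END {
        for (k in hits) print hits[k], peak[k], k
    }' "$@" | sort -k1,1nr -k3,3
}

# Constructed sample input in the format of the log excerpt above
sample_log() {
    cat <<'EOF'
Jan 27 13:21:40 ucs01 postfix/smtpd[27430]: connect from client-a.example.test[192.0.2.10]
Jan 27 13:21:41 ucs01 postfix/smtpd[27430]: warning: Message delivery request rate limit exceeded: 3 from client-a.example.test[192.0.2.10] for service submission
Jan 27 13:21:45 ucs01 postfix/smtpd[27430]: warning: Message delivery request rate limit exceeded: 4 from client-a.example.test[192.0.2.10] for service submission
Jan 27 13:22:02 ucs01 postfix/smtpd[27511]: warning: Message delivery request rate limit exceeded: 3 from unknown[198.51.100.7] for service smtp
Jan 27 13:22:03 ucs01 postfix/smtpd[27511]: disconnect from unknown[198.51.100.7]
EOF
}

# Demo on the sample; on a real host: rate_limit_offenders /var/log/mail.log
sample_log | rate_limit_offenders
```

A client that appears here with many hits is either a legitimate bulk sender that needs a different submission path or an account worth checking for abuse.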
