[Greylist-users] Greylisting status

Evan Harris eharris at puremagic.com
Fri Jul 11 16:54:42 PDT 2003


On Fri, 11 Jul 2003, David F. Skoll wrote:

> On Fri, 11 Jul 2003, Evan Harris wrote:
>
> > An easy solution is to limit the sendmail children to some reasonable number
> > for your normal mail load.  Add:
> >    define(`confMAX_DAEMON_CHILDREN', `40')dnl
>
> Be aware that this opens you up to DoS attacks.  Bad Person simply opens
> 40 SMTP connections to your server and leaves them idle; no-one else
> can connect.

While strictly true, I would argue that anyone intent on DoS'ing you will be
able to anyway.  Sendmail is normally configured to reject connections once
the machine load average goes over a certain point anyway.  All a DoS'er has
to do is connect enough times that you start hitting swap, and new
connections will be blocked anyway.

At least this way, only mail is affected; the rest of the machine doesn't
become sluggish.  DoS attacks can also be taken care of with other sendmail
config options tuning the amount of time allowed for commands, or by firewall
rulesets.

> > I've added a note about this problem to the INSTALL file, which will go out
> > with the next release (which I expect in a few days).  Having so many copies
> > of the milter running also consumes large amounts of memory, which is a
> > problem for some people with smaller amounts of memory/swap.  This is an
> > easy fix for that as well.
>
> MIMEDefang (http://www.mimedefang.org/) lets you tailor how many filters
> you have running independent of the number of Sendmail processes.

I'll check it out.  I've been considering either rewriting the whole
perl-milter in C, or writing my own C-shim to be able to get rid of
Sendmail::Milter's problems anyway.

Evan
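
The tuning discussed in this thread, as an added sendmail.mc fragment that is not part of the original messages or of the greylisting package. Every value is an illustrative assumption to be sized against your own mail load.

```m4
dnl Added example for sendmail.mc. All values are assumptions; tune to your load.
dnl
dnl Cap concurrent daemon children (the setting quoted in the thread). This
dnl bounds memory use, since each child can bring its own milter instance.
define(`confMAX_DAEMON_CHILDREN', `40')dnl
dnl
dnl Limit how many new connections are accepted per second, so a burst
dnl cannot fill every child slot at once.
define(`confCONNECTION_RATE_THROTTLE', `5')dnl
dnl
dnl Load-average limits: above QUEUE_LA mail is queued instead of delivered
dnl immediately, above REFUSE_LA new SMTP connections are refused.
define(`confQUEUE_LA', `8')dnl
define(`confREFUSE_LA', `12')dnl
dnl
dnl Server-side wait for the next SMTP command from a connected client.
dnl Lowering it frees a child slot held by an idle connection sooner.
define(`confTO_COMMAND', `5m')dnl
dnl
dnl Do not let IDENT lookups add delay while a child slot is occupied.
define(`confTO_IDENT', `0')dnl
```

Rebuild sendmail.cf from the .mc file and restart sendmail for the settings to take effect. Per-source connection limits are not covered by these options and belong in the firewall ruleset mentioned above.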


