1 (edited by Dominique 2014-03-31 22:35:16)

Topic: Why can domain admins change domain throttling settings?

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Centos 6
- Related log if you're reporting an issue:
====

I want to give a customer the possibility of creating their own email accounts on their domain so I made one of the users domain admin.  By default I limit every domain to send only 100 emails/day to prevent a hacked pc from sending thousands of emails in an hour (which I experienced in the past before iRedAdmin, almost the reason I chose to install the new server).

I now tried logging in as that domain admin user and he/she is able to change those throttling settings, which I think is not logic.  Throttling is something I want to enforce on my customers... if they can change it, the system is wide open again for crashing on spam.

I don't mind if they set per user throttling as they would have to stay within the total limit I set up anyway (I assume that's the way it works).

EDIT:  I just noticed that the domain throttling is per user and not per domain... where can I enforce limits per domain?

EDIT2:  I just checked ClueBringer and it seems like it's perfectly possible to have per domain throttling instead of per-every-user-in-a-domain throttling... is this configurations accessible from within iRedAdmin-Pro?

2

Re: Why can domain admins change domain throttling settings?

Which version of iRedAdmin-Pro are you running?

With iRedAdmin-Pro-MySQL-1.7.0 and later releases, global admin can control whether or not normal domain can view or update certain domain profiles and user profiles, including throttling.

3

Re: Why can domain admins change domain throttling settings?

I'm using 1.8.1 

Where can I change those settings?

Also, I studied policyd today and I figured that I could add some kind of default quota tracking Sender:@domain and using iRedAdmin-Pro to override this.   Any chance of this causing problems?  Of course I will be responsible for the implementation wink

4

Re: Why can domain admins change domain throttling settings?

I think I found it myself... under domain>advanced>disabled domain profiles

sorry for being lazy yikes

5

Re: Why can domain admins change domain throttling settings?

So what I'm planning on doing (with your approval):

- remove all sending quota I configured before in iRedAdmin-Pro
- use policyd control panel to add default quota to every domain tracking Sender:@domain
- add higher priority quota to selected domains if necessary (also in policyd control panel)
- prevent access to throttling for every domain admin

This way I won't be using iRedAdmin-Pro for the quota... I just wanted to check if there could be any conflict with the iRedAdmin-Pro functionality... I don't mind having to do it like that, as what you provided doesn't fit my needs.

Your opinion?

6

Re: Why can domain admins change domain throttling settings?

I suggest you manage Cluebringer with iRedAdmin-Pro. iRedAdmin-Pro may not understand your custom rules.
if you need some features which not available in iRedAdmin-Pro, please just let me know. if all customers can benefits from this feature, i'm willing to implement it.

7 (edited by Dominique 2014-04-03 15:47:30)

Re: Why can domain admins change domain throttling settings?

After thinking it through for a while I realized that your way of limiting per user instead of per domain does offer me the same level of protection I desire (against infected computers sending spam). 

The only hassle for me right now is having to set the limits per domain... so a way to do exactly what you did so far but with an option to set a global limit for the whole server (ie. x mails / x time / user for every user on the domain) would make this easier to maintain and keep things cleaner as only 1 rule would have to be made in cluebringer.   

Of course with what you did now this could be overridden for domains/users needing a slightly higher limit.

thank you in advance!

8

Re: Why can domain admins change domain throttling settings?

Dominique wrote:

with an option to set a global limit for the whole server (ie. x mails / x time / user for every user on the domain) would make this easier to maintain and keep things cleaner as only 1 rule would have to be made in cluebringer.

Check menu in the latest iRedAdmin-Pro: System -> Throttling.
if you're running iRedAdmin-Pro-MySQL, the latest version is 1.8.1.

9

Re: Why can domain admins change domain throttling settings?

You keep surprising me wink 

I saw that option before and the way it's explained now would make one think it's the limit of all emails sent by every user on the server, together.  I did notice that as you're not native English some things are quite open for interpretation... but it seems like this does what I need (checked database after creating a rule) so thank you!

Guess I'll be checking every option in the console again with an open mind and see what else it does exactly.

To correctly explain this it should be changed from

This is default throttling applied to all inbound and outbound emails.

to

This is default throttling applied to all individual accounts.

10

Re: Why can domain admins change domain throttling settings?

Dominique wrote:

I saw that option before and the way it's explained now would make one think it's the limit of all emails sent by every user on the server, together.  I did notice that as you're not native English some things are quite open for interpretation... but it seems like this does what I need (checked database after creating a rule) so thank you!

Sorry about the confusion. It's a bug of me, not good at English. sad

Dominique wrote:

This is default throttling applied to all individual accounts.

Yours is better, i will use it in next release.

11

Re: Why can domain admins change domain throttling settings?

Hi,

Forgive but now I am confused.
It applies to all accounts but to what? Inbound ? Outbound ? or all emails for all accounts ?

Maybe it was not so bad worded anyways, in my opinion, as all inbound and all outbound means what it means ...ie ALL email. all accounts could mean inbound OR outbound or both.

sorry to nitpick but as we are speaking about wording anyways...

anyways just my little thoughts.
smile

kind regards,

12

Re: Why can domain admins change domain throttling settings?

riverco wrote:

It applies to all accounts but to what? Inbound ? Outbound ? or all emails for all accounts ?

in the setting page, you can see options for Inbound and Outbound. Check screenshot below:

http://www.iredmail.org/images/iredadmin/system_throttling.png

13

Re: Why can domain admins change domain throttling settings?

riverco wrote:

It applies to all accounts but to what? Inbound ? Outbound ? or all emails for all accounts ?

Maybe it was not so bad worded anyways, in my opinion, as all inbound and all outbound means what it means ...ie ALL email. all accounts could mean inbound OR outbound or both.

riverco... whether it applies to inbound and/or outbound is for you to select with the options available on the left... the info on the right was confusing for me on whether it counted all emails for all accounts of all domains on the server together (what it kind of suggested) or whether it does the same but for every mailbox individually... using the word 'individual' in the description solves this...  It was never my intention to confuse anyone even more... sorry for that!