1 (edited by bw1984 2014-06-13 16:53:11)

Topic: Throttling not working

==== Required information ====
- iRedMail version: latest (w/ iRedAdmin Pro latest)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: CentOS 6
- Related log if you're reporting an issue: (see below)
====

My throttling doesn't appear to be working and i recently got my Amazon SES account suspended due to a compromised account as a result of this. One of my mailboxes was able to send out ~8000 emails within about 15 minutes before i spotted it.

I followed all of the steps in this guide -> http://www.iredmail.org/wiki/index.php? … HEL.CentOS and have tested the throttling on a few test accounts by turning the send limit down really low and sending a couple of emails out to external addresses (not entirely sure if local inboxes count towards throttling?) and all of the emails arrive, even the ones over the send limit.

Below is the output of running "postconf -n" as requested;

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_size_limit = 4096000
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = XXXXXXXX.com
myhostname = server.XXXXXXXX.com
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = server.XXXXXXXX.com
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.11.0/README_FILES
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap/relay_domains.cf
relayhost = [smtp.XXXXXXXX.net]:587
sample_directory = /usr/share/doc/postfix-2.11.0/samples
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:XXXXXX:XXXXXX
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10032
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
virtual_gid_maps = static:501
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
virtual_minimum_uid = 501
virtual_transport = dovecot
virtual_uid_maps = static:501

with (hopefully) any server identifying details removed.

I have 2 different main.cf config files, this one is actually for my backup SMTP sending service, since my amazon SES account got suspended. I dont want to switch back until i am confident that throttling is working correctly.

I have also been informed that cluebringer may be involved? although im not sure how exactly as i dont think that was mentioned in the installation instructions.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 (edited by bw1984 2014-06-13 17:43:50)

Re: Throttling not working

i think we might need a CAPTCHA on here...

pun_antispam is probably the quickest way to go

3

Re: Throttling not working

*) May i know which version of iRedMail you're running? You can check file
/etc/iredmail-release to get the release number.

*) Are you running Policyd or Cluebringer? If it's Policyd, you have correct setting to
invoke Policyd in Postfix. The most important thing is checking Policyd debug log to see
whether or not you have correct throttling setting and why it doesn't work as expected.
You can turn on debug mode in Policyd, then send testing emails and track its log file.