Hello Emmanuel,
is the logic AND or is it OR? From what I see it is just string comparison, so the logic is AND. Is there a way to achieve logic OR? For example, either the first value is the same or the second? The key value, can it take a regular expression?
Thanks a lot for your comments!
Here is what I did try (the limits are very low to let me test without sending too many emails):
ratelimit "virtualmin_limit_local" rcpt 3 / 10m key "%f"
racl greylist addr 127.0.0.1 ratelimit "virtualmin_limit_local" delay 11m autowhite 0m msg "Message quota exceeded"
ratelimit "virtualmin_limit" rcpt 3 / 10m key "%i"
racl greylist from /.*/ ratelimit "virtualmin_limit" delay 11m autowhite 0m msg "Message quota exceeded"
racl whitelist default
The first rate limit rule works fine (the emails indeed come from 127.0.0.1). The problem is that the local emails also hit the second ruleset, and eventually 127.0.0.1 gets greylisted if the combined amount of local emails is over the limit. The second ruleset should work for everything except 127.0.0.1, but I didn't find a way to invert the logic there. (Also, if some message hits one rule it still propagates down, so it can also hit another; the logic is not like in iptables, for example.) Maybe I can use the regular expression syntax to invert the logic, but in this case I need to use the actual full localhost name, which is not as convenient as the IP. Can you advise me on that?
Yes, if the PHP application is able to talk SMTP then it can be much easier, but only a few can, so we need to keep the mail(); function working. I should investigate if it is possible to fake the "FROM" if you indeed use a PHP application that comes from 127.0.0.1 and talks SMTP. In this case we should use the SASL authentication user and create one more rate limit rule.
When adding more keys, for example
ratelimit "virtualmin_limit_local" rcpt 3 / 10m key "%f%i"
The admin notification is better if we log the rate_limit event; then other scripts will parse the log under some cron schedule and send proper warnings. I think this one is already available in Virtualmin/Webmin.
Thanks again for your time!
Georgi
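As an added illustration of the key question in the message above (this is example code, not from the thread or from milter-greylist itself): a sliding-window rate limiter keyed by a template, showing why a composite key such as "%f%i" behaves as AND, while "either the sender or the client IP" needs two separate limits. The semantics are this example's assumptions: "%f" is the envelope sender, "%i" the client IP, and "rcpt 3 / 10m" allows three recipients per key in any 10-minute window, so the fourth within the window is the first one limited. The sample messages are constructed.

```python
# Added example (not from the thread above): a sliding-window rate limiter
# keyed by a template, to show why a composite key such as "%f%i" behaves as
# AND while "either sender or client IP" needs two separate limits.
# Assumptions (this example's own, not milter-greylist's implementation):
# "%f" stands for the envelope sender, "%i" for the client IP, and
# "rcpt 3 / 10m" means three recipients per key in any 10-minute window,
# so the fourth within the window is the first one limited.
from collections import defaultdict, deque


class RateLimit:
    """One ratelimit rule: counts recipients per key over a sliding window."""

    def __init__(self, name, limit, window_s, key_tmpl):
        self.name = name
        self.limit = limit
        self.window_s = window_s
        self.key_tmpl = key_tmpl          # e.g. "%f", "%i" or "%f%i"
        self.hits = defaultdict(deque)    # key -> timestamps of recent recipients

    def key_for(self, msg):
        # Expand the placeholders; a composite template just concatenates both
        # values, so the counter is per (sender, ip) pair, i.e. AND.
        return self.key_tmpl.replace("%f", msg["sender"]).replace("%i", msg["ip"])

    def matches(self, msg, now):
        """Record one recipient at time `now`; True when the key is over its limit."""
        q = self.hits[self.key_for(msg)]
        while q and q[0] <= now - self.window_s:   # drop hits outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.limit


def feed(rule, msgs, times):
    """Feed (message, timestamp) pairs in order; return the 1-based indices of
    the messages the rule limited."""
    return [n for n, (m, t) in enumerate(zip(msgs, times), 1) if rule.matches(m, t)]


def rules_exceeded(rules, msg, now):
    """OR across rules: names of every rule whose own key is over its limit."""
    return [r.name for r in rules if r.matches(msg, now)]


if __name__ == "__main__":
    # Constructed sample: one web sender relayed from five different client IPs.
    msgs = [{"sender": "www-data@example.org", "ip": "192.0.2.%d" % n} for n in range(1, 6)]
    times = list(range(1, 6))
    print("key %f   ->", feed(RateLimit("by_sender", 3, 600, "%f"), msgs, times))
    print("key %i   ->", feed(RateLimit("by_ip", 3, 600, "%i"), msgs, times))
    print("key %f%i ->", feed(RateLimit("composite", 3, 600, "%f%i"), msgs, times))
```

With these five messages the "%f" rule limits the fourth and fifth, while "%i" and "%f%i" never trip because every key is distinct; two separate rules over one message give the OR behaviour, and a single composite key gives AND.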
On Fri, Apr 18, 2014 at 7:41 PM, <manu@netbsd.org> wrote:
Georgi Petrov <georgi.petrov@...> wrote:

> - How I can achieve two different rate limit rules for localhost and non
> localhost (I have tried with some rules but they didn't work)?

I guess you used an ACL with clause addr 127.0.0.1, but perhaps the
message was sent from ::1 (IPv6)?

> - Is there a better way to limit the emails from PHP? They cannot be
> rejected, so they go in the mail queue and wait there. The queue tries to
> resend them every few minutes and they are rejected again until the rate
> drops under the limit.

You need your PHP application to talk SMTP instead of using the system
mail/sendmail/whatever command.

> - Can we achieve some sort of admin notification if the ratelimit is blocking
> somebody? Now I can have warning notifications if the mail queue gets very
> big.

You could add a urlcheck clause at the end of your racl blacklist ACL:
if ratelimit does not match it is not evaluated, and if ratelimit
matches, the evaluation continues to the urlcheck clause.
Your urlcheck clause will always evaluate to true but it will send the
signal to a webservice where you can do whatever you want.

An alternative is to log the event, and have another process parsing the
logs.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
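The "log the event and have another process parse the logs" alternative from the reply above, and the cron-scheduled warning script Georgi mentions, as an added example that is not part of the thread or of milter-greylist: a small parser that counts rate-limit events per (rule, key), raises one alert per pair over a threshold, suppresses pairs already reported on an earlier run, and composes the admin mail. The log line format, the rule names, addresses and IPs in the sample log are constructed for this example; real milter-greylist log lines differ, so LOG_RE would be adjusted to them.

```python
# Added example (not from the thread above): the "log the event and have
# another process parse the logs" approach, as a cron-driven script would do
# it.  The log line format below is constructed for this example; real
# milter-greylist log lines differ, so LOG_RE would be adjusted to them.
import re
from collections import Counter
from email.message import EmailMessage

LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ milter-greylist\[\d+\]: '
    r'ratelimit "(?P<name>[^"]+)" exceeded for key "(?P<key>[^"]*)"'
)

# Constructed sample log: three hits on the non-local rule for one client IP
# (key "%i"), one hit on the local rule for a sender (key "%f"), plus an
# unrelated greylist line that the parser must ignore.
SAMPLE_LOG = """\
Apr 18 19:41:02 mail milter-greylist[1234]: ratelimit "virtualmin_limit" exceeded for key "203.0.113.5"
Apr 18 19:41:09 mail milter-greylist[1234]: greylisted, not yet whitelisted: 198.51.100.7
Apr 18 19:43:50 mail milter-greylist[1234]: ratelimit "virtualmin_limit" exceeded for key "203.0.113.5"
Apr 18 19:44:11 mail milter-greylist[1234]: ratelimit "virtualmin_limit_local" exceeded for key "www-data@example.org"
Apr 18 19:45:30 mail milter-greylist[1234]: ratelimit "virtualmin_limit" exceeded for key "203.0.113.5"
""".splitlines()


def parse_events(lines):
    """Return one dict (ts, name, key) per rate-limit event; other lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def alerts(events, threshold=2, already_notified=frozenset()):
    """One alert per (limit, key) seen at least `threshold` times in this run
    and not already reported; the caller persists `already_notified` between
    cron runs so the admin is not paged on every run while the limit holds."""
    counts = Counter((e["name"], e["key"]) for e in events)
    return [
        {"limit": name, "key": key, "hits": n}
        for (name, key), n in sorted(counts.items())
        if n >= threshold and (name, key) not in already_notified
    ]


def build_notification(found, sender="postmaster@example.org", to="admin@example.org"):
    """Compose the admin mail (handing it to smtplib is left to the cron job)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, to
    msg["Subject"] = "milter-greylist: %d rate limit(s) exceeded" % len(found)
    msg.set_content("\n".join(
        "%(limit)s: key %(key)s hit the limit %(hits)d time(s)" % a for a in found))
    return msg


if __name__ == "__main__":
    found = alerts(parse_events(SAMPLE_LOG))
    print(build_notification(found))
```

Run from cron, the script would read the slice of the log written since the previous run and load the set of pairs it already reported, so the notification states which rule and which key (sender or client IP, depending on the rule's key) is being limited rather than only that the queue is growing.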