rate limit outgoing emails

TGM

Hello everyone,

does someone added an rate limit for the outgoing emails to grommunio? At this moment we are using policyd-rate-limit at our mail server. I did not checked if this is possible with grommunio too. But then I think the web app is out of focus for that, because it is only in the postfix sasl process?

Best, Tobias

crpb

Everything runs through the SMTPD (postfix) so it should also work for internal mails if thats what you are after.

EDIT: ahh now i get it, because the "sasl_username" is only used as it seems o_0.. ok.. and no way to change that?

maybe that? https://www.postfwd.org/

TGM

crpb

thats a interesting point and hint. I just saw in the policy documentation:

"limit_by_sender: Apply limits by sender addresses if sasl username is not found. The defaut is False."

Maybe this works. I will try out.

TGM

Okay, I solved this problem. 🙂 Here is what I did:

I installed policyd-rate-limit via pip3

zypper install python3-pip pip3 install policyd-rate-limit cp /usr/lib/python3.6/site-packages/policyd_rate_limit/policyd-rate-limit.yaml /etc/policyd-rate-limit.yaml

In the config file I set "limit_by_sasl" to False and "limit_by_sender" to True. Then I added in /etc/gromox.cfg outgoing_smtp_url=smtp://localhost

Now the emails which are sent via SASL and via Grommunio Web are seen and counted by policyd-rate-limit and I can configure limits regarding to the addresses or some defaults.

Best, Tobias

TGM

Unfortunately it works not like I hoped. Incoming mails are counted too... So please do not use this solution 😉

TGM

Just a short update... I found an solution:

I installed policyd-rate-limit via pip3

zypper install python3-pip
pip3 install policyd-rate-limit
cp /usr/lib/python3.6/site-packages/policyd_rate_limit/policyd-rate-limit.yaml /etc/policyd-rate-limit.yaml

In the config file I set "limit_by_sasl" to False and "limit_by_sender" to True. Then I added in /etc/gromox.cfg outgoing_smtp_url=smtp://localhost:10025

After that I configured policyd-ratelimit in Postfix. For that add to /etc/postfix/main.cf:

submission_restrictions = check_policy_service unix:/var/spool/postfix/ratelimit/policy

Add the 10025 service to /etc/postfix/master.cf and change the submission configuration to use policyd too:

submission inet  n       -       n       -       -       smtpd
    -o smtpd_data_restrictions=$submission_restrictions
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING


127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_data_restrictions=$submission_restrictions
  -o milter_default_action=accept
  -o milter_protocol=6
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

Now just restart gromox, postfix and policd-rate-limit and it should work! Every outgoing mail is now counted and if the limit is reached there will be an error message in the logfiles or available for the user. With that, it is impossible that a hacked account can send out thousands of emails and your server will be later on the blacklist or never 😉