Re: [Shorewall-users] Rate limit remote smtp connections....

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Wed, Feb 14, 2007 at 02:23:30PM +0200, Harry Lachanas wrote:
> Hi all ...
>=20
> Happy to be back for a question/suggestion again ....
>=20
> I came accross this weird situation.
>=20
It is not weird.  Read on.

>=20
> I take care of a site running shorewall 3.0.5  in the firewall and qmail=
=20
> in the DMZ ( mail server ).
>=20
>=20
> A remote clients  smtp server denies to accept more than one incomming=20
> smtp connections from my site  :-(.
> In my site users are always sending mail to this server ( 50 - 60 per day=
 ).
>=20
> So when an smtp transfer is on ... the next ones gets stuck in the queue=
=20
> and the message I get in the log is
> "Remote_host_said:_421_#4.4.5_Too_many_connections_from_your_host" =20
>  and finally gets bounced ( 3 hour queue - life  limit ) depending on=20
> the traffic of  that particular date.

Hmmm.  Perhaps you should get yourself a standards-compliant MTA [0]:

  4.3. Bandwidth hogging (violates SHOULD clause in RFC-2821)
 =20
  qmail unbundles all mail. Common other mail software transfers a mail
  for a...@sa... and b...@sa... in the same transaction.
  qmail makes two separate mail transactions of this, one for
  a...@sa..., one for b...@sa.... This consumes your
  bandwidth, you pay twice with qmail.
 =20
  RFC-2821, section "4.5.4.1 Sending Strategy", recommends that
  multi-RCPT be sent when possible: "When a mail message is to be
  delivered to multiple recipients, and the SMTP server to which a copy
  of the message is to be sent is the same for multiple recipients, then
  only one copy of the message SHOULD be transmitted. That is, the SMTP
  client SHOULD use the command sequence: MAIL, RCPT, RCPT,... RCPT,
  DATA instead of the sequence: MAIL, RCPT, DATA, ..., MAIL, RCPT, DATA.
  However, if there are very many addresses, a limit on the number of
  RCPT commands per MAIL command MAY be imposed. Implementation of this
  efficiency feature is strongly encouraged."
 =20
  Technically, unbundling is only required for VERP mail which is
  exclusively used by mailing list manager software.

>=20
> I 've searched all qmail documentation but I was not able to find a way=
=20
> to limit the number of connections to remote smtp server.
>=20
Because, in this respect, qmail is broken.

>=20
> Is there a safe way to do this in shorewall ( One active smtp connection=
=20
> to a specific remote site only ) ??? With out mails getting bounced back=
=20
> to my users ???
>=20
How will qmail know what is going on?  Its connections will still get
delayed and given long enough will bounce.

Regards,

-Roberto

[0] http://www-dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html
--=20
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com