October 8, 2020 Roberto Puzzanghera 11 comments
If you want to reduce the risk of your server being compromised by accounts that send messages indiscriminately to the world because their password was stolen in some way, consider Luca Franceschini's rcptcheck-overlimit.sh script, which must be used together with the rcptcheck patch (a patch Luca derived from an original work by Jay Soffian).
Since Luca decided in 2016 to merge his combo with my big patch, he has been contributing to it personally: he fixed many bugs and added important new patches and functionality, often writing the code himself. The script shared here is just the latest one, and it is quite surprising (at least to me) how much is accomplished by putting together just 20 lines.
What follows is a cut-and-paste of the notes in the header of the script.
This script limits the number of emails sent by relayclients (authusers or IPs with RELAYCLIENT in tcprules). You must define the variable RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh and RCPTCHECKRELAYCLIENT="1".

This script will be called for every accepted rcptto. If RELAYCLIENT is not defined the script terminates with the exit code 112 (ignore/accept). Messages sent to domains in rcpthosts will NOT be accounted for.

For every accepted rcptto with RELAYCLIENT defined, a char 'X' will be appended to a file in the directory $OVERLIMITDIR; this file name will be the authuser, if defined, or the client IP address. The script will look for an entry corresponding to the client (authuser or IP) in $LIMITSCONTROLFILE and use the number found as the maximum number of allowed outgoing emails.

If $OVERLIMITDIR is not writable by the user running qmail-smtpd or $LIMITSCONTROLFILE cannot be read, the script terminates with 112 (ignore/accept). In case of overlimit, an exit code 113 (reject/overlimit) will be returned to qmail-smtpd and the connection will be dropped with a 421.

$LIMITSCONTROLFILE can contain comments; '0' means unlimited; the entry starting with ':' will be considered the default limit. If the default entry can't be found, the default will be set to unlimited. In case more lines match the client name, only the last will be used.

A cronjob must be created to periodically clean up the files in $OVERLIMITDIR; to use daily limits, schedule the job once a day:

0 3 * * * find /var/qmail/overlimit/ -type f -exec rm -f "{}" \; 1> /dev/null

$LIMITSCONTROLFILE example:

:1000
1.2.3.4:3000
test@example.com:0
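The notes above describe the accounting and lookup rules in prose. As an added example (written for this page, not Luca Franceschini's script, whose source is not reproduced here), the following POSIX sh functions reimplement those rules so you can run them against constructed sample control files. The calling convention is an assumption: the check takes the client identity (authuser or IP, empty when RELAYCLIENT is not set), the recipient and the three file paths as arguments, whereas the real script reads qmail-smtpd's environment. The rcpthosts check is simplified to an exact, case-insensitive domain match, and the limits lookup compares the whole client string, so info@example.com does not match testinfo@example.com and dashes are preserved, two points raised in the comments below.

```shell
#!/bin/sh
# Added example: a POSIX sh reimplementation of the rules in the script notes.
# It is NOT Luca Franceschini's rcptcheck-overlimit.sh. Client identity,
# recipient and file paths are passed as arguments (assumption) instead of
# being read from the environment qmail-smtpd provides to RCPTCHECK.

# lookup_limit LIMITSFILE CLIENT
# Prints the per-client limit: '#' lines are comments, a line starting with
# ':' is the default, the LAST matching line wins, and no match with no
# default means 0 (unlimited). Matching is exact, so "info@example.com"
# never matches "testinfo@example.com", and dashes are left untouched.
lookup_limit() {
    limitsfile=$1 client=$2 default='' limit=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)      continue ;;
            ':'*)         default=${line#:} ;;
            "$client:"*)  limit=${line#"$client:"} ;;
        esac
    done < "$limitsfile"
    [ -n "$limit" ] || limit=$default
    [ -n "$limit" ] || limit=0
    printf '%s\n' "$limit"
}

# is_rcpthost RCPTHOSTSFILE DOMAIN
# Simplified: exact, case-insensitive match of one domain per line
# (qmail's leading-dot wildcard entries are not handled here).
is_rcpthost() {
    [ -r "$1" ] && grep -qixF -- "$2" "$1"
}

# account_rcpt OVERLIMITDIR CLIENT
# Appends one 'X' to the client's counter file and prints the new count.
account_rcpt() {
    counter=$1/$2
    printf 'X' >> "$counter"
    wc -c < "$counter" | tr -d ' '
}

# rcptcheck_overlimit OVERLIMITDIR LIMITSFILE RCPTHOSTSFILE CLIENT RECIPIENT
# CLIENT is the authuser if present, otherwise the client IP; an empty CLIENT
# stands for "RELAYCLIENT not set". Returns 112 (ignore/accept) or
# 113 (reject/overlimit), the codes the rcptcheck patch expects.
rcptcheck_overlimit() {
    dir=$1 limits=$2 rcpthosts=$3 client=$4 rcpt=$5
    # Not a relay client: nothing to account for.
    [ -n "$client" ] || return 112
    # Refuse to build a counter path from a client string that could escape $dir.
    case $client in */*|.|..) return 112 ;; esac
    # Local delivery (domain in rcpthosts) is never counted.
    is_rcpthost "$rcpthosts" "${rcpt##*@}" && return 112
    # Infrastructure problems fail open, as the notes describe.
    [ -d "$dir" ] && [ -w "$dir" ] || return 112
    [ -r "$limits" ] || return 112
    count=$(account_rcpt "$dir" "$client")
    limit=$(lookup_limit "$limits" "$client")
    # A non-numeric limit is treated like an unreadable control file.
    case $limit in ''|*[!0-9]*) return 112 ;; esac
    [ "$limit" -eq 0 ] && return 112          # 0 means unlimited
    [ "$count" -gt "$limit" ] && return 113   # over limit: qmail-smtpd answers 421
    return 112
}

# make_fixture
# Creates a throwaway directory holding constructed sample control files
# (sample data, not a real configuration) and prints its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/overlimit"
    printf '%s\n' '# constructed sample relaylimits' ':2' \
        'info@example.com:5' 'test@example.com:0' '1.2.3.4:3' > "$d/relaylimits"
    printf '%s\n' 'example.org' > "$d/rcpthosts"
    printf '%s\n' "$d"
}

# run_demo
# Shows the counter for 1.2.3.4 (limit 3) reaching its limit while a
# recipient in a local domain is not counted.
run_demo() {
    d=$(make_fixture)
    for rcpt in a@remote.test b@remote.test c@example.org d@remote.test e@remote.test; do
        rc=0
        rcptcheck_overlimit "$d/overlimit" "$d/relaylimits" "$d/rcpthosts" 1.2.3.4 "$rcpt" || rc=$?
        echo "1.2.3.4 -> $rcpt: exit $rc (counted so far: $(wc -c < "$d/overlimit/1.2.3.4" | tr -d ' '))"
    done
    rm -rf "$d"
}

run_demo
```

Running the file prints one line per rcptto for client 1.2.3.4 (limit 3): the recipient at example.org is not counted, the third remote recipient is still accepted, and the fourth gets 113, which the rcptcheck patch turns into a 421. Note that every infrastructure problem (unwritable $OVERLIMITDIR, unreadable limits file, garbage in a limit entry) yields 112, so the check fails open: keep an eye on the directory permissions and the control file rather than assuming rejections are taking place.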
Download as follows:

wget -O /var/qmail/bin/rcptcheck-overlimit.sh https://notes.sagredo.eu/files/qmail/patches/rcptcheck/rcptcheck-overlimit.sh
chmod +x /var/qmail/bin/rcptcheck-overlimit.sh

Create the $OVERLIMITDIR directory that will store the information about the number of messages sent by each IP/auth-user, and give full privileges on it to the user who runs qmail-smtpd (vpopmail in our case):

mkdir /var/qmail/overlimit
chown -R vpopmail.vchkpw /var/qmail/overlimit
chmod -R 755 /var/qmail/overlimit

Create the relaylimits control file and adjust it to your needs according to the instructions above:

cat > /var/qmail/control/relaylimits << __EOF__
:1000
__EOF__

Modify your qmail-smtpd/run and qmail-submission/run scripts:

export RCPTCHECK=/var/qmail/bin/rcptcheck-overlimit.sh
export RCPTCHECKRELAYCLIENT="1"

Set up a cronjob to periodically clean up the files in $OVERLIMITDIR, for example:

0 3 * * * find /var/qmail/overlimit/ -type f -exec rm -f "{}" \; 1> /dev/null

And of course remember to restart qmail.
Comments
rcptcheck-relaylimit known bug fix
Tony Fung October 7, 2020 06:35
Hi Roberto,
Regarding the known bug, I modified line 55 in "rcptcheck-overlimit.sh" as below, and it works well on CentOS 8.2:
After that, "info@example.com" does not match "testinfo@example.com". Hope this can help.
rcptcheck-relaylimit known bug fix
Roberto Puzzanghera Tony Fung August 22, 2021 10:35
Tony, I hope you can read this.
The above modification is not distinguishing users belonging to the same domain here...
I'm restoring the original version for the time being.
For anyone interested in doing tests, this is the modified version and this is the original script by Luca Franceschini.
rcptcheck-relaylimit known bug fix
Roberto Puzzanghera Tony Fung October 8, 2020 16:21
Great! Thank you
Dash in relaylimits
Clemens May 2, 2019 11:39
At the moment, the users listed in /var/qmail/control/relaylimits are without the dash(es) in the user and domain part, because the script trims them away:
I think the dash character has to be escaped in the script to keep it, because the dash is used to define character ranges (http://linuxcommand.org/lc3_man_pages/tr1.html).
Dash in relaylimits
Roberto Puzzanghera Clemens May 6, 2019 17:43
Corrected. Thanks for the contribution
usage report
Sam Tang January 19, 2019 02:02
Hi,
Thanks for your information. I would like to share a tip for a usage report.
Add this to crontab:
Change the email "you@youremail.com" to your email address; then every night an email report will be sent to the administrator.
usage report
Roberto Puzzanghera Sam Tang January 19, 2019 08:12
Thank you. I'll check it out.
rcptcheck with starttls
Ryan November 30, 2018 00:12
Hi there,
Always thankful for this great documentation.
Recently I found this rcptcheck patch and tried to apply it to my mail server.
Everything looks fine, without any error during patching and compiling.
But once it's applied, starttls doesn't work with this new patch. (I used the combined patch, not this patch separately. The combined patch also contains this rcptcheck, right?)
qmail-smtpd and qmail-submission (I'm using it as qmail-smtpd-ssl) are actually running.
But if I try to access it with starttls, it's not accessible, like below (nothing shows after "CONNECTED").
So I had to roll back to the old patch...
Do you have any idea?
Thanks in advance.
rcptcheck with starttls
Roberto Puzzanghera Ryan November 30, 2018 13:13
How did you configure submission as qmail-smtpd-ssl?
rcptcheck with starttls
Ryan Roberto Puzzanghera December 2, 2018 19:43
Hi Roberto,
This is the run file of qmail-smtp-ssl.
Thanks,
rcptcheck with starttls
Roberto Puzzanghera Ryan December 3, 2018 20:27
Honestly I don't know what might be the cause... I also tried to configure qmail-submission as qmail-smtpd-ssl and it works here...