How-To: Rate Limit Outbound Mail In Postfix Using PostFWD On CentOS 6.X

PostFWD v1.0+ (we will install v1.3.5)

Postfix v2.5+ (we will install v2.6.6)

CentOS 6.x (we are working in 6.8 x64)

You may also need things such as nc (netcat), telnet, and various Perl modules (detailed later) 

Install Postfix

Postfix is a strong, reliable and extremely common SMTP server. CentOS 6 comes preinstalled with Postfix, but to use PostFWD you need to ensure you are running a version higher than 2.5.

Find out using ‘rpm’:

Or use ‘yum’:

Once installed, if for some reason you were using sendmail as your default MTA (Mail Transfer Agent), you’ll need to change this to postfix using ‘alternatives’:

Check you are running a valid version of Postfix:

Ensure Postfix starts on a system reboot:

Configure Postfix

Configuring Postfix is a rather open ended task, and will depend on what you are using the SMTP server for. If you have come this far, you likely already have a Postfix configuration, or you are simply using it to relay mails for a specific application. Either way, you should look to set some of the most basic Postfix configuration options in ‘/etc/postfix/main.cf’:

If you are relaying from a specific location/server, you will of course need to adjust how you do this. This How-To is not a Postfix/SMTP Server configuration guide. It is a PostFWD integration guide to Postfix.

Install PostFWD

PostFWD, or Postfix Firewall Daemon, is a daemonized process that acts as a check policy service for postfix. It has a customisable rule-set that it applies dynamically to any and all mail that Postfix sees, we’ll touch more on that later. It’s very powerful, and offers several mail handling features that would otherwise not be possible in Postfix alone (or any other MTA for that matter).

We need version 1.0 or higher, so grab the tarball from postfwd.org, and run through some initial setup steps:

Woah there, it’s not that easy.. As the PostFWD documentation states quite adamantly, this will not work (or start) without a couple of Perl modules installed.

You’ll need to do the rest in ‘cpan’

Once all of the Perl modules (and Perl) are installed, it’d be a great idea to issue a yum update, and reboot the system. Now you are ready to continue and configure PostFWD.

In terms of configuration, the world is your oyster with PostFWD. As the name suggests, it is essentially a firewall for your mail server, it can allow, drop, defer, reject silently, rate limit, rule match by message character counts, body sizes, send frequency, or a combination of any number of these factors.. Want to stop users x, y and z from sending more than 200Mb’s worth of attachments in a 12 hour period? No problem.

In this specific example, we want to rate limit (rather aggressively) all outbound mail to a specific domain. Specifically we don’t want to be sending any more than 10 emails every 30 minutes. Mails sent after this limit is reached will get rejected permanently. Mails within that limit can send at any frequency (unlike the stock implementation of rate limiting within postfix itself, where 10 emails in 30 minutes limit would delay ALL mails, and send 1 mail every 3 minutes, sending ALL mails eventually. In this scenario, that is not helpful.) 

Check everything’s working:

At this point it’s a good sanity prod to check if everything is up and listening on the ports you expect them to be. Use netstat to have a look at the two ports in question, you should see something strikingly similar to the below.

If you don’t see the above, it means one of both of the services are either not running, or not able to bind to their respective ports, check the services are running, check things like SELinux aren’t stopping applications from binding to ports, check messages or your other syslog locations for evidence of problems.

Configuring PostFWD:

Earlier on, you copied postfwd.cf into /etc/postfix. It’s time to configure that with your rules. We are going to be defining just one, to rate limit as described above, but you will likely want a lot more, and also a catch-all style rule to be able to match “everything else”. Remember that our example was built on a custom internal mail server that has one specific task to do.

In this example, the only parts of the pre-supplied postfwd.cf we keep are the following:

Note our rate limiting rule, the syntax is fairly straight forward. Define the recipient domain, give it the ‘rate’ action, and then tell it how many messages to limit, in what time frame, and then what triggered action happens if it is met. For us, we chose to reply with a 421 4.7.1 SMTP reply, thus rejecting the inbound RCPT command from the mail server.

Once you have your rule in place, check that PostFWD parses it correctly:

Great!

Trigger the rate limit manually to see how PostFWD replies to it:

PostFWD comes with a “sample request” file that you can pipe into PostFWD to see how it reacts to differing rules. Modify the following file enough to suit your rate limit criteria

Now throw that sample request at PostFWD using netcat (you may need to install this with ‘yum install nc’).

The action “DUNNO”, although worrying at first, is actually the desired outcome. PostFWD doesn’t know what to do with the message, so it states “DUNNO” back to Postfix and lets the message pass. Keep firing that command until you hit your rate limit.

BINGO! We hit the rate limit (I’ve excluded pointless command repetition from this guide). You can see that as soon as the rate limit is hit, PostFWD applies our own custom action that we set earlier. 421 4.7.1, message rejected. Now we just need to make that happen automatically, and with Postfix.

Integration with Postfix

The integration of PostFWD into Postfix is realtively simple. For this example, we are going to be adding PostFWD as a check_policy_service server for postfix to look up against. As we are specifically filtering on the recipient domain, I am going to add this to the “smtpd_recipient_restrictions” section of Postfix. This section may or may not exist already in your Postfix’s main.cf. 

Open /etc/postfix/main.cf and add or amend the following:

The key to note here, is that the check_policy_service is ABOVE items such as permit_mynetworks. For us, localhost is a trusted net (see the config earlier on), our mails that we wish to rate limit are also from localhost, so if permit_mynetworks comes first, the messages would be forever passed and sent, as Postfix would never bother checking with PostFWD via the check_policy_service (it stops processing after a successful OK reply).

And that’s it.. Restart postFWD, and then restart Postfix (PostFWD should always be up before Postfix), and you’re good to go. Rate Limit events are logged to /var/log/maillog, along with all other successful or not mail operations. You’ll want to tail this log for a while to see if anything’s going wrong.

Testing:

A nice and controlled way of testing with actual mail is to telnet into Postfix from the system itself.

This connects to the SMTP server (postfix), HELO’s as a mail server, defines a FROM: address, defines and TO: address, inputs some message body data, and then quits after the message is queued in postfix. Everything in yellow is text you have to type in.

You can repeat this until you hit your rate limit, tail the maillog in another screen whilst you do this, you’ll see Postfix happily relay all the mail up until you hit your defined rate limit, PostFWD will then step in and reply with the 421 message back to your telnet session. You’ll never get a chance to input a TO: address or any message body data. Perfect.

Summary;

So to recap, we:

• • Installed Postfix and set it as the systems default MTA

  • Configured the basics of Postfix just to get it to function in a primal MTA state

  • Installed PostFWD

  • Configured and tested rate limiting rules in PostFWD

  • Integrated PostFWD with the recipient check stage of Postfix

The possibilities with PostFWD are extremely numerous, I’d recommend anyone embarking on this to check out the full documentation of both Postfix and PostFWD. Something that proved invaluable to me at times during our configuration and testing of this (and multiple other PostFWD instances).

            ----------------------------X---------------------------------------------

mysql> select * from policyd.quotas; +----+----------+---------------------+-----------------------+--------+---------+------+----------------------------------------------------------+----------+ | ID | PolicyID | Name                | Track                 | Period | Verdict | Data | Comment                                                  | Disabled | +----+----------+---------------------+-----------------------+--------+---------+------+----------------------------------------------------------+----------+ |  6 |        3 | Limit incoming user | Sender:user@domain    |   3600 | REJECT  | 501  | Limit incoming mail from a user to 700 messages per hour |        0 | |  7 |        3 | Limit incoming IP   | SenderIP:/32          |   3600 | REJECT  | 699  |                                                          |        0 | |  8 |        2 | Limit outgoing      | Sender:user@domain    |   3600 | REJECT  | 300  | Limit outgoing to 300 per hour                           |        0 | |  9 |        3 | Incoming to user    | Recipient:user@domain |   3600 | REJECT  | 499  |                                                          |        0 | +----+----------+---------------------+-----------------------+--------+---------+------+----------------------------------------------------------+----------+

        ---------------------------X----------------------------------------------

------------------

ratelimit-policyd

New Features

The original forked code from bejelith/send_rate_policyd was improved with the following new features:

• • automatically inserts new SASL-users (upon first email sent)

  • Debian default init.d startscript

  • added installer and documentation

  • bugfix: weekly mode did not work (expiry date was not correctly calculated)

  • bugfix: counters did not get reset after expiry

  • additional information in DB: updated timestamp

  • added view_ratelimit in DB to make Unix timestamps human readable (default datetime format)

  • syslog messaging (similar to Postfix-policyd) including all relevant information and counter/quota

  • more detailed logging

  • added logrotation script for /var/log/ratelimit-policyd.log

  • added flag in ratelimit DB table to make specific quotas persistent (all others will get reset to default after expiry)

  • continue raising counter even in over quota state

Installation

Recommended installation:

$ cd /opt/ $ git clone https://github.com/onlime/ratelimit-policyd.git ratelimit-policyd $ cd ratelimit-policyd $ chmod +x install.sh $ ./install.sh

Create the DB schema and user:

$ mysql -u root -p < mysql-schema.sql

GRANT USAGE ON *.* TO policyd@'localhost' IDENTIFIED BY '********'; GRANT SELECT, INSERT, UPDATE, DELETE ON policyd.* TO policyd@'localhost';

Adjust configuration options in daemon.pl:

### CONFIGURATION SECTIONmy @allowedhosts    = ('127.0.0.1', '10.0.0.1'); my $LOGFILE         = "/var/log/ratelimit-policyd.log"; my $PIDFILE         = "/var/run/ratelimit-policyd.pid"; my $SYSLOG_IDENT    = "ratelimit-policyd"; my $SYSLOG_LOGOPT   = "ndelay,pid"; my $SYSLOG_FACILITY = LOG_MAIL; chomp( my $vhost_dir = `pwd`); my $port            = 10032; my $listen_address  = '127.0.0.1'; # or '0.0.0.0'my $s_key_type      = 'email'; # domain or emailmy $dsn             = "DBI:mysql:policyd:127.0.0.1"; my $db_user         = 'policyd'; my $db_passwd       = '************'; my $db_table        = 'ratelimit'; my $db_quotacol     = 'quota'; my $db_tallycol     = 'used'; my $db_updatedcol   = 'updated'; my $db_expirycol    = 'expiry'; my $db_wherecol     = 'sender'; my $deltaconf       = 'daily'; # hourly|daily|weekly|monthlymy $defaultquota    = 1000; my $sql_getquota    = "SELECT $db_quotacol, $db_tallycol, $db_expirycol FROM $db_table WHERE $db_wherecol = ? AND $db_quotacol > 0"; my $sql_updatequota = "UPDATE $db_table SET $db_tallycol = $db_tallycol + ?, $db_updatedcol = NOW(), $db_expirycol = ? WHERE $db_wherecol = ?"; my $sql_updatereset = "UPDATE $db_table SET $db_tallycol = ?, $db_updatedcol = NOW(), $db_expirycol = ? WHERE $db_wherecol = ?"; my $sql_insertquota = "INSERT INTO $db_table ($db_wherecol, $db_quotacol, $db_tallycol, $db_expirycol) VALUES (?, ?, ?, ?)"; ### END OF CONFIGURATION SECTION

Take care of using a port higher than 1024 to run the script as non-root (our init script runs it as user "postfix").

In most cases, the default configuration should be fine. Just don't forget to paste your DB password in $db_password.

Now, start the daemon:

$ service ratelimit-policyd start

Testing

Check if the daemon is really running:

$ netstat -tl | grep 10032 tcp        0      0 localhost.localdo:10032 *:*                     LISTEN  $ cat /var/run/ratelimit-policyd.pid 30566  $ ps aux | grep daemon.pl postfix  30566  0.4  0.1 176264 19304 ?        Ssl  14:37   0:00 /opt/send_rate_policyd/daemon.pl  $ pstree -p | grep ratelimit init(1)-+-/opt/ratelimit-(11298)-+-{/opt/ratelimit-}(11300)         |                        |-{/opt/ratelimit-}(11301)         |                        |-{/opt/ratelimit-}(11302)         |                        |-{/opt/ratelimit-}(14834)         |                        |-{/opt/ratelimit-}(15001)         |                        |-{/opt/ratelimit-}(15027)         |                        |-{/opt/ratelimit-}(15058)         |                        `-{/opt/ratelimit-}(15065)

Print the cache content (in shared memory) with update statistics:

$ service ratelimit-policyd status Printing shm: Domain : Quota : Used : Expire Threads running: 6, Threads waiting: 2

Postfix Configuration

Modify the postfix data restriction class smtpd_data_restrictions like the following, /etc/postfix/main.cf:

smtpd_data_restrictions = check_policy_service inet:$IP:$PORT

sample configuration (using ratelimitpolicyd as alias as smtpd_data_restrictions does not allow any whitespace):

smtpd_restriction_classes = ratelimitpolicyd ratelimitpolicyd = check_policy_service inet:127.0.0.1:10032  smtpd_data_restrictions =         reject_unauth_pipelining,         ratelimitpolicyd,         permit

If you're sure that ratelimit-policyd is really running, restart Postfix:

$ service postfix restart

Logging

Detailed logging is written to ``/var/log/ratelimit-policyd.log```. In addition, the most important information including the counter status is written to syslog:

$ tail -f /var/log/ratelimit-policyd.log  Sat Jan 10 12:08:37 2015 Looking for demo@example.com Sat Jan 10 12:08:37 2015 07F452AC009F: client=4-3.2-1.cust.example.com[1.2.3.4], sasl_method=PLAIN, sasl_username=demo@example.com, recipient_count=1, curr_count=6/1000, status=UPDATE  $ grep ratelimit-policyd /var/log/syslog Jan 10 12:08:37 mx1 ratelimit-policyd[2552]: 07F452AC009F: client=4-3.2-1.cust.example.com[1.2.3.4], sasl_method=PLAIN, sasl_u

Configure sender rate limits to prevent spam, using cluebringer (policyd) with Postfix

This small how-to will show you how to configure cluebringer (aka policyd) to set a per-hour/per-user limit for sent mails. Note that sending to multiple recipient will count like multiple mails were sent.

This how-to is Debian-oriented but should apply to any unix operating system.

Requirements

A mail server with Postfix installed.

Installation

Install a DBMS (MySQL for instance), cluebringer, and cluebringer-webui :

apt-get install mysql-server cluebringer cluebringer-mysql cluebringer-webui

Note that cluebringer-webui will install apache as a dependency if you don’t already have a webserver.

Set-up the Cluebringer database

Get the initial database schema that correspond to your DBMS, for instance mysql :

cp /usr/share/doc/postfix-cluebringer/database/policyd-db.mysql.gz ~/ && gunzip ~/policyd-db.mysql.gz

Create the database, and populate it with the initial dump :

# cd  ~/ && mysql -u root -p mysql> CREATE DATABASE cluebringer; mysql> CREATE USER 'cluebringer'@'localhost' IDENTIFIED BY 'mypassword'; mysql> GRANT ALL PRIVILEGES ON cluebringer.* TO 'cluebringer'@'localhost'; mysql> \. policyd-db.mysql mysql> quit mysql> Bye

Note that on Debian I had to modify the dump to make it work, TYPE=InnoDB was rejected by MySQL as an invalid syntax.

Configure Cluebringer

Add your DBMS credentials to the file /etc/cluebringer/cluebringer.conf :

DSN=DBI:mysql:dbname=cluebringer;host=localhost  DB_Type=mysql DB_Host=localhost DB_Port=3306 DB_Name=cluebringer Username=cluebringer Password=mypassword

And start it :

service postfix-cluebringer start

Configure Cluebringer webui

Configure the file /etc/cluebringer/cluebringer-webui.conf with your DBMS credentials :

<?php  $DB_DSN="mysql:host=localhost;dbname=cluebringer"; $DB_USER="cluebringer"; $DB_PASS="mypassword";

Cluebringer Webui needs a web server to run. Copy the sample configuration from the package documentation :

cp /usr/share/doc/postfix-cluebringer-webui/examples/httpd/cluebringer-httpd.conf /etc/apache2/conf.d/

Restart Apache :

service apache2 restart

You may need to adjust a few things to access it from the outside. If you a really lazy, just make a ssh tunnel to access the webserver from localhost :

ssh -L 8008:localhost:80 mylogin@mymailserver

Don’t forget : you have to make this tunnel from the outside, do not run this command on server, it won’t work.

You should now be able to open http://localhost:8080/ and see your fresh new Cluebinger Webui !

Configure Cluebringer using its webui

Add a policy

Under Policies -> Main, disable Test policy (select policy and choose Action -> Change and switch Disabled to yes, validate)

Add a new policy : Action -> Add, give it a name and a description

Activate your new policy : select policy and choose Action -> Change (switch Disabled to no)

Add a new member to your policy : select it and choose Action -> Members, and then Action -> Add. Specify any as source and any as destination.

Go back to your policy, choose Action -> Members, and the select your member, do Action -> Change, and activate your new member (switch Disabled to no).

Add a quota

Under Quotas -> Configure, disable Test quotas.

Add a new quota : Choose Action -> Add

• • Name : whatever you want

  • Track : user@domain

  • Period (seconds) : 3600

  • Link to policy : specify the policy you created here

  • Verdict : Defer

  • Data : set a custom error message here

  • Comment : whatever you want

Activate your quota : switch Disabled to no.

Add a limit to your quota : select your quota, and choose Action -> Limits, then Action -> Add.

• • Type : MessageCount

  • Counter Limit : 200

Activate your limit : switch Disabled to no.

Configure Postfix to call Cluebringer for each mail sent

Open /etc/postfix/main.cf and locate the line smtpd_sender_restrictions.

Add check_policy_service inet:127.0.0.1:10031 at the end of the line, for instance :

smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_policy_service inet:127.0.0.1:10031

If the line does not exists, simply add it.

Don’t forget to restart Postfix :

service postfix restart

Check your config

You can now send some mails to see what happens. To check if these mails are passed to Cluebringer, connect to MySQL as the cluebringer user :

# mysql -u cluebringer -p cluebringer

And execute the query :

mysql> SELECT * FROM quotas_tracking;

You should see the value LastUpdate and Counter updating when sending a mail. Note that sending to multiple recipient will count like multiple mails were sent.

Pitfalls, bleeding edges, etc

Cluebringer versions prior to 2.1.x does not support IPv6, your customers won’t be able to send any mail if they have an IPv6 connection.

Unfortunately, the Debian stable version (wheezy) provides Cluebringer 2.0.10 within its repositories, as well as the experimental release of Debian (sid). As an alternative, you should consider installing the 2.1.x experimental Cluebringer from official website instead of Debian packages from repositories.

References

• Installing Policyd

• Configuring Policyd for Zimbra

• Debian, Cluebringer, IPv6

     ----------------------------