From owner-freebsd-isp Sat Dec 12 23:45:48 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id XAA26796
          for freebsd-isp-outgoing; Sat, 12 Dec 1998 23:45:48 -0800 (PST)
          (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from velvet.sensation.net.au (serial0-velvet.Brunswick.sensation.net.au [203.20.114.195])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA26784
          for ; Sat, 12 Dec 1998 23:45:42 -0800 (PST)
          (envelope-from rowan@sensation.net.au)
Received: from localhost (rowan@localhost)
          by velvet.sensation.net.au (8.8.8/8.8.8) with SMTP id SAA05962;
          Sun, 13 Dec 1998 18:43:52 +1100 (EST)
          (envelope-from rowan@sensation.net.au)
X-Authentication-Warning: velvet.sensation.net.au: rowan owned process doing -bs
Date: Sun, 13 Dec 1998 18:43:50 +1100 (EST)
From: Rowan Crowe
To: Dean Hollister
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: sendmail morons
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 13 Dec 1998, Dean Hollister wrote:

> > If it's a machine performance issue then you could try limiting the number
              ^^^^^^^^^^^^^^^^^^^^^^^^^
> > of children:
> >
> > # maximum number of children we allow at one time
> > O MaxDaemonChildren=30
> >
> > If it's for a major mail server then I would _not_ recommend this, as once
> > the limit is reached all connections to port 25 will be refused. I had a
> > play with this the other day when someone decided to forward 150Mb+ of
> > their email from work to their home account, and it was severely loading
> > the system.
>
> I would *not* recommend this. It would be better to configure the child
> process to exit if the IP is in its db. I vaguely recall something at
> www.sendmail.org about it.

Note that I specified "machine performance issue".
I'd rather have my server have an absolute known limit where it no longer
accepts new connections rather than a steady decline as more and more
sendmail processes appear with each new connection. Seeing a machine run
out of swap space is not fun. ;\ This absolute limit could also be of use
in something like a SYN flood attack.

(Note that limiting to 30 is probably _way_ too low, that's just something
I've started with. Still experimenting).

Also, adding in IPs requires periodic review of the database by a human.

Cheers.

--
Rowan Crowe
Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728     +61-3-9388-9260
http://www.rowan.sensation.net.au/
http://www.sensation.net.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
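
The trade-off argued in this message, a hard child limit versus a steady decline into swap exhaustion, modelled as an added example that is not part of the original post or of sendmail itself. The workload, the 4 MB per child and the 256 MB of RAM plus swap are constructed assumptions; only the limit of 30 comes from the message.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Result:
    peak_children: int
    peak_mem_mb: int
    refused: int
    exhausted_at: Optional[int]  # first tick where children outgrow RAM+swap

def simulate(arrivals, hold_ticks, child_mb, total_mb, max_children=None):
    """Fork-per-connection daemon: arrivals[t] connections arrive at tick t and
    each accepted one keeps a child alive for hold_ticks ticks."""
    expiry = []                      # exit tick of every live child
    peak = refused = 0
    exhausted_at = None
    for t, n in enumerate(arrivals):
        expiry = [e for e in expiry if e > t]          # reap finished children
        for _ in range(n):
            if max_children is not None and len(expiry) >= max_children:
                refused += 1                           # at the limit: connection refused
            else:
                expiry.append(t + hold_ticks)          # fork a child for this connection
        peak = max(peak, len(expiry))
        if exhausted_at is None and len(expiry) * child_mb > total_mb:
            exhausted_at = t
    return Result(peak, peak * child_mb, refused, exhausted_at)

# Constructed workload (assumption): 2 conn/tick normally, 15 conn/tick for 20 ticks.
BURST = [2] * 10 + [15] * 20 + [2] * 10
# Assumed figures, not from the message: 4 MB per child, 256 MB of RAM plus swap.
PARAMS = dict(hold_ticks=8, child_mb=4, total_mb=256)

if __name__ == "__main__":
    print("no limit:", simulate(BURST, **PARAMS))
    print("limit 30:", simulate(BURST, **PARAMS, max_children=30))
```

Without a limit the model outgrows memory a few ticks into the burst; with the limit, memory use stays at a known ceiling and the cost shows up as refused connections instead.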