Submitted by Locutus on Sun, 01/26/2014 - 11:05
The new milter-greylist based email rate limiting is a great idea!
Considering the milter can do a lot more than what the Virtualmin GUI presently can configure, here's some suggestions:
- Per-email address limits
- Allow multiple limits per scope, e.g. "max. 50 per minute, max. 250 per hour..."
- A warning/reporting system, i.e. send a warning email to the admin when a limit is exceeded (so they can react quickly to a potentially hijacked account, or inform their customer)
- Configurable rejection messages
- Use a human-readable text instead of the domain ID in per-domain ratelimit entries for easier log evaluation
Submitted by JamieCameron on Mon, 01/27/2014 - 00:39 Comment #1
Thanks, those are some good ideas..
For the last suggestion, when is the domain ID visible to the user though?
Submitted by Locutus on Mon, 01/27/2014 - 03:24 Comment #2
You're right, the ID isn't immediately visible to the user right now.
When I was testing and looking for possible methods to be informed about rate limit exceeding, I saw in the mail.log that milter-greylist logs rate limit overflows with the domain ID:
Jan 26 17:25:36 australis milter-greylist: ratelimit overflow for class domain_128881656516654: 4, limit is 3 recipients / 60 sec, key = "10.0.0.1"
Here's a link to the milter's man page, with lots of stuff, in case you don't already have that handy. http://manpages.ubuntu.com/manpages/maverick/man5/greylist.conf.5.html
Maybe at some point we could even use the milter for its primary function: Greylisting? Would be nice (though not necessary of course) to have only one software for both greylisting and rate limiting, instead of using the milter AND Postgrey.
Submitted by JamieCameron on Mon, 01/27/2014 - 15:02 Comment #3
Ok - use of the ID in the logs is intentional, as it is consistent even if a domain is renamed, which would allow Virtualmin to scan the logs and correctly associate ratelimiting events with domains.
I agree that milter-greylist could also be used for greylisting, and you can set that up manually if you like. However, we already implemented greylisting using postgrey, so there isn't a pressing need to switch to another solution.
Submitted by Locutus on Mon, 01/27/2014 - 15:03 Comment #4
Roger, I agree with both your points!
Submitted by isdahlc on Tue, 12/04/2018 - 16:43 Pro Licensee Comment #5
I know this is almost 5 years old but would love to have per-user rate limiting. Works if I modify it manually but is of course overwritten on next form save. Is this on the horizon for a future update?