Exim: rate limiting/notquit ACL

phatrik

Hi,

Trying to get a better understanding of two things:

- In a default cPanel config, how many "notquit" events does it take for a host to be blocked
- What does Exim consider to be "authenticated hosts" ?



I'm looking into an issue where I noticed a single notquit event (outgoing e-mail by a user who logged in) recorded in the mainlog, and for the following hour (a bit more than 1 hour actually) e-mails originating from the subject host were blocked, as evidenced by the exim_rejectlog. The message specifically referred to the "CONNECT" ACL.


When I look at acl_smtp_notquit (/etc/exim.conf), it looks like 1.2 such messages per hour (a message with a notquit event) could be tolerated. I only found one in the logs. I'm not sure what .2 of an e-mail message would look like, but again, I only found one such event in the logs. Why was this host rate limited after only one such event?


Reviewing the notquit ACL, it seems like "authenticated hosts" should go through without any problems. After doing a bit of research on this subject, I came across a comment stating "for Exim to consider a host to be authenticated, it must both authenticate AND send using submission port 587". Is that accurate? In other words, even if a host authenticates, the fact it goes over port 25 Exim considers it "unauthenticated" and will subject the connection to the notquit rate limit?




TIA

cPanelMichael

Hello :)

Ratelimits are averaged by Exim over time. More information on how this occurs is available at:

Exim - Ratelimiting

An authenticated host could come from port 25 from what I understand.

Thank you.
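As an added illustration of the "averaged over time" point (this is not code from the thread, from Exim or from cPanel): the Python below models the exponentially weighted moving average that Exim's ratelimit documentation describes for a "1.2 / 1h" limit, as I read that documentation. The update step, the initial value for a newly seen key and the leaky/strict handling are my assumptions from that reading.

```python
import math

# Assumed model of Exim's ratelimit EWMA, not code taken from Exim or cPanel.
PERIOD_1H = 3600.0   # the "1h" in "1.2 / 1h", in seconds
LIMIT = 1.2          # the "1.2" in "1.2 / 1h"


def ewma_step(prev_rate, prev_ts, now_ts, period=PERIOD_1H, count=1.0):
    """Fold one event into the stored rate. A key seen for the first time
    starts at `count` (assumption: one event alone measures as a rate of 1.0)."""
    if prev_ts is None:
        return count
    i_over_p = (now_ts - prev_ts) / period
    if i_over_p <= 0.0:
        i_over_p = 1e-9          # clamp: same instant, or the clock went backwards
    a = math.exp(-i_over_p)      # weight kept from the previous measurement
    return (1.0 - a) / i_over_p * count + a * prev_rate


def simulate(event_times, limit=LIMIT, period=PERIOD_1H, strict=False):
    """Replay event timestamps (seconds) for one ratelimit key.
    Returns a list of (time, measured_rate, over_limit) tuples."""
    stored_rate, stored_ts = 0.0, None
    out = []
    for t in event_times:
        rate = ewma_step(stored_rate, stored_ts, t, period)
        over = rate > limit
        # Assumed leaky mode (default): an event that is over the limit does not
        # advance the stored rate. Assumed strict mode: it does, so a client that
        # keeps retrying keeps pushing its own measured rate up.
        if strict or not over:
            stored_rate, stored_ts = rate, t
        out.append((t, round(rate, 4), over))
    return out


if __name__ == "__main__":
    print(simulate([0]))                      # one event: rate 1.0, under 1.2
    print(simulate([0, 60]))                  # second event a minute later: ~1.975, over
    print(simulate([0, 7200]))                # two hours apart: rate decays to ~0.568
    print(simulate([0, 60, 120]))             # leaky: third event measured from the first
    print(simulate([0, 60, 120], strict=True))  # strict: rejected event still counted
```

In this model a single event never exceeds 1.2 on its own; the limit is crossed only when a second event arrives well inside the hour, and the measured rate decays back below the limit as time passes without events.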

phatrik

Hi,

Thank you for pointing out that link. Before writing the post, I already understood, at least at a high level, what 1.2/1 represented [(m)essage = 1.2 divided by (p)eriod of 1h], so 1.2 messages for every hour. The thing is, I was only able to find a single "notquit" event in the entire log file for that IP address. What I'm struggling to understand is how a single event would amount to >1 and trigger the temporary block. Shouldn't there be more than one notquit event within the hour before the IP is blocked (temp)?


If someone could address the specific question in bold I would appreciate it. Keeping with questions about acl_smtp_connect:



acl_smtp_connect looks like this:

acl_smtp_connect (most comments/whitespace between blocks of lines taken out to save space)


and a test session initiated with "exim -bh 198.164.4.1" looks like this:


http://pastebin.com/zcgk6DBk


I've already determined each condition is tested in order as it appears within the ACL list by running "exim -bh <RANDOMIP>". It also seems like as soon as a condition tests true, the following conditions aren't tested. I came to this conclusion based on the fact that there are more conditions to be tested beyond the one found on line 12 (first pastebin URL), however none of them show up in the output of "exim -bh", as a condition is found to be true (first pastebin URL, line 12) before those are reached. Based on the output of the above session, I'm trying to confirm a few conclusions I made and have some questions:


1) Considering the first several statements are all accepts, including line 12, it seems like as long as someone connects over port 25, the client will never fail the "acl_smtp_quit". Is this correct?

2) What if the client connects on submission port (587) and authenticates? My current (admittedly, likely incorrect) understanding of this ACL means those clients would be rate limited because they chose port 587 instead of 25, regardless of whether they're authenticated clients? 1.2 messages per hour doesn't sound like much. I know for a fact some clients using the e-mail server are sending much more.

3) condition = ${if eq {$interface_port}{25}{no}{yes}}

The part in bold makes sense to me. It's essentially saying "the condition tested against is whether or not the connection was made over port 25". What I don't understand is, why the two answers? One answer is the desired result (i.e.: does the test fail or succeed, in other words was the connection made over the defined port 25) but what condition is the second answer testing?