Opened 11 years ago

Last modified 8 years ago

#357 new enhancement

Rate-limit each mail sender

Reported by: adehnert Owned by:
Priority: normal Milestone:
Component: mail Keywords: opinionated
Cc:

Description

I think we've had a couple instances of a single sender hosing outgoing mail recently (for example, today's mail loop due to #356). It may actually be worth us implementing some form of modest rate-limiting --- 1 email per second per sender might be reasonable, for example. This seems like it might have made today's mail loop suck much less, without impacting (I suspect) any legitimate unbuggy users.

Thirty seconds of googling postfix rate limiting didn't find anything terribly hopeful, unfortunately.

Change History (3)

comment:1 Changed 9 years ago by adehnert

  • Keywords opionated added

One related idea would be to, by default, limit each sender to, say, 100 messages. If they exceed that limit, we could queue their mail for three days, and let them request a higher limit in Pony, or something. (Potentially, we could email their contact address (#193) and let them know we're queueing their mail.) I suspect we could leverage http://www.postfix.org/SMTPD_POLICY_README.html to accomplish this.

See also #407, to disable outgoing port 25, which will result in our users more uniformly using our local Postfix.

comment:2 Changed 9 years ago by quentin

We could also use MIT's default limit of 1000 recipients/day. At least that has a slightly higher chance of being something the user will recognize?

I spent quite a while investigating the postfix policy options here; feel free to ping me if you want any details. I think the biggest challenge was to find a way to securely get the username (without having to read it from a potentially-forged header).
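The approach discussed in the comments above, sketched as an added example that is not part of the ticket or the project's code: the decision logic of a Postfix policy delegate (SMTPD_POLICY_README protocol) that counts recipients per sender. It assumes clients authenticate with SASL so the request carries `sasl_username`, uses the 1000 recipients/day figure from comment:2, and assumes `HOLD` as the "queue their mail" action; `RecipientLimiter` and the sample request are constructed for illustration.

```python
import time
from collections import defaultdict, deque

LIMIT = 1000          # recipients per window (figure from comment:2)
WINDOW = 24 * 3600    # one day, in seconds

# Constructed sample request: name=value lines ended by an empty line.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=someone@example.org\n"      # envelope sender: client-supplied
    "recipient=dest@example.net\n"
    "client_address=192.0.2.10\n"
    "sasl_username=alice\n"             # set by Postfix after authentication
    "\n"
)

def parse_request(text):
    """Parse one policy request into a dict of attributes."""
    attrs = {}
    for line in text.splitlines():
        if not line:                    # empty line terminates the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class RecipientLimiter:                 # hypothetical name
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # identity -> timestamps of recipients

    def decide(self, attrs, now=None):
        """Return the access(5) action for one RCPT-stage request."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy" or \
           attrs.get("protocol_state") != "RCPT":
            return "DUNNO"
        # Key on what the server verified, never on the forgeable sender.
        if attrs.get("sasl_username"):
            key = "user:" + attrs["sasl_username"]
        else:
            key = "addr:" + attrs.get("client_address", "unknown")
        stamps = self.seen[key]
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()            # drop entries older than the window
        stamps.append(now)
        if len(stamps) > self.limit:
            return "HOLD sender over recipient quota"
        return "DUNNO"

def reply(action):
    """Format the policy reply sent back to Postfix."""
    return "action=%s\n\n" % action
```

Because each RCPT TO produces one policy request, counting requests in the `RCPT` state counts recipients; a real delegate would wrap this in a socket server and persist the counters.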

comment:3 Changed 8 years ago by andersk

  • Keywords opinionated added; opionated removed