NAME

anvil - Postfix session count and request rate control

SYNOPSIS


aannvviill [generic Postfix daemon options]

DESCRIPTION

The Postfix aannvviill(8) server maintains statistics about client connection counts or client request rates. This information can be used to defend against clients that hammer a server with either too many simultaneous sessions, or with too many successive requests within a configurable time interval. This server is designed to run under control by the Postfix mmaasstteerr(8) server.

In the following text, iiddeenntt specifies a (service, client) combination. The exact syntax of that information is application-dependent; the aannvviill(8) server does not care.

CONNECTION COUNT/RATE CONTROL



To register a new connection send the following request to
the aannvviill(8) server:
        


    rreeqquueesstt==ccoonnnneecctt
    iiddeenntt==_s_t_r_i_n_g

The aannvviill(8) server answers with the number of simultaneous connections and the number of connections per unit time for the (service, client) combination specified with iiddeenntt:


    ssttaattuuss==00
    ccoouunntt==_n_u_m_b_e_r
    rraattee==_n_u_m_b_e_r

To register a disconnect event send the following request to the aannvviill(8) server:


    rreeqquueesstt==ddiissccoonnnneecctt
    iiddeenntt==_s_t_r_i_n_g

The aannvviill(8) server replies with:


    ssttaattuuss==00

MESSAGE RATE CONTROL



To register a message delivery request send the following
request to the aannvviill(8) server:
        


    rreeqquueesstt==mmeessssaaggee
    iiddeenntt==_s_t_r_i_n_g

The aannvviill(8) server answers with the number of message delivery requests per unit time for the (service, client) combination specified with iiddeenntt:


    ssttaattuuss==00
    rraattee==_n_u_m_b_e_r

RECIPIENT RATE CONTROL



To register a recipient request send the following request
to the aannvviill(8) server:
        


    rreeqquueesstt==rreecciippiieenntt
    iiddeenntt==_s_t_r_i_n_g

The aannvviill(8) server answers with the number of recipient addresses per unit time for the (service, client) combination specified with iiddeenntt:


    ssttaattuuss==00
    rraattee==_n_u_m_b_e_r

TLS SESSION NEGOTIATION RATE CONTROL



The features described in this section are available with
Postfix 2.3 and later.
        

To register a request for a new (i.e. not cached) TLS session send the following request to the aannvviill(8) server:


    rreeqquueesstt==nneewwttllss
    iiddeenntt==_s_t_r_i_n_g

The aannvviill(8) server answers with the number of new TLS session requests per unit time for the (service, client) combination specified with iiddeenntt:


    ssttaattuuss==00
    rraattee==_n_u_m_b_e_r

To retrieve new TLS session request rate information without updating the counter information, send:


    rreeqquueesstt==nneewwttllss__rreeppoorrtt
    iiddeenntt==_s_t_r_i_n_g

The aannvviill(8) server answers with the number of new TLS session requests per unit time for the (service, client) combination specified with iiddeenntt:


    ssttaattuuss==00
    rraattee==_n_u_m_b_e_r

SECURITY



The aannvviill(8) server does not talk to the network or to local
users, and can run chrooted at fixed low privilege.
        

The aannvviill(8) server maintains an in-memory table with information about recent clients requests. No persistent state is kept because standard system library routines are not sufficiently robust for update-intensive applications.

Although the in-memory state is kept only temporarily, this may require a lot of memory on systems that handle connections from many remote clients. To reduce memory usage, reduce the time unit over which state is kept.

DIAGNOSTICS

Problems and transactions are logged to ssyyssllooggdd(8).

Upon exit, and every aannvviill__ssttaattuuss__uuppddaattee__ttiimmee seconds, the server logs the maximal count and rate values measured, together with (service, client) information and the time of day associated with those events. In order to avoid unnecessary overhead, no measurements are done for activity that isn't concurrency limited or rate limited.

BUGS

Systems behind network address translating routers or proxies appear to have the same client address and can run into connection count and/or rate limits falsely.

In this preliminary implementation, a count (or rate) limited server process can have only one remote client at a time. If a server process reports multiple simultaneous clients, state is kept only for the last reported client.

The aannvviill(8) server automatically discards client request information after it expires. To prevent the aannvviill(8) server from discarding client request rate information too early or too late, a rate limited service should always register connect/disconnect events even when it does not explicitly limit them.

CONFIGURATION PARAMETERS



On low-traffic mail systems, changes to mmaaiinn..ccff are
picked up automatically as aannvviill(8) processes run for
only a limited amount of time. On other mail systems, use
the command "ppoossttffiixx rreellooaadd" to speed up a change.
        

The text below provides only a parameter summary. See ppoossttccoonnff(5) for more details including examples.

aannvviill__rraattee__ttiimmee__uunniitt ((6600ss)) The time unit over which client connection rates and other rates
are calculated.
aannvviill__ssttaattuuss__uuppddaattee__ttiimmee ((660000ss)) How frequently the aannvviill(8) connection and rate limiting server
logs peak usage information.
ccoonnffiigg__ddiirreeccttoorryy ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt)) The default location of the Postfix main.cf and master.cf
configuration files.
ddaaeemmoonn__ttiimmeeoouutt ((1188000000ss)) How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
iippcc__ttiimmeeoouutt ((33660000ss)) The time limit for sending or receiving information over an internal
communication channel.
mmaaxx__iiddllee ((110000ss)) The maximum amount of time that an idle Postfix daemon process waits
for an incoming connection before terminating voluntarily.
mmaaxx__uussee ((110000)) The maximal number of incoming connections that a Postfix daemon
process will service before terminating voluntarily.
pprroocceessss__iidd ((rreeaadd--oonnllyy)) The process ID of a Postfix command or daemon process.
pprroocceessss__nnaammee ((rreeaadd--oonnllyy)) The process name of a Postfix command or daemon process.
ssyysslloogg__ffaacciilliittyy ((mmaaiill)) The syslog facility of Postfix logging.
ssyysslloogg__nnaammee ((sseeee ''ppoossttccoonnff --dd'' oouuttppuutt)) The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".

SEE ALSO


smtpd(8), Postfix SMTP server
postconf(5), configuration parameters
master(5), generic daemon options

README FILES



Use "ppoossttccoonnff rreeaaddmmee__ddiirreeccttoorryy" or
"ppoossttccoonnff hhttmmll__ddiirreeccttoorryy" to locate this information.

TUNING_README, performance tuning

LICENSE



The Secure Mailer license must be distributed with this software.

HISTORY



The anvil service is available in Postfix 2.2 and later.

AUTHOR(S)


Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA