Email ???

Steve Friedman steve at adsi-m4.com
Tue May 1 13:41:13 UTC 2007


On Tue, 1 May 2007, Tim wrote:

> On Mon, 2007-04-30 at 12:40 -0400, Steve Friedman wrote:
>> The general consensus on the postfix mailing idea is that Greet Pause is a
>> bad idea (TM).  What it ends up doing is (a) delay legitimate mail and (b)
>> DoS your own server as you now take longer to handle legitimate mail.  Any
>> mail source that would fail greet pause will also fail numerous other
>> checks that don't inconvenience your intended users (and your own system).
>
> How does it work?  If it pauses the current connection with that server,
> independently of any other system trying to send you mail, then only one
> thing at a time gets delayed, so it shouldn't be a DOS.  But if sendmail
> pauses completely while one thing talks to it, and won't do anything
> else until that task is completed, yes, I see potential problems.
>

It's a DoS because the system can have only a finite number of sockets 
open (this is both a kernel limit and a postfix tuning parameter limit), 
and greet pause ties them up doing nothing for a period of time.  Recall 
that postfix is written to support many operating systems and not all OSs 
(especially the older ones, e.g., Linux 2.4) support epoll (enabling 
greater than 1024 elements in the select()).  Consequently, on an active 
server, legitimate connections will be denied because of a lack of an 
available socket and thus you've denied service to a legit user.

Steve
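
The socket-exhaustion argument above can be put in numbers. This is an added example, not part of the original message: an Erlang-B loss model of the connection slots. The arrival rate, session time and 5-second pause are constructed figures, and the model assumes Poisson arrivals with refused connections not queued. Only the 1024 limit comes from the post.

```python
# Added example: how a greet pause raises the chance that a new SMTP
# connection finds no free socket. Traffic figures are constructed.

def erlang_b(offered_load: float, slots: int) -> float:
    """Probability that a new connection finds all `slots` busy.

    Erlang-B loss formula via the stable recurrence
    B(0) = 1, B(n) = a*B(n-1) / (n + a*B(n-1)).
    """
    b = 1.0
    for n in range(1, slots + 1):
        b = offered_load * b / (n + offered_load * b)
    return b


def slot_pressure(arrivals_per_s: float, session_s: float,
                  pause_s: float, slots: int) -> dict:
    """Offered load and refusal probability for a given greet pause."""
    # The pause is added to every connection's hold time, legitimate or not.
    hold_s = session_s + pause_s
    # Little's law: mean sockets in use = arrival rate x hold time.
    offered_load = arrivals_per_s * hold_s
    return {
        "hold_s": hold_s,
        "offered_load": offered_load,
        "p_refused": erlang_b(offered_load, slots),
    }


if __name__ == "__main__":
    SLOTS = 1024      # select() limit mentioned in the post
    RATE = 200.0      # constructed: connections per second on a busy server
    SESSION = 2.0     # constructed: seconds per SMTP session without a pause
    for pause in (0.0, 5.0):  # constructed: no pause vs. a 5 s greet pause
        r = slot_pressure(RATE, SESSION, pause, SLOTS)
        print(f"pause={pause:>3.0f}s  hold={r['hold_s']:.0f}s  "
              f"load={r['offered_load']:.0f} sockets  "
              f"refused={r['p_refused']:.2%}")
```

With these figures the same traffic goes from about 400 sockets in use to a demand of 1400 against 1024 available, so roughly a quarter of new connections are refused regardless of who is sending them.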
