Connkill utility

Terminate MTA connections coming from a specified IP address or authenticated using a specified account. The termination can be a one-time thing only affecting current connections matching the given criteria (the default), or it can be "sticky" and made to apply to future connections until a timeout value is reached. The termination request can also be applied to all dispatcher services (the default), or only to services whose names match a specified pattern.

Note: At present only SMTP services respond to the kill requests sent by this utility.

Syntax
imsimta connkill -ip=<ip-address>
imsimta connkill -user=<user>

Restrictions
Must have superuser privileges, or be logged in as the MTA user (see the  option in  )  in order to use this utility.

Description
Compromised hosts and user accounts are a fact of life in modern email environments. Blocking connections from specific IP addresses and suspending user accounts, respectively, are the usual ways of dealing with these threats.

However, blocking future connections doesn't affect currently active connections, which can continue to send mail until transaction limits are reached, connections time out, and so on.

It is therefore desirable to have some means of terminating active connections based on IP address or authentication state. The connkill utility provides this capability.

The command has two basic forms:

 * The -ip switch is used to specify an IP address. In this case connections originating from this IP address are terminated.
 * The -user switch is used to specify a user name of the form uid@domain. In this case connections that have authenticated to the account with the specified uid and in the specified domain are terminated.

At least one of -ip and -user is required, but they cannot be specified simultaneously. Both switches require an argument.

In both cases termination will occur the next time a command is read from the client.

Normally only current connections are affected: a subsequent connection from the specified IP address or authentication using the specified user will be allowed. The optional  switch can be used to change this behavior. If it is specified, subsequent connections or authentications will result in an immediate disconnect until the timeout in seconds specified by the KILLED_IP_TIMEOUT and KILLED_USER_TIMEOUT TCP/IP channel-specific options, respectively, is reached. The former defaults to twice the value of the  TCP/IP channel-specific option; the latter defaults to 600 seconds.

Kill requests are sent to all dispatcher services by default. The  switch can be used to specify which services requests are sent to. The required argument is a pattern the service name must match in order to receive the request.

See also:
 * restart utility
 * MTA command line utilities
 * KILLED_IP_TIMEOUT
 * KILLED_USER_TIMEOUT