Rate-limiting emails sent from UWC

From MsgServerDocWiki


Rate-limiting emails sent from Messenger Express and Communications Express/UWC

Rate-limiting/throttling of email is usually based on the IP address of the email client. This allows messaging server administrators to limit their exposure to denial-of-service attacks from external email servers. When it comes to limiting emails from Messenger Express (ME) and Communications Express (CE)/UWC, however, all emails are 'seen' to come from the single IP address of the webmail server even though any number of different users may have sent them. Restricting based on IP address is therefore inappropriate, as it offers insufficient granularity: one abusive user would throttle everyone behind the same webmail server.

The metermaid utility introduced in Messaging Server 6.3 provides a mechanism to restrict based on the user who composed the email in the webmail interface.

These steps were verified on a 6.3 Messaging Server at patch level 120229-23 (Solaris Sparc x86).

NOTE: Metermaid currently collects and acts on its counters on a per-MTA basis. Sites that have a load-balanced pool of MTA servers accepting ME and CE/UWC emails will therefore not be able to restrict as precisely (each MTA keeps its own counts, so a user's effective quota is multiplied by the number of MTAs) unless every MTA is configured to use a single metermaid server, which introduces a single point of failure.


Isolate traffic from Messenger Express and Communications Express/UWC

There are a number of advantages to isolating Messenger Express (ME) and Communications Express(CE)/UWC sourced email.

  • easy to monitor and correlate ME and CE/UWC sourced email traffic. Emails submitted via ME and CE/UWC will have a source channel of tcp_webmail in the mail.log file.
  • email submission not affected by standard traffic load. Delays caused by a massive number of emails arriving from other servers on port 25 will no longer affect submissions from ME and CE/UWC, because the two no longer share the same dispatcher service.
  • change control. It is easy to swap back to the old settings just by changing the port used by webmail. This limits the impact the change has on your existing email delivery environment.
  • custom restrictions. If you wanted to further restrict the number of recipients per email sent via ME and CE/UWC without impacting other clients such as Mozilla Thunderbird (which uses a different submission port), you could apply the restriction to just the new tcp_webmail source channel.

To isolate the traffic you need to create a new dispatcher listener on port 3025 and have connections to that port configured as the new source channel "tcp_webmail" e.g.:

  • Add the following to dispatcher.cnf.
!
! UWC upload SMTP server
!
[SERVICE=SMTP_WEB]
PORT=3025
IMAGE=IMTA_BIN:tcp_smtp_server
LOGFILE=IMTA_LOG:tcp_webmail_server.log
PARAMETER=CHANNEL=tcp_webmail
STACKSIZE=2048000
! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
! host IP (dotted quad) if the dispatcher needs to listen on a specific
! interface (e.g. in a HA environment).
!INTERFACE_ADDRESS=
  • Create a new MTA channel by adding the following to imta.cnf
!
! tcp_webmail
tcp_webmail smtp missingrecipientpolicy 4
tcp_webmail-daemon

Create metermaid configuration

  • Enable metermaid as described in the documentation. Choose a strong, site-specific value for metermaid.config.secret (the example below uses 'password' purely as a placeholder): the secret is what authenticates MTA connections to the metermaid server, and it is sent in clear text in the HELLO command.

http://docs.sun.com/app/docs/doc/819-4428/gepql?l=en&a=view

e.g.

./configutil -o local.metermaid.enable -v yes
./configutil -o metermaid.config.secret -v password
./configutil -o metermaid.config.serverhost -v localhost
./start-msg metermaid
  • Add a throttle table for metermaid
./configutil -o metermaid.table.webmail_msg_throttle.data_type -v string
./configutil -o metermaid.table.webmail_msg_throttle.quota -v 5
./configutil -o metermaid.table.webmail_msg_throttle.options -v nocase
./configutil -o metermaid.table.webmail_msg_throttle.quota_time -v 1800

The above table allows each key (here, each sender address) 5 hits every 1800 seconds (30 minutes). quota_time is in seconds, and the nocase option makes key comparison case-insensitive, so Some.User@mydomain.com and some.user@mydomain.com share one counter.

Create mappings rules

  • To limit the number of emails sent by a given user, add the following to the FROM_ACCESS mapping table. The key passed to metermaid is $3, the from-address: wildcards are numbered from $0 in the order they appear, and the literal tcp_webmail field captures nothing, so the from-address is the fourth wildcard even though it is the fifth field. Once access to port 3025 is restricted to the webmail servers (see below), this envelope address is one supplied by the webmail server on behalf of the logged-in user rather than one chosen freely by an arbitrary SMTP client.
FROM_ACCESS

! restrict number of emails sent per-user in uwc
! port-access-probe-info|app-info|submit-type|src-channel|from-address|auth-from
   *|SMTP*|*|tcp_webmail|*|*    $C$[IMTA_LIB:check_metermaid.so,throttle,webmail_msg_throttle,$3]\
$NExcessive$ email$ sent$ -$ Please$ try$ again$ later$E
  • Recompile the MTA configuration and restart
./imsimta cnbuild; ./imsimta restart

Test & Debug

  • Enable metermaid debug logging
./configutil -o logfile.metermaid.loglevel -v Debug
./stop-msg metermaid; ./start-msg metermaid
  • Send a test email and check that the counter for the sender increments in the metermaid log

Send test emails using an email client such as Mozilla Thunderbird to the MTA on port 3025 (until PORT_ACCESS is locked down as in the section below, any host can reach that port). The log should then look like the following. Note that at Debug level the shared secret is written to the log in clear ("HELLO password"), and that the server binds to 0.0.0.0, i.e. all interfaces: return the loglevel to its previous value once testing is complete, and make sure the metermaid port is reachable only from the MTA hosts, since any client that knows the secret can query and increment the tables.

[18/Oct/2007:09:27:07 +1000] meg [27419]: General Information: Log created (1192663627)
[18/Oct/2007:09:27:07 +1000] meg [27419]: General Notice: Creating table "webmail_msg_throttle" - type=throttle, data_type=string, storage=hash, max_entries=1000, quota=5, quota_time=1800, options=nocase
[18/Oct/2007:09:27:07 +1000] meg [27419]: General Notice: MeterMaid build date: Aug  3 2007 17:13:42
[18/Oct/2007:09:27:07 +1000] meg [27419]: General Information: Binding to 0.0.0.0 on port 63837
[18/Oct/2007:09:27:07 +1000] meg [27419]: General Notice: Ready!
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Information: (1) Connection accepted from 127.0.0.1
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Debug: (1) Received: "HELLO password" from client
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Information: (1) Connection authenticated
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Debug: (1) Sending: "+ Welcome!"
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Debug: (1) Received: "CONNECT webmail_msg_throttle some.user@mydomain.com" from client
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Debug: (1) command=CONNECT, table=webmail_msg_throttle, argument=blah
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Information: (1) Current status for "some.user@mydomain.com" in webmail_msg_throttle: 1 / 5
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Debug: (1) Sending: "+ OK"
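An added example (not from the page) of turning that Debug output into something actionable: a Python script that reads the latest "Current status" line per user and table, lists senders over quota or approaching it, and flags the HELLO line that exposes the shared secret. The sample log embedded in the script is constructed in the format of the excerpt above; the user names, counts and the second table are made up, and treating a count above the quota as "rejected" is an assumption consistent with the rule's $N action.

```python
import re

# Added illustration (not part of the page): reading a metermaid Debug log.

STATUS_RE = re.compile(r'Current status for "([^"]+)" in (\w+): (\d+) / (\d+)')
HELLO_RE = re.compile(r'Received: "HELLO (\S+)" from client')

# Constructed sample in the format of the excerpt above; the users, counts
# and second table are made up.
SAMPLE_LOG = """\
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Debug: (1) Received: "HELLO password" from client
[18/Oct/2007:09:27:26 +1000] meg [27419]: General Information: (1) Current status for "some.user@mydomain.com" in webmail_msg_throttle: 1 / 5
[18/Oct/2007:09:31:02 +1000] meg [27419]: General Information: (2) Current status for "some.user@mydomain.com" in webmail_msg_throttle: 2 / 5
[18/Oct/2007:09:40:11 +1000] meg [27419]: General Information: (3) Current status for "bulk.sender@mydomain.com" in webmail_msg_throttle: 5 / 5
[18/Oct/2007:09:40:40 +1000] meg [27419]: General Information: (4) Current status for "bulk.sender@mydomain.com" in webmail_msg_throttle: 6 / 5
[18/Oct/2007:09:41:00 +1000] meg [27419]: General Information: (5) Current status for "bulk.sender@mydomain.com" in webmail_rcpt_throttle: 950 / 1000
"""


def latest_status(log_text):
    """Map (table, key) to (count, quota) from the most recent status line
    for that key; later lines overwrite earlier ones."""
    status = {}
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            key, table, count, quota = m.groups()
            status[(table, key)] = (int(count), int(quota))
    return status


def over_quota(log_text):
    """Keys whose latest count exceeds the quota, i.e. whose submissions the
    FROM_ACCESS / ORIG_SEND_ACCESS rule is now rejecting (assumption: a
    count above quota is what makes check_metermaid report 'over')."""
    return sorted(k for k, (c, q) in latest_status(log_text).items() if c > q)


def approaching_quota(log_text, fraction=0.8):
    """Keys at or above `fraction` of their quota: worth a look before the
    help-desk calls start, and a sanity check that quota is not set too low."""
    return sorted(k for k, (c, q) in latest_status(log_text).items()
                  if c >= fraction * q)


def leaked_secrets(log_text):
    """Shared secrets the Debug level writes to the log in clear.  Anything
    found here is a reason to lower the loglevel and rotate the secret."""
    return [m.group(1) for m in map(HELLO_RE.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    for table, key in over_quota(SAMPLE_LOG):
        print("over quota: %s in %s" % (key, table))
    print("secrets in log:", leaked_secrets(SAMPLE_LOG))
```

Run it against the real log file instead of SAMPLE_LOG (for example `latest_status(open(path).read())`) to see which webmail users are currently being refused and whether the quota is pitched at the right level for your user base.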

Enable rate-limiting at Communications Express/UWC level

Enabling the rate-limiting is then as simple as changing the port that the ME and CE/UWC interfaces use to submit emails to the MTA, e.g.

./configutil -o service.http.smtpport -v 3025
./stop-msg http; ./start-msg http

To back out the change, simply restore service.http.smtpport to the previous setting and restart the http daemon, e.g.

./configutil -o service.http.smtpport -v 25
./stop-msg http; ./start-msg http

Restrict access to new source channel

Once you are happy that the rate-limiting is working as desired, it is advisable to restrict access to port 3025 to only hosts running the webmail server.

This can be achieved by adding a rule to the PORT_ACCESS mappings table e.g.

PORT_ACCESS 

! Restrict access to port 3025 to just webmail servers
! TCP|server-address|server-port|client-address|client-port
  TCP|*|3025|127.0.0.1|*                $Y
  TCP|*|3025|10.2.3.5|*                 $Y
  TCP|*|3025|*|*                        $N550$ Access$ denied$ to$ Webmail$ submission$ port

The above rules accept connections to port 3025 only from localhost (127.0.0.1) and from a second webmail server with the IP address 10.2.3.5, and reject all others. Mapping tables are evaluated first-match, so the $Y entries must appear before the catch-all $N entry, or everything will be rejected. If the local webmail server connects to the MTA using the host's own address rather than 127.0.0.1, add that address as well, since it is the client-address field that is matched.

Advanced

  • Scaling the metermaid server

By default each metermaid table holds only 1,000 entries. If your environment is likely to have more than 1,000 distinct senders within a quota_time period, raise the per-table max_entries parameter accordingly. More information on this parameter is available in the manual:

http://docs.sun.com/app/docs/doc/819-4428/gdoqb?l=en&a=view

  • Restricting based on recipients

This can be achieved by adding a mapping rule to the ORIG_SEND_ACCESS mappings table, e.g. Because ORIG_SEND_ACCESS is probed once for each envelope recipient, every recipient counts against the quota and a rejection applies to that recipient; here $0 is the from-address, the first wildcard in the pattern.

ORIG_SEND_ACCESS

! restrict number of total recipients sent to by a user
! src-channel|from-address|dst-channel|to-address
  tcp_webmail|*|*|*            $C$[IMTA_LIB:check_metermaid.so,throttle,webmail_rcpt_throttle,$0]\
$NExcessive$ email$ sent$ -$ Please$ try$ again$ later$E

Add a new throttle table as well.

./configutil -o metermaid.table.webmail_rcpt_throttle.data_type -v string
./configutil -o metermaid.table.webmail_rcpt_throttle.quota -v 1000
./configutil -o metermaid.table.webmail_rcpt_throttle.options -v nocase
./configutil -o metermaid.table.webmail_rcpt_throttle.quota_time -v 600

The above table restricts each webmail user to 1000 recipients in total every 600 seconds (10 minutes).
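As an added illustration (not MTA or MeterMaid code) of how this differs from the per-message rule: ORIG_SEND_ACCESS is probed once per envelope recipient, so one message with three recipients takes three hits from webmail_rcpt_throttle, keyed on $0 (the from-address), and only the recipient that pushes the count over the quota is refused. The recipient addresses are constructed, and the sliding-window counter that counts refused probes too is an assumption for the example.

```python
# Added illustration (not MTA or MeterMaid code): ORIG_SEND_ACCESS is probed
# once per envelope recipient, so the recipient table counts recipients.


def orig_send_access_probe(src_channel, sender, dst_channel, recipient):
    """Build the probe src-channel|from-address|dst-channel|to-address."""
    return "|".join([src_channel, sender, dst_channel, recipient])


class RecipientThrottle:
    """`quota` hits per `quota_time` seconds per lower-cased key (nocase).
    Assumption: sliding window, refused probes included; the page does not
    say how MeterMaid ages its counts."""

    def __init__(self, quota=1000, quota_time=600):
        self.quota, self.quota_time, self.hits = quota, quota_time, {}

    def connect(self, key, now):
        recent = [t for t in self.hits.get(key.lower(), []) if now - t < self.quota_time]
        recent.append(now)
        self.hits[key.lower()] = recent
        return len(recent) <= self.quota


def submit(table, sender, recipients, now, src_channel="tcp_webmail"):
    """One accept/reject decision per recipient, as the MTA makes while
    handling the RCPT TO commands of a single submission.  A refused
    recipient gets the $N text; the other recipients are unaffected."""
    decisions = []
    for rcpt in recipients:
        probe = orig_send_access_probe(src_channel, sender, "tcp_local", rcpt)
        fields = probe.split("|")
        if fields[0].lower() != "tcp_webmail":  # tcp_webmail|*|*|* does not match
            decisions.append(True)
            continue
        decisions.append(table.connect(fields[1], now))  # $0 = from-address
    return decisions


def demo():
    """998 recipients, then 3 more inside 10 minutes: the 1001st is refused."""
    table = RecipientThrottle(quota=1000, quota_time=600)
    sender = "some.user@mydomain.com"
    mailing = ["r%d@example.com" % i for i in range(998)]  # constructed recipients
    first = submit(table, sender, mailing, now=0)
    second = submit(table, sender, ["a@example.com", "b@example.com", "c@example.com"], now=60)
    # The same sender via port 25 (tcp_local) is outside the rule entirely.
    via_port_25 = submit(table, sender, ["a@example.com"], now=61, src_channel="tcp_local")
    later = submit(table, sender, ["d@example.com"], now=700)  # window has passed
    return all(first), second, via_port_25, later


if __name__ == "__main__":
    print(demo())  # (True, [True, True, False], [True], [True])
```

The practical consequence is that a recipient quota is a ceiling on fan-out rather than on message count: a user who sends one message to 1000 addresses is throttled exactly as hard as one who sends 1000 single-recipient messages, which is usually the intended behaviour for webmail abuse.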

  • Additional thoughts or ideas -- add them in here??