Connkill utility

From Messaging Server Technical Reference Wiki
Jump to: navigation, search

 iref item="Utilities" subitem="connutil"/>  

Terminate MTA connections coming from a specified IP address or authenticated using a specified account. The termination can be a one-time thing only affecting current connections matching the given criteria (the default), or it can be "sticky" and made to apply to future connections until a timeout value is reached. The termination request can also be applied to all dispatcher services (the default), or only to services whose names match a specified pattern.

Note: At present only SMTP services respond to the kill requests sent by this utility.


  imsimta connkill -ip=<ip-address>
  imsimta connkill -user=<user>

imsimta connkill Command Switches
Switch Default
-ip=ip-address n/a
-service=service-pattern -service=*
-sticky -nosticky
-user=uid@domain n/a


Must have superuser privileges, or be logged in as the MTA user (see the user option in restricted.cnf) in order to use this utility.


Compromised hosts and user accounts are a fact of life in modern email environments. Blocking connections from specific IP addresses and suspending user accounts, respectively, are the usual of dealing with these threats.

However, blocking future connections doesn't affect currently active connections, which can continue to send mail until transaction limits are reached, connections time out, and so on.

It is therefore desirable to have some means of terminating active connections based on IP address or authentication state. The imsimta connkill utility provides this capability.

The command has two basic forms:

  • The -ip switch is used to specify an IP address. In this case connections originating from this IP address are terminated.
  • The -user switch is used to specify a user name of the form uid@domain. In this case connections that have authenticated to the account with the specified uid and in the specified domain are terminated.

At least one of -ip and -user are required, but they cannot be specified simultaneously. Both switches require an argument.

In both cases termination will occur the next time a command is read from the client.

Normally only current connections are affected - a subsequent connection from the specified IP address or authentication using the specified user will be allowed. The optional -sticky switch can be used to change this behavior. If -sticky is specified, subsequent connections or authentications will result in an immediate disconnect until the timeout in seconds specified by the KILLED_IP_TIMEOUT and KILLED_USER_TIMEOUT TCP/IP channel-specific options, respectively. The former defaults to twice the value of the COMMAND_RECEIVE_TIME TCP/IP channel-specific option; the latter defaults to 600 seconds.

Kill requests are sent to all dispatcher services by default. The -service switch can be used to specify which services requests are sent to. The required argument is a pattern the service name must match in order to receive the request.

See also: