TLS and connection rate limit

On 05.12.2007 05:19:37 by Hans-Dieter.Doll

Hi,

is it possible to somehow control the connection rate limit depending
on whether STARTTLS could verify the client certificate?

I would like to set connection rate limit to a very low value (we are
heavily spammed/dossed). But I require accepting connections from a special
dialup IP client (using dynamic IP addresses) without any connection control
(actually I require arriving emails in the order they are sent).
I hoped I could put something like:
CertIssuer:... OK
into the access map.
But it seems the connection rate limit still applies.
Any other way to circumvent connection control by other means than
IP addresses?
I'm using sendmail-8.13.5

Thanks,
Hans-Dieter

PS:
It was hard work to get my sendmail server accepting the client (postfix)
certificate as verified. I didn't get it working until I read the lines:

> To authenticate the communication partner:
> 1. Copy the communication partner's CA certificate into /etc/mail/certs.
> 2. Create a symbolic link of the communication partner's CA certificate hash.
> # C=FileName_of_CA_Certificate
> # ln -s $C `openssl x509 -noout -hash < $C`.0
on http://www.brandonhutchinson.com/Using_TLS_with_Sendmail.html (thanks!)
This seems to have fixed my problem, but I still have no idea why.
Especially because I'm using the same CA certificate on client and server
(I thought this should be sufficient).
Can anyone enlighten me?

-- 

Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

Re: TLS and connection rate limit

On 05.12.2007 10:24:14 by Ingo Freund

On 05.12.2007 05:19, Hans-Dieter.Doll wrote (please find the answer below the original text):
> Hi,
>
> is it possible to somehow control the connection rate limit depending
> on whether STARTTLS could verify the client certificate?
>
> I would like to set connection rate limit to a very low value (we are
> heavily spammed/dossed). But I require accepting connections from a special
> dialup IP client (using dynamic IP addresses) without any connection
> control
> (actually I require arriving emails in the order they are sent).
> I hoped I could put something like:
> CertIssuer:... OK
> into the access map.
> But it seems the connection rate limit still applies.
> Any other way to circumvent connection control by other means than
> IP addresses?
> I'm using sendmail-8.13.5
>
> Thanks,
> Hans-Dieter
>
> PS:
> It was a hard work to get my sendmail server accepting the client (postfix)
> certificate as verified. I didn't get it working until I read the lines:
>> To authenticate the communication partner:
>> 1. Copy the communication partner's CA certificate into /etc/mail/certs.
>> 2. Create a symbolic link of the communication partner's CA
>> certificate hash.
>> # C=FileName_of_CA_Certificate
>> # ln -s $C `openssl x509 -noout -hash < $C`.0
> on http://www.brandonhutchinson.com/Using_TLS_with_Sendmail.html (thanks!)
> This seems to have fixed my problem, but I still have no idea why.
> Especially because I'm using the same CA certificate on client and server
> (I thought this should be sufficient).
> Can anyone enlighten me?
>

I have no idea if sendmail can do what you want.
Best -and for me easiest- way to control incoming connections: (linux) netfilter
I don't know where I found it, but it works really well:

# IF_DSL is the interface where sendmail listens on
# accept from the dynamic IP-Address would need updates every time
# when the IP-Address changes...

# first time (netfilter init, remember the rule number):
iptables -I INPUT -i ${IF_DSL} -p tcp --dport 25 -s -j ACCEPT

# defense against "hammer attacks" on smtp port
# 1. mark packets as "recent"
iptables -I INPUT -i ${IF_DSL} -p tcp --dport 25 -m state --state NEW -m recent --set
# 2. drop packets marked "recent" if more than "hitcount in seconds"
iptables -I INPUT -i ${IF_DSL} -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 20 --hitcount 4 -j DROP


# netfilter updates (rule number needed)
iptables -R INPUT -i ${IF_DSL} -p tcp --dport 25 -s -j ACCEPT


-Ingo.
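The rules above exempt one source address from the "recent" rate limit, and whether that exemption works depends on where the ACCEPT rule sits relative to the DROP rule. The following is an added model of that chain logic, not code from the thread: it approximates the netfilter `recent` match (`--set` stamps a NEW connection; `--update --seconds S --hitcount N` matches when the source already has at least N stamps within S seconds) and evaluates constructed connection attempts against two rule orders. The addresses, timings and rule names are assumptions made for the example.

```python
from collections import defaultdict

# Simplified model of the netfilter "recent" match (assumption: the kernel
# semantics are approximated; stamps are plain integers in seconds).
class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        self.stamps[src].append(now)            # --set: record a NEW connection

    def update(self, src, now, seconds, hitcount):
        within = [t for t in self.stamps[src] if now - t <= seconds]
        hit = len(within) >= hitcount           # --hitcount N within --seconds S
        if hit:
            self.stamps[src].append(now)        # --update refreshes on match
        return hit

# A rule is (kind, arg): "accept_src" exempts one source address,
# "recent_set" stamps the source, "recent_drop" drops once over the hitcount.
def evaluate(chain, attempts, seconds=20, hitcount=4):
    """Return the verdict ("ACCEPT"/"DROP") for each (src, time) attempt."""
    table = RecentTable()
    verdicts = []
    for src, now in attempts:
        verdict = "ACCEPT"                      # fall through: sendmail sees it
        for kind, arg in chain:
            if kind == "accept_src" and src == arg:
                break
            if kind == "recent_set":
                table.set(src, now)
            if kind == "recent_drop" and table.update(src, now, seconds, hitcount):
                verdict = "DROP"
                break
        verdicts.append(verdict)
    return verdicts

# Constructed sample: a trusted dial-up client and a hammering sender, each
# opening six SMTP connections within ten seconds (documentation addresses).
TRUSTED, HAMMER = "198.51.100.7", "203.0.113.9"
ATTEMPTS = [(ip, t) for t in range(0, 12, 2) for ip in (TRUSTED, HAMMER)]

EXEMPT_FIRST = [("accept_src", TRUSTED), ("recent_set", None), ("recent_drop", None)]
EXEMPT_LAST = [("recent_set", None), ("recent_drop", None), ("accept_src", TRUSTED)]

def verdicts_for(chain, src):
    """Verdicts for one source, in attempt order."""
    return [v for (ip, _), v in zip(ATTEMPTS, evaluate(chain, ATTEMPTS)) if ip == src]

if __name__ == "__main__":
    for name, chain in (("exempt first", EXEMPT_FIRST), ("exempt last", EXEMPT_LAST)):
        print(name, "trusted:", verdicts_for(chain, TRUSTED))
        print(name, "hammer: ", verdicts_for(chain, HAMMER))
```

With the ACCEPT rule ahead of the limiter the trusted client is never dropped, while placed after it the client is limited exactly like the hammering sender; on a real system check the resulting order with `iptables -L INPUT -n --line-numbers`.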