NAME
anvil - Postfix session count and request rate control
SYNOPSIS
anvil [generic Postfix daemon options]
DESCRIPTION
The Postfix anvil(8) server maintains statistics about client connection counts or client request rates. This information can be used to defend against clients that hammer a server with either too many simultaneous sessions, or with too many successive requests within a configurable time interval. This server is designed to run under control by the Postfix master(8) server.
In the following text, ident specifies a (service, client) combination. The exact syntax of that information is application-dependent; the anvil(8) server does not care.
CONNECTION COUNT/RATE CONTROL
To register a new connection send the following request to the anvil(8) server:
request=connect
ident=string
The anvil(8) server answers with the number of simultaneous connections and the number of connections per unit time for the (service, client) combination specified with ident:
status=0
count=number
rate=number
To register a disconnect event send the following request to the anvil(8) server:
request=disconnect
ident=string
The anvil(8) server replies with:
status=0
MESSAGE RATE CONTROL
To register a message delivery request send the following request to the anvil(8) server:
request=message
ident=string
The anvil(8) server answers with the number of message delivery requests per unit time for the (service, client) combination specified with ident:
status=0
rate=number
RECIPIENT RATE CONTROL
To register a recipient request send the following request to the anvil(8) server:
request=recipient
ident=string
The anvil(8) server answers with the number of recipient addresses per unit time for the (service, client) combination specified with ident:
status=0
rate=number
TLS SESSION NEGOTIATION RATE CONTROL
The features described in this section are available with Postfix 2.3 and later. To register a request for a new (i.e. not cached) TLS session send the following request to the anvil(8) server:
request=newtls
ident=string
The anvil(8) server answers with the number of new TLS session requests per unit time for the (service, client) combination specified with ident:
status=0
rate=number
To retrieve new TLS session request rate information without updating the counter information, send:
request=newtls_report
ident=string
The anvil(8) server answers with the number of new TLS session requests per unit time for the (service, client) combination specified with ident:
status=0
rate=number
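The request types above (connect, disconnect, message, recipient, newtls, newtls_report) all follow the same pattern: the caller sends a request with an ident, and anvil(8) replies with a status line plus whatever counters apply. The following added example is a small in-memory model of that exchange for all six request types, written here to illustrate the man page; it is not Postfix code. The line-oriented "key=value" framing, the constructed ident strings, the reply for an unknown request and the 60-second default time unit are assumptions (the default mirrors the rate_time_unit idea from the SECURITY section: a shorter unit means idle entries expire sooner, which the sweep() method demonstrates).

```python
# Added example: a minimal in-memory model of the anvil(8) request/reply
# exchange. It is NOT Postfix code. The "key=value" line framing, the
# ident values, the status=1 reply for unknown requests and the 60-second
# default time unit are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict


@dataclass
class _Entry:
    """State kept per ident, i.e. per (service, client) combination."""
    count: int = 0          # simultaneous connections (connect minus disconnect)
    conn_rate: int = 0      # connects seen in the current time unit
    msg_rate: int = 0       # message delivery requests in the current time unit
    rcpt_rate: int = 0      # recipient requests in the current time unit
    newtls_rate: int = 0    # new (uncached) TLS sessions in the current time unit
    window_start: float = 0.0


def parse_request(text: str) -> dict:
    """Split 'key=value' lines into a dict; lines without '=' are ignored."""
    attrs = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def format_reply(**attrs) -> str:
    """Render a reply as 'key=value' lines in the order given."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items())


class AnvilSim:
    def __init__(self, rate_time_unit: float = 60.0):
        self.unit = rate_time_unit            # assumed time unit for all rates
        self.table: Dict[str, _Entry] = {}

    def _entry(self, ident: str, now: float) -> _Entry:
        e = self.table.get(ident)
        if e is None:
            e = self.table[ident] = _Entry(window_start=now)
        elif now - e.window_start >= self.unit:
            # A new time unit starts: every per-unit rate restarts from zero;
            # the simultaneous-connection count carries over unchanged.
            e.conn_rate = e.msg_rate = e.rcpt_rate = e.newtls_rate = 0
            e.window_start = now
        return e

    def handle(self, request_text: str, now: float) -> str:
        """Process one request and return the reply text."""
        req = parse_request(request_text)
        kind = req.get("request")
        e = self._entry(req.get("ident", ""), now)
        if kind == "connect":
            e.count += 1
            e.conn_rate += 1
            return format_reply(status=0, count=e.count, rate=e.conn_rate)
        if kind == "disconnect":
            e.count = max(0, e.count - 1)
            return format_reply(status=0)
        if kind == "message":
            e.msg_rate += 1
            return format_reply(status=0, rate=e.msg_rate)
        if kind == "recipient":
            e.rcpt_rate += 1
            return format_reply(status=0, rate=e.rcpt_rate)
        if kind == "newtls":
            e.newtls_rate += 1
            return format_reply(status=0, rate=e.newtls_rate)
        if kind == "newtls_report":
            # Read-only: report the rate without updating the counter.
            return format_reply(status=0, rate=e.newtls_rate)
        return format_reply(status=1)   # assumed reply for an unknown request

    def sweep(self, now: float) -> int:
        """Drop entries with no open connections whose time unit has elapsed.
        Returns the number of entries removed (the memory the page warns about)."""
        idle = [i for i, e in self.table.items()
                if e.count == 0 and now - e.window_start >= self.unit]
        for i in idle:
            del self.table[i]
        return len(idle)


if __name__ == "__main__":
    sim = AnvilSim()
    ident = "smtp:192.0.2.10"   # constructed example ident
    for kind in ("connect", "connect", "message", "recipient",
                 "newtls", "newtls_report", "disconnect"):
        reply = sim.handle(f"request={kind}\nident={ident}\n", now=0.0)
        print(f"{kind:14s} -> {reply.strip().replace(chr(10), ' ')}")
```

Running the block replays one client through every request type and prints each reply on one line. Note that newtls_report returns the same rate as the preceding newtls without incrementing it, and that a time unit boundary resets the rates but not the simultaneous-connection count, which is exactly the distinction between count=number and rate=number in the connect reply.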
SECURITY
The anvil(8) server does not talk to the network or to local users, and can run chrooted at fixed low privilege.
The anvil(8) server maintains an in-memory table with information about recent client requests. No persistent state is kept because standard system library routines are not sufficiently robust for update-intensive applications.
Although the in-memory state is kept only temporarily, this may require a lot of memory on systems that handle connections from many remote clients. To reduce memory usage, reduce the time unit over which state is kept.