-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.515 2007/06/19 14:41:31 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.516 2007/06/20 14:13:39 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
PH/08 Added -Mvc to output a copy of a message in RFC 2822 format.
+PH/09 Tidied the code for creating ratelimiting keys, creating them explicitly
+ (without spaces) instead of just copying the configuration text.
+
+PH/10 Added the /noupdate option to the ratelimit ACL condition.
+
Exim version 4.67
-----------------
-$Cambridge: exim/doc/doc-txt/NewStuff,v 1.150 2007/06/19 14:41:31 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/NewStuff,v 1.151 2007/06/20 14:13:39 ph10 Exp $
New Features in Exim
--------------------
message to the standard output, in RFC 2822 format. The option can be used
only by an admin user.
+ 5. There is now a /noupdate option for the ratelimit ACL condition. It
+ computes the rate and checks the limit as normal, but it does not update
+ the saved data. This means that, in relevant ACLs, it is possible to lookup
+ the existence of a specified (or auto-generated) ratelimit key without
+ incrementing the ratelimit counter for that key.
+
+ In order for this to be useful, another ACL entry must set the rate
+ for the same key somewhere (otherwise it will always be zero).
+
+ Example:
+
+ acl_check_connect:
+ # Read the rate; if it doesn't exist or is below the maximum
+ # we update it below
+ deny ratelimit = 100 / 5m / strict / noupdate
+ log_message = RATE: $sender_rate / $sender_rate_period \
+ (max $sender_rate_limit)
+
+ [... some other logic and tests...]
+
+ warn ratelimit = 100 / 5m / strict / per_cmd
+ log_message = RATE UPDATE: $sender_rate / $sender_rate_period \
+ (max $sender_rate_limit)
+ condition = ${if le{$sender_rate}{$sender_rate_limit}}
+
+ accept
+
Version 4.67
------------
-$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.77 2007/06/14 14:18:19 ph10 Exp $
+$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.78 2007/06/20 14:13:39 ph10 Exp $
EXIM ACKNOWLEDGEMENTS
Philip Hazel
Lists created: 20 November 2002
-Last updated: 14 June 2007
+Last updated: 20 June 2007
THE OLD LIST
Patch for ${dlfunc
Patch for $message_linecount
... and many more
+Graeme Fowler Suggested patch for /noupdate with ratelimit
Ian Freislich Patch for spamd timeout problem
Giuliano Gavazzi Patches for OSX compilation
Dominic Germain Patch for exiqgrep MacOS X bug
-/* $Cambridge: exim/src/src/acl.c,v 1.76 2007/06/19 13:32:06 ph10 Exp $ */
+/* $Cambridge: exim/src/src/acl.c,v 1.77 2007/06/20 14:13:39 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
{
double limit, period;
-uschar *ss, *key;
+uschar *ss;
+uschar *key = NULL;
int sep = '/';
-BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
+BOOL leaky = FALSE, strict = FALSE, noupdate = FALSE;
BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
int old_pool, rc;
tree_node **anchor, *t;
return ERROR;
}
-/* We use the rest of the argument list following the limit as the
-lookup key, because it doesn't make sense to use the same stored data
-if the period or options are different. */
-
-key = arg;
-
/* Second is the rate measurement period and exponential smoothing time
constant. This must be strictly greater than zero, because zero leads to
run-time division errors. */
{
if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
+ else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
- else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
+ else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
+ else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
- else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
- else have_key = TRUE;
+ else key = string_sprintf("%s", ss);
}
+
if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
{
*log_msgptr = US"conflicting options for \"ratelimit\" condition";
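Review bot: In the option loop, the final `else key = string_sprintf("%s", ss);` treats every unrecognised element as the key, so a misspelt option (say `per-mail`) silently becomes the lookup key and replaces the per-host default. A second unrecognised element also overwrites the first without any diagnostic. With a constant key every client shares one counter, so the limit no longer applies per host. Rejecting a repeated key would catch part of this: `else if (key != NULL) { *log_msgptr = US"more than one key given for \"ratelimit\" condition"; return ERROR; }` placed before the final `else`. The loop header is outside the hunk.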
}
/* Default option values */
+
if (!strict) leaky = TRUE;
if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
-/* If there is no explicit key, use the sender_host_address. If there is no
-sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
+/* Create the lookup key. If there is no explicit key, use sender_host_address.
+If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
+omit it. The smoothing constant (sender_rate_period) and the per_xxx options
+are added to the key because they alter the meaning of the stored data. */
-if (!have_key && sender_host_address != NULL)
- key = string_sprintf("%s / %s", key, sender_host_address);
+if (key == NULL)
+ key = (sender_host_address == NULL)? US"" : sender_host_address;
+
+key = string_sprintf("%s/%s/%s/%s",
+ sender_rate_period,
+ per_byte? US"per_byte" :
+ per_cmd? US"per_cmd" :
+ per_mail? US"per_mail" : US"per_conn",
+ strict? US"strict" : US"leaky",
+ key);
HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
limit, period, key);
-/* See if we have already computed the rate by looking in the relevant tree. For
-per-connection rate limiting, store tree nodes and dbdata in the permanent pool
-so that they survive across resets. */
+/* See if we have already computed the rate by looking in the relevant tree.
+For per-connection rate limiting, store tree nodes and dbdata in the permanent
+pool so that they survive across resets. */
anchor = NULL;
old_pool = store_pool;
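Review bot: The key built by `string_sprintf("%s/%s/%s/%s", ...)` embeds the period text, the per_xxx choice and strict/leaky, but the comment does not say that a `/noupdate` check only sees data written by a condition with the same three values. The NewStuff example in this commit reads with `100 / 5m / strict / noupdate` (per_mail by default) and writes with `100 / 5m / strict / per_cmd`. By this code those address different keys, so the read-only check would never see the updated rate. I would add `A noupdate check must use the same period text, per_xxx and strict/leaky options as the condition that updates the key.` to the comment and align the example. Because `sender_rate_period` is used as written, `1h` and `60m` presumably also give distinct keys.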
{
dbd = t->data.ptr;
/* The following few lines duplicate some of the code below. */
- if (dbd->rate < limit) rc = FAIL;
- else rc = OK;
+ rc = (dbd->rate < limit)? FAIL : OK;
store_pool = old_pool;
sender_rate = string_sprintf("%.1f", dbd->rate);
HDEBUG(D_acl)
}
/* We aren't using a pre-computed rate, so get a previously recorded
-rate from the database, update it, and write it back. If there's no
-previous rate for this key, create one. */
+rate from the database, update it, and write it back when required. If there's
+no previous rate for this key, create one. */
dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
if (dbm == NULL)
the initial rate of 0.0) when the rate limit is zero (i.e. the client should
be completely blocked). */
-if (dbd->rate < limit) rc = FAIL;
- else rc = OK;
+rc = (dbd->rate < limit)? FAIL : OK;
/* Update the state if the rate is low or if we are being strict. If we
are in leaky mode and the sender's rate is too high, we do not update
the recorded rate in order to avoid an over-aggressive sender's retry
-rate preventing them from getting any email through. */
+rate preventing them from getting any email through. If noupdate is set,
+do not do any updates. */
-if (rc == FAIL || !leaky)
+if ((rc == FAIL || !leaky) && !noupdate)
+ {
dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
+ HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
+ }
+else
+ {
+ HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
+ noupdate? "noupdate set" : "over the limit, but leaky");
+ }
+
dbfn_close(dbm);
/* Store the result in the tree for future reference, if necessary. */
-if (anchor != NULL)
+if (anchor != NULL && !noupdate)
{
t = store_get(sizeof(tree_node) + Ustrlen(key));
t->data.ptr = dbd;
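Review bot: The new `debug_printf("ratelimit db updated\n")` is printed without looking at the result of `dbfn_write()`, so the debug trace reports an update even when the write did not succeed. If `dbfn_write` returns a status (its declaration is not visible on this page), testing it and printing a distinct message on failure would keep the trace reliable when diagnosing why a limit is not being enforced. The enclosing function starts and ends outside the hunk.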
RRATELIMIT=0/1h/strict
DRATELIMIT=0/1h/per_byte/strict
+ACLRCPT=check_rcpt
exim_path = EXIM_PATH
host_lookup_order = bydns
# ----- Main settings -----
-acl_smtp_rcpt = check_rcpt
+acl_smtp_rcpt = ACLRCPT
acl_smtp_data = check_data
qualify_domain = test.ex
sender_rate_period=$sender_rate_period
accept
+check_rcpt2:
+ warn ratelimit = RRATELIMIT/noupdate
+ log_message = RCPT2-1: \
+ sender_rate=$sender_rate \
+ sender_rate_limit=$sender_rate_limit \
+ sender_rate_period=$sender_rate_period
+
+ warn ratelimit = RRATELIMIT
+ log_message = RCPT2-2: \
+ sender_rate=$sender_rate \
+ sender_rate_limit=$sender_rate_limit \
+ sender_rate_period=$sender_rate_period
+
+ accept
+
check_data:
warn ratelimit = DRATELIMIT
log_message = DATA: \
.
quit
****
+exim -bh V4NET.9.8.6 -DRRATELIMIT=1/1m/per_rcpt -DACLRCPT=check_rcpt2
+ehlo test.ex
+mail from:<>
+rcpt to:<a@b>
+rcpt to:<b@c>
+data
+Here is some data.
+.
+quit
+****
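Review bot: The added session exercises `/noupdate` only while the rate is under the limit; in the expected debug output both `noupdate` checks end in `warn: condition test failed`. A case where the stored rate is already over the limit would cover the path that deny rules rely on: the `noupdate` condition succeeds and `ratelimit db not updated: noupdate set` is logged with the rate left unchanged. Further `rcpt to:` lines or a lower limit would presumably be enough, though that depends on the smoothing arithmetic, which is not shown on this page.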
>>> using ACL "check_rcpt"
>>> processing "warn"
>>> check ratelimit = 0/1h/strict
->>> ratelimit condition limit=0 period=3600 key=1h/strict / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_mail/strict/V4NET.9.8.7
>>> ratelimit initializing new key's data
+>>> ratelimit db updated
>>> ratelimit computed rate 0.0
>>> warn: condition test succeeded
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=0.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_data"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_byte/strict
->>> ratelimit condition limit=0 period=3600 key=1h/per_byte/strict / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_byte/strict/V4NET.9.8.7
>>> ratelimit initializing new key's data
+>>> ratelimit db updated
>>> ratelimit computed rate 0.0
>>> warn: condition test succeeded
LOG: 10HmaX-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=0.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_rcpt"
>>> processing "warn"
>>> check ratelimit = 0/1h/strict
->>> ratelimit condition limit=0 period=3600 key=1h/strict / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_mail/strict/V4NET.9.8.7
+>>> ratelimit db updated
>>> ratelimit computed rate 1.0
>>> warn: condition test succeeded
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_data"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_byte/strict
->>> ratelimit condition limit=0 period=3600 key=1h/per_byte/strict / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_byte/strict/V4NET.9.8.7
+>>> ratelimit db updated
>>> ratelimit computed rate 19.0
>>> warn: condition test succeeded
LOG: 10HmaY-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=19.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_rcpt"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_conn/strict
->>> ratelimit condition limit=0 period=3600 key=1h/per_conn/strict / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_conn/strict/V4NET.9.8.7
>>> ratelimit initializing new key's data
+>>> ratelimit db updated
>>> ratelimit computed rate 0.0
>>> warn: condition test succeeded
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=0.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_data"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_conn/strict
->>> ratelimit condition limit=0 period=3600 key=1h/per_conn/strict / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_conn/strict/V4NET.9.8.7
>>> ratelimit found pre-computed rate 0.0
>>> warn: condition test succeeded
LOG: 10HmaZ-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=0.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_rcpt"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_conn/strict
->>> ratelimit condition limit=0 period=3600 key=1h/per_conn/strict / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_conn/strict/V4NET.9.8.7
+>>> ratelimit db updated
>>> ratelimit computed rate 1.0
>>> warn: condition test succeeded
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_data"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_conn/strict
->>> ratelimit condition limit=0 period=3600 key=1h/per_conn/strict / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_conn/strict/V4NET.9.8.7
>>> ratelimit found pre-computed rate 1.0
>>> warn: condition test succeeded
LOG: 10HmbA-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=1.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_rcpt"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_rcpt
->>> ratelimit condition limit=0 period=3600 key=1h/per_rcpt / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_cmd/leaky/V4NET.9.8.7
>>> ratelimit initializing new key's data
+>>> ratelimit db not updated: over the limit, but leaky
>>> ratelimit computed rate 0.0
>>> warn: condition test succeeded
LOG: H=(test.ex) [V4NET.9.8.7] Warning: RCPT: sender_rate=0.0 sender_rate_limit=0 sender_rate_period=1h
>>> using ACL "check_rcpt"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_rcpt
->>> ratelimit condition limit=0 period=3600 key=1h/per_rcpt / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_cmd/leaky/V4NET.9.8.7
>>> ratelimit initializing new key's data
+>>> ratelimit db not updated: over the limit, but leaky
>>> ratelimit computed rate 0.0
>>> warn: condition test succeeded
>>> processing "accept"
>>> using ACL "check_rcpt"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_rcpt
->>> ratelimit condition limit=0 period=3600 key=1h/per_rcpt / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_cmd/leaky/V4NET.9.8.7
>>> ratelimit initializing new key's data
+>>> ratelimit db not updated: over the limit, but leaky
>>> ratelimit computed rate 0.0
>>> warn: condition test succeeded
>>> processing "accept"
>>> using ACL "check_data"
>>> processing "warn"
>>> check ratelimit = 0/1h/per_conn
->>> ratelimit condition limit=0 period=3600 key=1h/per_conn / V4NET.9.8.7
+>>> ratelimit condition limit=0 period=3600 key=1h/per_conn/leaky/V4NET.9.8.7
>>> ratelimit initializing new key's data
+>>> ratelimit db not updated: over the limit, but leaky
>>> ratelimit computed rate 0.0
>>> warn: condition test succeeded
LOG: 10HmbB-0005vi-00 H=(test.ex) [V4NET.9.8.7] Warning: DATA: sender_rate=0.0 sender_rate_limit=0 sender_rate_period=1h
>>> processing "deny"
>>> deny: condition test succeeded
LOG: 10HmbB-0005vi-00 H=(test.ex) [V4NET.9.8.7] F=<> rejected after DATA
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
+>>> test.ex in helo_lookup_domains? no (end of list)
+>>> host in pipelining_advertise_hosts? yes (matched "*")
+>>> using ACL "check_rcpt2"
+>>> processing "warn"
+>>> check ratelimit = 1/1m/per_rcpt/noupdate
+>>> ratelimit condition limit=1 period=60 key=1m/per_cmd/leaky/V4NET.9.8.6
+>>> ratelimit initializing new key's data
+>>> ratelimit db not updated: noupdate set
+>>> ratelimit computed rate 0.0
+>>> warn: condition test failed
+>>> processing "warn"
+>>> check ratelimit = 1/1m/per_rcpt
+>>> ratelimit condition limit=1 period=60 key=1m/per_cmd/leaky/V4NET.9.8.6
+>>> ratelimit initializing new key's data
+>>> ratelimit db updated
+>>> ratelimit computed rate 0.0
+>>> warn: condition test failed
+>>> processing "accept"
+>>> accept: condition test succeeded
+>>> using ACL "check_rcpt2"
+>>> processing "warn"
+>>> check ratelimit = 1/1m/per_rcpt/noupdate
+>>> ratelimit condition limit=1 period=60 key=1m/per_cmd/leaky/V4NET.9.8.6
+>>> ratelimit db not updated: noupdate set
+>>> ratelimit computed rate 1.0
+>>> warn: condition test failed
+>>> processing "warn"
+>>> check ratelimit = 1/1m/per_rcpt
+>>> ratelimit condition limit=1 period=60 key=1m/per_cmd/leaky/V4NET.9.8.6
+>>> ratelimit db updated
+>>> ratelimit computed rate 1.0
+>>> warn: condition test failed
+>>> processing "accept"
+>>> accept: condition test succeeded
+>>> host in ignore_fromline_hosts? no (option unset)
+>>> using ACL "check_data"
+>>> processing "warn"
+>>> check ratelimit = 0/1h/per_byte/strict
+>>> ratelimit condition limit=0 period=3600 key=1h/per_byte/strict/V4NET.9.8.6
+>>> ratelimit initializing new key's data
+>>> ratelimit db updated
+>>> ratelimit computed rate 0.0
+>>> warn: condition test succeeded
+LOG: 10HmbC-0005vi-00 H=(test.ex) [V4NET.9.8.6] Warning: DATA: sender_rate=0.0 sender_rate_limit=0 sender_rate_period=1h
+>>> processing "deny"
+>>> deny: condition test succeeded
+LOG: 10HmbC-0005vi-00 H=(test.ex) [V4NET.9.8.6] F=<> rejected after DATA
354 Enter message, ending with "." on a line by itself\r
550 Administrative prohibition\r
221 myhost.test.ex closing connection\r
+
+**** SMTP testing session as if from host V4NET.9.8.6
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello test.ex [V4NET.9.8.6]\r
+250-SIZE 52428800\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+550 Administrative prohibition\r
+221 myhost.test.ex closing connection\r