ANVIL(8)                                                              ANVIL(8)

NAME
       anvil - Postfix session count and request rate control

SYNOPSIS
       anvil [generic Postfix daemon options]

DESCRIPTION
       The Postfix anvil(8) server maintains statistics about
       client connection counts or client request rates. This
       information can be used to defend against clients that
       hammer a server with either too many simultaneous
       sessions, or with too many successive requests within a
       configurable time interval. This server is designed to run
       under control by the Postfix master(8) server.

       In the following text, ident specifies a (service, client)
       combination. The  exact  syntax  of  that  information  is
       application-dependent;  the anvil(8) server does not care.

CONNECTION COUNT/RATE CONTROL
       To register a new connection send the following request to
       the anvil(8) server:

           request=connect
           ident=string

       The anvil(8) server answers with the number of simultaneous
       connections and the number of connections per unit time
       for the (service, client) combination specified with
       ident:

           status=0
           count=number
           rate=number

       To register a disconnect event send the following  request
       to the anvil(8) server:

           request=disconnect
           ident=string

       The anvil(8) server replies with:

           status=0

MESSAGE RATE CONTROL
       To  register a message delivery request send the following
       request to the anvil(8) server:

           request=message
           ident=string

       The anvil(8) server answers with  the  number  of  message
       delivery  requests per unit time for the (service, client)
       combination specified with ident:

           status=0
           rate=number

RECIPIENT RATE CONTROL
       To register a recipient request send the following request
       to the anvil(8) server:

           request=recipient
           ident=string

       The anvil(8) server answers with the number of recipient
       addresses per unit time for the (service, client)
       combination specified with ident:

           status=0
           rate=number

TLS SESSION NEGOTIATION RATE CONTROL
       The  features described in this section are available with
       Postfix 2.3 and later.

       To register a request for a new (i.e. not cached) TLS
       session send the following request to the anvil(8) server:

           request=newtls
           ident=string

       The  anvil(8)  server  answers  with the number of new TLS
       session requests per unit time for the  (service,  client)
       combination specified with ident:

           status=0
           rate=number

       To retrieve new TLS session request rate information
       without updating the counter information, send:

           request=newtls_report
           ident=string

       The anvil(8) server answers with the  number  of  new  TLS
       session  requests  per unit time for the (service, client)
       combination specified with ident:

           status=0
           rate=number
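
       The request/reply pairs from the sections above, modelled as an
       added Python sketch (not Postfix code). The fixed-window counter
       reset, the dictionary message shape and the status=-1 failure
       reply are assumptions of the sketch.

```python
class AnvilModel:
    """Toy in-memory model of the anvil(8) request/reply tables (not Postfix code)."""

    # request name -> per-ident rate counter it increments
    RATE_REQUESTS = {"message": "mail", "recipient": "rcpt", "newtls": "ntls"}

    def __init__(self, time_unit=60):
        self.time_unit = time_unit  # plays the role of anvil_rate_time_unit
        self.table = {}             # ident -> state; nothing is persisted

    def _entry(self, ident, now):
        e = self.table.get(ident)
        # Assumption: fixed window. Rate counters restart once the time unit
        # has elapsed; the simultaneous-connection count is carried over.
        if e is None or now - e["start"] >= self.time_unit:
            count = e["count"] if e else 0
            e = {"start": now, "count": count, "conn": 0, "mail": 0, "rcpt": 0, "ntls": 0}
            self.table[ident] = e
        return e

    def handle(self, request, now):
        kind, ident = request.get("request"), request.get("ident")
        if not ident:
            return {"status": -1}   # assumed failure status
        if kind == "newtls_report":
            # Read-only query: must not create or update any counter.
            e = self.table.get(ident)
            live = e is not None and now - e["start"] < self.time_unit
            return {"status": 0, "rate": e["ntls"] if live else 0}
        e = self._entry(ident, now)
        if kind == "connect":
            e["count"] += 1
            e["conn"] += 1
            return {"status": 0, "count": e["count"], "rate": e["conn"]}
        if kind == "disconnect":
            e["count"] = max(0, e["count"] - 1)
            return {"status": 0}
        if kind in self.RATE_REQUESTS:
            field = self.RATE_REQUESTS[kind]
            e[field] += 1
            return {"status": 0, "rate": e[field]}
        return {"status": -1}       # unknown request
```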

SECURITY
       The anvil(8) server does not talk to  the  network  or  to
       local  users, and can run chrooted at fixed low privilege.

       The anvil(8) server maintains an in-memory table with
       information about recent client requests. No persistent
       state is kept because standard system library routines are
       not sufficiently robust for update-intensive applications.

       Although the in-memory state  is  kept  only  temporarily,
       this  may  require  a lot of memory on systems that handle
       connections from many remote clients.   To  reduce  memory
       usage, reduce the time unit over which state is kept.

DIAGNOSTICS
       Problems and transactions are logged to syslogd(8).

       Upon exit, and every anvil_status_update_time seconds, the
       server logs the maximal count and rate values measured,
       together with (service, client) information and the time
       of day associated with those events. In order to avoid
       unnecessary overhead, no measurements are done for
       activity that isn't concurrency limited or rate limited.
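
       An added Python example (not part of the Postfix distribution)
       that scans these peak-usage records for clients above a review
       threshold. The record layout in the regular expression is an
       assumed format, and the sample lines, addresses and thresholds
       are constructed.

```python
import re

# Assumed shape of anvil(8) peak-usage syslog records (not shown on this page).
STAT_RE = re.compile(
    r"anvil\[\d+\]: statistics: max (?P<kind>\w+) "
    r"(?:rate (?P<rate>\d+)/(?P<unit>\d+)s|count (?P<count>\d+)) "
    r"for \((?P<ident>[^)]+)\) at (?P<when>.+)$"
)

# Constructed sample input; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar  1 10:10:00 mx1 postfix/anvil[2211]: statistics: max connection rate 4/60s for (smtp:198.51.100.7) at Mar  1 10:03:12
Mar  1 10:10:00 mx1 postfix/anvil[2211]: statistics: max connection count 2 for (smtp:198.51.100.7) at Mar  1 10:03:12
Mar  1 10:20:00 mx1 postfix/anvil[2211]: statistics: max connection rate 180/60s for (smtp:203.0.113.50) at Mar  1 10:14:41
Mar  1 10:20:00 mx1 postfix/anvil[2211]: statistics: max connection count 45 for (smtp:203.0.113.50) at Mar  1 10:14:40
Mar  1 10:20:00 mx1 postfix/anvil[2211]: statistics: max cache size 2 at Mar  1 10:14:41
"""

def peaks_over(log_text, rate_limit, count_limit):
    """Return (ident, metric, value, when) for each peak above its threshold."""
    hits = []
    for line in log_text.splitlines():
        m = STAT_RE.search(line)
        if not m:
            continue  # records without a (service, client) pair are skipped
        if m["rate"] is not None:
            metric, value, limit = f"{m['kind']} rate/{m['unit']}s", int(m["rate"]), rate_limit
        else:
            metric, value, limit = f"{m['kind']} count", int(m["count"]), count_limit
        if value > limit:
            hits.append((m["ident"], metric, value, m["when"].strip()))
    return hits
```

       A flagged ident is a lead, not a verdict: as BUGS notes, many
       systems behind one translating router share a client address.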

BUGS
       Systems behind  network  address  translating  routers  or
       proxies appear to have the same client address and can run
       into connection count and/or rate limits falsely.

       In this preliminary implementation, a count (or rate)
       limited server can have only one remote client at a time.
       If a server reports multiple simultaneous clients, all but
       the last reported client are ignored.

       The  anvil(8) server automatically discards client request
       information after it expires.   To  prevent  the  anvil(8)
       server from discarding client request rate information too
       early or too late, a rate limited  service  should  always
       register  connect/disconnect  events even when it does not
       explicitly limit them.

CONFIGURATION PARAMETERS
       On low-traffic mail systems, changes to main.cf are picked
       up automatically as anvil(8) processes run for only a
       limited amount of time. On other mail systems, use the
       command "postfix reload" to speed up a change.

       The  text  below  provides  only  a parameter summary. See
       postconf(5) for more details including examples.

       anvil_rate_time_unit (60s)
              The time unit over which  client  connection  rates
              and other rates are calculated.

       anvil_status_update_time (600s)
              How  frequently  the  anvil(8)  connection and rate
              limiting server logs peak usage information.

       config_directory (see 'postconf -d' output)
              The default location of  the  Postfix  main.cf  and
              master.cf configuration files.

       daemon_timeout (18000s)
              How  much time a Postfix daemon process may take to
              handle a request  before  it  is  terminated  by  a
              built-in watchdog timer.

       ipc_timeout (3600s)
              The time limit for sending or receiving information
              over an internal communication channel.

       max_idle (100s)
              The maximum amount of time  that  an  idle  Postfix
              daemon  process  waits for the next service request
              before exiting.

       max_use (100)
              The maximal number of connection requests before  a
              Postfix daemon process terminates.

       process_id (read-only)
              The  process  ID  of  a  Postfix  command or daemon
              process.

       process_name (read-only)
              The process name of a  Postfix  command  or  daemon
              process.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (postfix)
              The  mail  system  name  that  is  prepended to the
              process name in syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".

SEE ALSO
       smtpd(8), Postfix SMTP server
       postconf(5), configuration parameters
       master(5), generic daemon options

README FILES
       TUNING_README, performance tuning

LICENSE
       The Secure Mailer license must be  distributed  with  this
       software.

HISTORY
       The anvil service is available in Postfix 2.2 and later.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

                                                                      ANVIL(8)