Receiving Limits
The smtpd daemon can enforce a number of limits on incoming mail. The limits are configurable through several parameters in the main.cf file. You can limit the size of messages, the number of recipients for a single delivery, and the length of lines in a message. You can also limit the number of errors to allow from a single client before breaking off communications.
To limit the number of recipients for a single message, use the smtpd_recipient_limit parameter. The default is 1,000 recipients, and it should be adequate for normal operation.
The message_size_limit parameter limits the size of any message your system will accept. The default is 10 MB. If you have limited disk space or memory, you might want to lower the value. On the other hand, if your users commonly receive large attachments, you may have to increase it.
Increasingly frequent errors from the same client might indicate a problem or an attack. Postfix keeps a counter of errors, and handles potential problem clients by introducing delays with each error. The delays can help protect your system from misconfigured or malignant clients. As the number of errors increases so does the length of each delay. The length of the initial delay is specified by smtpd_error_sleep_time with a default of one second. After the number of errors exceeds the value set for smtpd_soft_error_limit, Postfix increases the delay by one second for every error, so that with each error, there is a slightly longer delay. Finally, when the error count hits the value set in smtpd_hard_error_limit, Postfix gives up on the client and disconnects.
If a malicious program connects to your mail server and sends garbage commands, attempting to crash your server, the bogus commands appear to Postfix as errors from a misbehaving client. Assume the following values for the delay parameters:
smtpd_error_sleep_time = 1s smtpd_soft_error_limit = 10 smtpd_hard_error_limit = 20
With these settings, Postfix initially waits one second (smtpd_error_sleep_time) after each error before responding to the client. After 10 (smtpd_soft_error_limit) such probes, Postfix starts increasing the length of each delay. After 11 errors, Postfix waits 11 seconds. After 12 errors, Postfix waits 12 seconds, and so on. Once the number of errors hits 20 (smtpd_hard_error_limit), Postfix disconnects, cutting off the malicious program. If the program connects again, it simply gets the same treatment each time it starts creating problems.