RE: What does DKIM-based rate limiting do?

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Tue, 5 Jul 2011 11:11:30 -0700

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Gary Mills
> Sent: Tuesday, July 05, 2011 7:34 AM
> To: opendkim-users_at_lists.opendkim.org
> Subject: What does DKIM-based rate limiting do?
>
> When I examined opendkim-2.4.1, I noticed this configure option:
>
> --enable-rate_limit support for DKIM-based rate limiting
>
> What does this do exactly? We run j-chkmail solely to provide SMTP
> rate limiting. It maintains a database of all IP addresses used for
> client connections over a time interval, applying rate limiting to
> those that exceed configured values. Does OpenDKIM now do something
> similar?

It's experimental code included as a rudimentary hook to an unspecified domain-based reputation system, which is the obvious follow-on to DKIM. As such, it's still undocumented because it might change and might even be broken.

The concept: You provide a data set that maps domain names to integers, which represent daily flow limits for each domain. The data set is populated using a mechanism of your choosing. OpenDKIM maintains a temporary hash table mapping domain names to counts of messages bearing valid signatures from those domains, with the count resetting daily. If a single message would cause the stored count to exceed the integer for a domain name in the data set you provided, the message is temp-failed.

There's no guarantee this is a good or right solution to much of anything; it's merely an experimental hook. The other half of the experiment, which populates the data set containing the limits, is on a branch that hasn't been merged with the main code branches yet because I'm still tinkering with it when I have time to do so.

-MSK
Received on Tue Jul 05 2011 - 18:11:44 PST
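
The concept described in the reply above, sketched in C as an added example; it is not OpenDKIM's code and not from the message's author. All names (`rl_check`, `struct limiter`, `SLOTS`) are hypothetical. The handling of unlisted domains, oversized names and a full table, and the choice not to count a temp-failed message, are assumptions the message does not specify.

```c
#include <ctype.h>
#include <string.h>
#include <time.h>

#define SLOTS 64                        /* constructed table size */

enum verdict { ACCEPT, TEMPFAIL };
struct limit   { const char *domain; unsigned per_day; };  /* operator data set, lower-case names */
struct counter { char domain[256]; unsigned count; };
struct limiter {
    const struct limit *limits; size_t nlimits;
    struct counter slot[SLOTS];         /* temporary per-day counts */
    long day;                           /* UTC day number the counts belong to */
};

/* Call once per message bearing a valid signature from `domain`. */
enum verdict rl_check(struct limiter *rl, const char *domain, time_t now)
{
    char key[256];
    size_t len = strlen(domain);
    unsigned h = 5381;                  /* djb2 hash of the lower-cased name */
    const struct limit *lim = NULL;
    long day = (long)(now / 86400);

    if (day != rl->day) {               /* daily reset of every count */
        memset(rl->slot, 0, sizeof rl->slot);
        rl->day = day;
    }
    if (len >= sizeof key) return ACCEPT;   /* assumption: oversized names are not limited */
    for (size_t i = 0; i <= len; i++) {
        key[i] = (char)tolower((unsigned char)domain[i]);
        h = h * 33 + (unsigned char)key[i];
    }
    for (size_t i = 0; i < rl->nlimits; i++)
        if (strcmp(rl->limits[i].domain, key) == 0) lim = &rl->limits[i];
    if (lim == NULL) return ACCEPT;     /* assumption: unlisted domains are not limited */
    for (unsigned n = 0; n < SLOTS; n++, h++) {
        struct counter *c = &rl->slot[h % SLOTS];
        if (c->domain[0] == '\0') strcpy(c->domain, key);   /* claim an empty slot */
        if (strcmp(c->domain, key) != 0) continue;          /* collision: probe on */
        if (c->count >= lim->per_day) return TEMPFAIL;      /* one more would exceed */
        c->count++;
        return ACCEPT;
    }
    return ACCEPT;                      /* assumption: fail open when the table is full */
}
```

A zero-initialised `struct limiter` with `limits` and `nlimits` set is ready to use; the first call resets the table for the current day.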