# Postfix connection limit

## lonegd

I have a postfix server that doesn't appear to be honoring the IP connection limit setting:-

```
/var/log/maillog
Jan 30 06:44:10 svr postfix/anvil[2638]: statistics: max connection count 51 for (smtp:x.x.x.x) at Jan 30 06:42:20
Jan 30 06:54:34 svr postfix/anvil[2638]: statistics: max connection rate 16/60s for (smtp:x.x.x.x) at Jan 30 06:47:06
Jan 30 06:55:34 svr postfix/anvil[2638]: statistics: max connection count 20 for (smtp:x.x.x.x) at Jan 30 06:46:58

/etc/postfix/main.cf
smtpd_client_connection_count_limit = 5
smtpd_client_event_limit_exceptions = 127.0.0.0/8
```

The source IP is in mynetworks so I had to add the smtpd_client_event_limit_exceptions.

As you can see above, rather than only five connections from the IP, it's going up to fifty-one! :Sad:

Any ideas?

----------

## magic919

Isn't the 5 a concurrent limit and the Anvil stats are cumulative over time?

----------

## lonegd

 *magic919 wrote:*   

> Isn't the 5 a concurrent limit and the Anvil stats are cumulative over time?

 

Doesn't appear so as I have well over five connections from the IP.

It seems that the enforcement is being done by smtpd, so the IP can still connect to port 25 but then gets limited.

```
Jan 30 08:16:47 svr postfix/smtpd[5733]: warning: Connection concurrency limit exceeded: 88 from host.fqdn[x.x.x.x] for service smtp
```

This means only five connections from the IP can be sending mail, but clearly well over 50 are connecting and wasting system resources :Sad:

I guess I was hoping the limit would mean the connection would not even be established. :Confused:

----------

## magic919

Hmm. What about the bit where you added it to smtpd_client_event_limit_exceptions? I just re-read your first post. Doesn't that make it exempt from the restrictions?

 *Quote:*   

> smtpd_client_event_limit_exceptions (default: $mynetworks)
>
>     Clients that are excluded from connection count, connection
> ...

 

----------

## lonegd

Yeah, wonderfully worded setting that gives completely the wrong impression.

http://www.postfix.org/postconf.5.html#smtpd_client_event_limit_exceptions

```
Clients that are excluded from connection count, connection rate, or SMTP request rate restrictions. See the mynetworks parameter description for the parameter value syntax.

By default, clients in trusted networks are excluded.
```

So, by specifically setting smtpd_client_event_limit_exceptions to just 127.0.0.0/8, it will not exclude the IP that's in $mynetworks from the connection limiting. Does that make sense?!?

----------

## magic919

My expectation is that or plain localhost should do the job of eliminating the rest of the world from exemption.  Postconf -d | exceptions before the change and with a -n after the change should confirm.  Hope that sorts it for you.

----------
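An added example, not posted by anyone in the thread: a small Python check that reads anvil `max connection count` lines in the format quoted above and reports, for each client whose peak exceeds `smtpd_client_connection_count_limit`, whether it falls inside `smtpd_client_event_limit_exceptions`. The function names, the sample log and the 192.0.2.0/24 network are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the anvil format quoted in the thread; 192.0.2.10 is a
# documentation address standing in for the redacted x.x.x.x.
SAMPLE_LOG = """\
Jan 30 06:44:10 svr postfix/anvil[2638]: statistics: max connection count 51 for (smtp:192.0.2.10) at Jan 30 06:42:20
Jan 30 06:54:34 svr postfix/anvil[2638]: statistics: max connection rate 16/60s for (smtp:192.0.2.10) at Jan 30 06:47:06
Jan 30 06:55:34 svr postfix/anvil[2638]: statistics: max connection count 3 for (smtp:127.0.0.1) at Jan 30 06:46:58
"""

ANVIL_COUNT = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection count (\d+) "
    r"for \((\w+):([0-9A-Fa-f.:]+)\)"
)


def is_exempt(client, exceptions):
    """True if client matches an entry of smtpd_client_event_limit_exceptions.

    Assumption: entries are plain addresses or CIDR blocks; "!" negation,
    bracketed IPv6, file names and type:table lookups are not handled here.
    """
    addr = ipaddress.ip_address(client)
    nets = (ipaddress.ip_network(e, strict=False)
            for e in exceptions.replace(",", " ").split())
    return any(addr in net for net in nets)


def over_limit(log_text, limit, exceptions):
    """Return (service, client, peak, exempt) for clients whose peak > limit."""
    peaks = {}
    for line in log_text.splitlines():
        m = ANVIL_COUNT.search(line)
        if m:
            key = (m.group(2), m.group(3))
            peaks[key] = max(peaks.get(key, 0), int(m.group(1)))
    return [(svc, ip, peak, is_exempt(ip, exceptions))
            for (svc, ip), peak in peaks.items() if peak > limit]


if __name__ == "__main__":
    # Exceptions left at the default ($mynetworks, here assumed to contain
    # 192.0.2.0/24) versus narrowed to loopback as in the thread's main.cf.
    for exc in ("127.0.0.0/8 192.0.2.0/24", "127.0.0.0/8"):
        for row in over_limit(SAMPLE_LOG, 5, exc):
            print(exc, "->", row)
```

A client reported with `exempt` set to `True` is one the limit will never apply to, which is the situation the default `$mynetworks` value creates for hosts in trusted networks.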

