Sendmail Installation and Operation Guide
SMM:08-31
-- that is, the message is queued iff:
    pri > QueueFactor / (LA - QueueLA + 1)
The QueueFactor option defaults to 600000, so each point of load average is worth 600000 priority
points (as described above).
For drastic cases, the RefuseLA (X) option defines a load average at which sendmail will
refuse to accept network connections. Locally generated mail, i.e., mail which is not submitted via
SMTP (including incoming UUCP mail), is still accepted. Notice that the MSP submits mail to the
MTA via SMTP, and hence mail will be queued in the client queue in such a case. Therefore it is
necessary to run the client mail queue periodically.
4.5. Resource Limits
Sendmail has several parameters to control resource usage. Besides those mentioned in the
previous section, there are at least MaxDaemonChildren, ConnectionRateThrottle,
MaxQueueChildren, and MaxRunnersPerQueue. The latter two limit the number of sendmail
processes that operate on the queue. These are discussed in the section ``Queue Group
Declaration''. The former two can be used to limit the number of incoming connections. Their
appropriate values depend on the host operating system and the hardware, e.g., amount of memory.
In many situations it might be useful to set limits to prevent having too many sendmail processes;
however, these limits can be abused to mount a denial of service attack. For example, if
MaxDaemonChildren=10 then an attacker needs to open only 10 SMTP sessions to the server, leave
them idle for most of the time, and no more connections will be accepted. If this option is set then
the timeouts used in an SMTP session should be lowered from their default values to their minimum
values as specified in RFC 2821 and listed in section 4.1.2.
4.6. Measures against Denial of Service Attacks
Sendmail has some built-in measures against simple denial of service (DoS) attacks. The
SMTP server by default slows down if too many bad commands are issued or if some commands
are repeated too often within a session. Details can be found in the source file sendmail/srvrsmtp.c
by looking for the macro definitions of MAXBADCOMMANDS, MAXNOOPCOMMANDS,
MAXHELOCOMMANDS, MAXVRFYCOMMANDS, and MAXETRNCOMMANDS. If an
SMTP command is issued more often than the corresponding MAXcmdCOMMANDS value, then
the response is delayed exponentially, starting with a sleep time of one second, up to a maximum of
four minutes (as defined by MAXTIMEOUT). If the option MaxDaemonChildren is set to a
value greater than zero, then this could make a DoS attack even worse since it keeps a connection
open longer than necessary. Therefore a connection is terminated with a 421 SMTP reply code if
the number of commands exceeds the limit by a factor of two and MAXBADCOMMANDS is set
to a value greater than zero (the default is 25).
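The following C sketch is an added illustration, not code from sendmail/srvrsmtp.c: it models the
slow-down and 421 cut-off described above to show how long throttling alone can keep one session
(and so one daemon child) busy. The function names, the strict "more than" boundaries, and the use
of one limit per command are assumptions drawn from the prose; 25 and four minutes come from the text.

```c
#include <stdio.h>

#define MAX_TIMEOUT_SECS 240L   /* "four minutes" in the text (MAXTIMEOUT) */
#define SMTP_TERMINATE   (-1L)  /* model's marker: reply 421 and close */

/* Delay (seconds) before answering the count-th occurrence of one command.
 * limit   : the MAXcmdCOMMANDS threshold for that command (0 = no limit)
 * max_bad : MAXBADCOMMANDS; termination applies only when it is > 0
 * The strict "more than" boundaries follow the prose and are an assumption. */
long throttle_delay(unsigned int count, unsigned int limit, unsigned int max_bad)
{
    unsigned int shift;

    if (limit == 0 || count <= limit)
        return 0;
    if (max_bad > 0 && count - limit > limit)   /* count > 2 * limit */
        return SMTP_TERMINATE;
    shift = count - limit - 1;                  /* first excess command: 1 s */
    if (shift >= 30 || (1L << shift) > MAX_TIMEOUT_SECS)
        return MAX_TIMEOUT_SECS;
    return 1L << shift;
}

/* Total seconds of server-imposed delay over a session that repeats one
 * command up to ncmds times, stopping early if the session is terminated. */
long held_seconds(unsigned int limit, unsigned int max_bad, unsigned int ncmds)
{
    long total = 0, d;
    unsigned int n;

    for (n = 1; n <= ncmds; n++) {
        d = throttle_delay(n, limit, max_bad);
        if (d == SMTP_TERMINATE)
            break;
        total += d;
    }
    return total;
}

int main(void)
{
    /* Constructed scenario: limit 25 (the default given in the text). */
    printf("with 421 cut-off:    %ld s\n", held_seconds(25, 25, 100));
    printf("without cut-off:     %ld s\n", held_seconds(25, 0, 100));
    return 0;
}
```

With a limit of 25 the cut-off bounds the accumulated delay on one session at 4335 seconds in this
model; without it, every further command adds another 240 seconds.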
4.7. Delivery Mode
There are a number of delivery modes that sendmail can operate in, set by the DeliveryMode
(d) configuration option. These modes specify how quickly mail will be delivered. Legal modes
are:
    i    deliver interactively (synchronously)
    b    deliver in background (asynchronously)
    q    queue only (don't deliver)
    d    defer delivery attempts (don't deliver)
There are tradeoffs. Mode "i" gives the sender the quickest feedback, but may slow down some
mailers and is hardly ever necessary. Mode "b" delivers promptly but can cause large numbers of
processes if you have a mailer that takes a long time to deliver a message. Mode "q" minimizes the