Bypass Exim Ratelimit

We have a mailing list with more than 5,000 subscribers on our site.

By now Exim is configured with low ratelimit options. For most cases, they work well, but there are exceptions.

How is it possible to bypass/whitelist the ratelimit for certain domains / email addresses?
It would also be great to add this feature to the Hestia panel.

Adjust the exim conf to whatever rate you need:

1 Like

Adjusted already. But these settings apply globally. For one domain, we need more than 1500 / 1h, but for the rest, this is a very high limit and reduces the security of the mail server.

Probably possible to adjust the config to trigger for just a specific domain; currently there are not enough dev hours available to integrate a per-domain limit.

1 Like

We are planning an update in the future to allow it; however, it is currently not possible without manually editing…

2 Likes

I did not find information on how to configure this per domain (by editing the Exim config). Any suggested links?

Perhaps this can help you:

3 Likes
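One way to express a per-domain limit with Exim's `ratelimit` ACL condition, as an added example that is not part of the original thread and is not Hestia's own configuration. The macro names, the file path, the numbers and the `user@domain` form of the login are assumptions; the limit is looked up from the authenticated login rather than the envelope sender, because the envelope sender is chosen by the client and could be set to a domain with a higher limit.

```exim
# --- main configuration section ---
# Hypothetical macro names and values; adjust to your own policy.
# Default hourly limit for every account whose domain is not listed.
RL_DEFAULT = 200
# Hypothetical path to a per-domain override file (lsearch format),
# one "domain: limit" pair per line, for example:
#   newsletter.example.org: 1500
RL_FILE = /etc/exim4/domain_limits

# --- inside the ACL that handles authenticated submissions ---
# Assumption: $authenticated_id has the form user@domain, so
# ${domain:...} yields the account's own domain.
# 1. Look up that domain in RL_FILE; fall back to RL_DEFAULT.
# 2. Count messages per authenticated account over one hour.
# 3. "strict" keeps counting rejected attempts, so a compromised
#    account stays blocked while it keeps trying to send.
  deny    authenticated = *
          set acl_m_limit = ${lookup{${domain:$authenticated_id}}lsearch{RL_FILE}{$value}{RL_DEFAULT}}
          ratelimit     = $acl_m_limit / 1h / strict / $authenticated_id
          message       = Sending limit of $sender_rate_limit messages per $sender_rate_period exceeded
          log_message   = ratelimit: $authenticated_id at $sender_rate / $sender_rate_period (limit $sender_rate_limit)
```

The `log_message` line gives a string to alert on in the main log, so a tripped limit is noticed as a possible account compromise rather than silently absorbed.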

Great! Will try it today!

Until HestiaCP supports this feature, you can use the solution offered at

3 Likes

Guys, thanks a lot! I am very glad to receive so many useful comments and attention to the issue.

I’m copying here a relevant discussion that took place at Virtualmin CP forums about a year ago:

Limit Outoing SMTP Connections per Domain

eugenevdm.host
Dec '20

We use Virtualmin for shared hosting sometimes 100s of domains and 1000s of mailboxes.

Occasionally one user’s computer is compromised and then their email client sends out 1000s of SPAM messages. By the time we’ve mitigated the damage our IP is blacklisted, causing every other client on the server grief, and we lose business at times due to cancellations if delisting takes too long. We have postfix SNMP queue monitors in place but one hour can make a world of difference, so if this happens at 3AM on a Sunday morning we are screwed.

How can I restrict per domain, how much each user can send?

WHM/Cpanel has a number of settings to control this; each domain has these two configurable settings:

  1. Maximum Hourly Email by Domain Relayed.
  2. Maximum percentage of failed or deferred messages a domain may send per hour.

These settings are incredibly useful because the second option means you easily catch spammers who use incorrect addresses. Both these settings notify the server operator as well.

Basically we need something the same for Virtualmin. This is all that’s holding us back redeploying numerous WHM/cPanel servers onto Virtualmin instead.

I’ve researched the old forums and here and I don’t see any tips at all. Just trying to take it forward a bit.

alex.iarna
Dec '20

My 2 cents on this, after having the “3AM on a Sunday morning” thingy a few years ago,

Besides the rate limiting, I also set an automated alert for “Mail Queue Size” bigger than ~50 messages and I add the “postfix stop” as an additional command if that monitor goes down. Then I have the postfix connection monitored from outside every 5 minutes, so I get notified quickly if postfix is stopped.

That works because email processing is usually fast enough for legitimate email that the queue never gets too big - except when someone gets hacked and spam gets deferred so it “accumulates” in the queue, moment when I want to have the postfix halted to avoid IP damage and I can look into the queue to know what account exactly causes the problem. Then I reset password to that account, delete the spam from queue, start postfix and everybody’s happy. Even the client with locked mailbox appreciates when he/she gets to know about the spam problem before causing more harm to others.

Using this I have 1 to 3 such events per year per server (~100 domains each server), but never got an IP blacklisted in the last 3-4 years.

Source: Limit Outoing SMTP Connections per Domain - #7 by calport - Virtualmin - Virtualmin Community

IMHO putting a mail-server online without an outbound mail ratelimit policy is asking for trouble.

2 Likes

I would love to see the rate limits implemented.

When you get banned the only thing that you can do is deliver via Amazon SES after catching the spamming account until you get your IP out of the blacklists.

It is already implemented. But there is no way to configure limits, except to edit the config and set a global limit for all domains.

Have a look here: Bypass Exim Ratelimit - #9 by kpv

Will be implemented with one of the next releases.

It has not been implemented in Hestia yet so unless you want to do it manually there are no ways to add support for it …

How can we help to get it released earlier?

Testing 🙂

So how can I test that branch? If it is fairly safe, I could deploy in production.

Or shall I manually apply the changes to test if it works as expected?

Basically “beta testing” under https://github.com/hestiacp/hestiacp/blob/main/CONTRIBUTING.md#ways-to-contribute, switch to the branch and test if all works properly.

But the branch for rate limit is missing the upgrade script…

2 Likes