Re: rate limiting popa3d
Solar Designer <solar@...
2008-09-27 03:31:22 GMT

On Fri, Sep 26, 2008 at 11:35:25AM +0200, Wouter Callewaert wrote:
> Lately, our popa3d based pop server suffers from people checking their
> mail every 5 seconds.
> Is there a way to rate limit pop checking (based on username / time
> period for example) with popa3d or should I use a proxy pop3 server for

You can achieve similar rate limiting, per source IP address rather than
per username, using the MAX_SESSIONS_PER_SOURCE and MIN_DELAY settings
in popa3d's params.h. These only have effect when running popa3d as a
standalone server, not via inetd. popa3d assumes that sessions are
"active" for at least MIN_DELAY seconds for the purpose of counting the
number of "simultaneous" sessions. The default settings of
MAX_SESSIONS_PER_SOURCE = 50 and MIN_DELAY = 10 are quite relaxed,
allowing, in theory, for up to 5 sessions per second, on average, to be
started from the same source address. (Since some of the sessions will
likely have non-negligible duration, only a smaller number of sessions
per second, on average, will be allowed in practice.) You can try
changing these settings to, say, MAX_SESSIONS_PER_SOURCE = 5 and
MIN_DELAY = 120, which won't allow sessions to be started more often
than 5 in 120 seconds (2 minutes).

Unfortunately, I am not aware of equivalent functionality in an inetd
clone. xinetd's per_source and cps settings get quite close, but they
are not quite it because they are applied independently of each other.
Thus, when cps kicks in, the entire service is affected, for all source
addresses, which is usually undesirable. A workaround would be to use
per_source only and to artificially extend the process' lifetime by
starting popa3d via a wrapper script that would "sleep" for a second
when popa3d terminates - but that wastes memory. If you choose to do
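
Added example, not part of the original message and not popa3d's own code: a small C model of the per-source accounting described above, where a session counts as "active" for at least MIN_DELAY seconds, used to compare the default settings with the suggested 5 / 120 for a client polling every 5 seconds. The function name, the slot array and the assumption that a refused attempt holds no slot are choices made for this illustration.

```c
#include <stdio.h>

#define SLOTS_MAX 256   /* upper bound on max_sessions in this model */

/* Number of connection attempts from ONE source address that are accepted
 * when it connects every interval_ms for total_ms, each session lasting
 * duration_ms. A session occupies a slot until it has ended AND at least
 * min_delay seconds have passed since it started. Returns -1 on bad input. */
int accepted_sessions(int max_sessions, int min_delay,
                      long interval_ms, long duration_ms, long total_ms)
{
    long busy_until[SLOTS_MAX] = {0};   /* per-slot release time, ms */
    long hold = min_delay * 1000L;      /* minimum time a slot stays counted */
    int accepted = 0;

    if (max_sessions < 1 || max_sessions > SLOTS_MAX || interval_ms < 1)
        return -1;
    if (duration_ms > hold)
        hold = duration_ms;             /* long sessions count for longer */

    for (long now = 0; now < total_ms; now += interval_ms) {
        for (int i = 0; i < max_sessions; i++) {
            if (busy_until[i] <= now) { /* free slot: session is accepted */
                busy_until[i] = now + hold;
                accepted++;
                break;
            }
        }
        /* No free slot: the attempt is refused (assumed to hold nothing). */
    }
    return accepted;
}

int main(void)
{
    /* Constructed workload: one client, 1-second sessions, 10 minutes. */
    printf("poll every 5 s, 50/10 : %d of 120 accepted\n",
           accepted_sessions(50, 10, 5000, 1000, 600000));
    printf("poll every 5 s, 5/120 : %d of 120 accepted\n",
           accepted_sessions(5, 120, 5000, 1000, 600000));
    /* 10 attempts per second for 60 s: the defaults cap this at 5/s. */
    printf("10 per second, 50/10  : %d of 600 accepted\n",
           accepted_sessions(50, 10, 100, 0, 60000));
    return 0;
}
```

In this model the defaults never refuse the 5-second poller, while 5 / 120 lets through five sessions and then refuses the rest until the first of them is 120 seconds old.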