Applying a rate limit to the number of e-mails a user can send within a given time period is crucial in preventing a hacked account from sending out thousands of spam messages unhindered. Luckily, other e-mail servers also have ways to reject malicious e-mail—but we still need to do our part to limit the amount of spam coming from our users.
Postfix makes this process very easy. If you have already configured your Postfix server to only allow authenticated users, then you just need to adjust a couple more settings in your main.cf file.
The settings that control rate limiting are smtpd_client_message_rate_limit and anvil_rate_time_unit; if you cannot find them in your /etc/postfix/main.cf file already, then you may go ahead and add them:
smtpd_client_message_rate_limit = 2
anvil_rate_time_unit = 60s
The above settings will allow a given user to send a maximum of two messages per minute. Note that the anvil_rate_time_unit setting is shared by Postfix's other anvil(8) rate limits, not just this one. The Postfix documentation mentions that the default value is 60s—I basically only included it for conciseness.
Testing the configuration
It is important to test your configuration to get a feel for what is happening; in most cases you can easily test your configuration by starting out with extremely low limits.
In this case, a limit of two e-mails every sixty seconds is easy to test: simply go to your e-mail client, set up your e-mail account with your SMTP server, and then observe what happens when you try sending more than two e-mails within sixty seconds.
Of course, this assumes that your SMTP server is capable of sending e-mail. Some hosting services will limit or prevent e-mail sending entirely on their IPs in order to avoid abuse; keep in mind, all it takes is a single compromised website with access to the system's mail function—and as history shows, popular CMS systems have been hacked numerous times in the past.
Why you should rate-limit e-mail sending
In an ideal world, there would be no need to enforce limits. Users should generally be allowed to send as many e-mails as they want, as you do not know whether a user has a valid reason to do so; examples would be sending birthday party invitations in bulk or managing a large newsletter.
However, e-mail servers—or just the individual users—do get hacked; even when you have everything configured correctly to only allow authenticated users, and even when you have configured fail2ban, an attacker might still be able to gain access.
This is where rate limiting comes in. Besides making sure that a user owns the "FROM" address they are sending e-mail from, we can also apply rate limiting to their outgoing mail. Rate limiting will prevent compromised users from sending limitless amounts of e-mail, and hopefully also prevent getting our SMTP server's IP address blacklisted.
What happens when a user is rate-limited
When a user reaches their e-mail sending limit, and they attempt to send another e-mail, it will simply be rejected by the server.
The user might see a message in their e-mail client informing them that their e-mail was rejected; such a message might look like this:
An error occurred while sending mail. The mail server responded: 450 4.7.1 Error: too much mail from xxx.xxx.xxx.xxx. Please verify that your email address is correct in your account settings and try again.
A user will need to wait until the sending limit resets before they can send e-mail again.
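To make the two settings and the rejection above concrete, here is an added Python model of the per-client message counter (example code, not Postfix's own anvil(8) implementation); the class, the main.cf fragment and the event times are constructed for illustration. Postfix keys this counter on the connecting client's address rather than on the authenticated user, which is why the reply quoted above names an IP.

```python
import re

# Constructed main.cf fragment with the two settings from the article.
MAIN_CF = """
# outbound abuse limits
smtpd_client_message_rate_limit = 2
anvil_rate_time_unit = 60s
"""

# Postfix time-unit suffixes; a bare number is taken as seconds here.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_main_cf(text):
    """Return main.cf 'key = value' pairs, skipping blank and comment lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_time_unit(value):
    """Convert a Postfix time value such as '60s' or '1h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]

class ClientMessageRateLimiter:
    """Hypothetical re-implementation of the anvil(8) per-client counter: a fixed
    window that resets once anvil_rate_time_unit has elapsed since the client's
    first event in it. A limit of 0 disables the check, as in Postfix."""
    def __init__(self, settings):
        self.limit = int(settings.get("smtpd_client_message_rate_limit", "0"))
        self.unit = parse_time_unit(settings.get("anvil_rate_time_unit", "60s"))
        self.windows = {}  # client address -> (window_start, count)

    def mail_from(self, client, now):
        """SMTP reply for a MAIL FROM by `client` at time `now` (in seconds)."""
        if self.limit == 0:
            return "250 2.1.0 Ok"
        start, count = self.windows.get(client, (now, 0))
        if now >= start + self.unit:  # window expired: start a fresh one
            start, count = now, 0
        count += 1  # the rejected attempt is counted too, as anvil does
        self.windows[client] = (start, count)
        if count > self.limit:
            return f"450 4.7.1 Error: too much mail from {client}"
        return "250 2.1.0 Ok"
```

Replaying a burst of MAIL FROM commands from one address shows the third attempt within the minute rejected with the 450 reply, other clients unaffected, and the same client accepted again once sixty seconds have passed.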