-
-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] RateLimit is not working by expecting. #4467
Comments
I'm seeing the same behavior on the Rspamd instances we updated to 3.5. Going back to 3.4.x and flushing the rate limit redis entries helped returning to normal operations. Also seems to me this issue in mailcow is related |
Same issue here via Mailcow. After reverting to rspamd 3.4 it works fine again (so far at least). @vstakhov can you please have a look at this? If you need info from me, please let me know (See the mailcow thread as well). Thank you for all the continued hard efforts that you make, it's appreciated! |
I just do not understand the issue tbh. Is it related to the |
For what it's worth, this occurred on a mailcow account that does not have whitelist_ip selected, it appears that indeed a bucket is not drained, I saw a sudden increase around the 11th of may (when I upgraded the local install that included rspamd 3.5) and then gradually continued. There was no release of the ratelimit, it kept on going.
those are the settings that mailcow uses, nothing fancy. where the lua file contains:
|
I removed my comment regarding |
Ok, I think the reason is that |
Or no, this symbol has all guards against it: |
I am still having issues. E-mails are being send from our webmail client, using an IP that I have included in the The log.
My ratelimit.conf:
And my ip-whitelist.map:
And the entry from Redis.
|
You cannot define per rule whitelist maps, they are defined globally for this module. The main question is why It is increased here: https://github.com/rspamd/rspamd/blob/master/lualib/redis_scripts/ratelimit_check.lua#L69 when a message is started to be scanned. It is decreased here: https://github.com/rspamd/rspamd/blob/master/lualib/redis_scripts/ratelimit_update.lua#L78 So if this postfilter is not called, we are in real troubles. But this postfilter must be called in all cases: https://github.com/rspamd/rspamd/blob/master/src/plugins/lua/reputation.lua#L1332 |
So normally |
@vstakhov I read previous comments and am unsure if my question is relevant. I understood the problem is |
i also reverted back to old rspamd version because i had the described issue and also my prefilter didnt work anymore. I had a whitelist with prefilter to completly whitelist a IP, after the update ratelimit wasnt included in the prefilter whitelist anymore and i had to use the whitelist from the ratelimit module. Might have something todo with the not working ratelimit but not sure |
I'm not sure it is Rspamd bug, as all reports are likely from Mailcow users. I also see no way how |
I'm sorry, but I cannot parse this sentence. |
what i tried to say that prefilter as described here https://rspamd.com/doc/modules/multimap.html#pre-filter-maps is not whitelisting the ratelimit module anymore |
I'm sorry, but what do you mean by "whitelisting ratelimit by multimap"? If that's what I think about, it has never worked as you could expect. It might work merely by occasion, and it is not an issue. For disabling symbols, you can use many methods: settings, custom Lua code, conditions etc. Multimap is not a proper tool for this task. |
i understand your point and i dont disagree, would just point out that it worked perfectly since years until now |
@vstakhov I don't use Mailcow. I use only Rspamd with Postfix in my configuration. I have only this problem, which I wrote here #4467 (comment) with this simple configuration. |
For what it is worth, my whitelist problem was indeed resolved by defining the |
Hi, I discovered this ratelimit issue after upgrading two standalone rspamd (not related to mailcow) from 3.4.x to 3.5.x. Looks to me that there was a change somewhere in 3.5.x which affected how ratelimit behave, at least with our config. While googling around I found out that mailcow users were having the same kind of issues when their rspamd container was Nothing really special in our config, except a ratelimit whitelist based on authenticated user names.
Kind regards |
Ok, I think I know the reason now: it is again about short-curcuit rules indeed. I have added one more workaround to really clean the pending bucket. |
In my opinion still exist problem with ratelimit module. Basically what happen to us is as follows:
This work flawless for a while (could be something like 1 or 2 days) and then suddently the mail of @customerdomain.com does not enter any longer on their selector Checking on the log i see (debug module on for ratelimit) something like this:
where seems that suddenly the limit to check change suddently from the correct on, to the default one. We use rspamd 3.6.2 |
Independent ratelimits are not evaluated in any particular order (not reliably so anyway), the selector for the catch-all limit should exclude things that are to be handled elsewhere. That could be improved on but it's an unrelated concern to the matter reported in this issue. |
thank you. as a matter of coincidence (a wrong answer on another forum) and a casualty choice of our rules selection that guide me on thinking on top-down approach. |
Prerequisites
Describe the bug
When I will reach the "burst" border in ratelimit.conf ratelimit doesn't set a rate, only block send e-mails then expire burst counter. The default "expiry" is set to 2 days, but when I put "expiry" to 1h, this setting is not accepting.
Steps to Reproduce
And e-mail client says, "Ratelimit user exceeded." Now I have to wait two days to expire the counter or delete RL* from Redis DB.
Expected behavior
Versions
The text was updated successfully, but these errors were encountered: