Netgate Discussion Forum
    Throttling outgoing SMTP (port 25) connections?

    Firewalling
    2 Posts 2 Posters 4.2k Views

    dhatz

      What would be the best practice to throttle outgoing SMTP (port 25) connections with pfsense?

      The situation I'm trying to mitigate is when, e.g. in a public hotspot, a guest's malware-infected PC starts sending out 1000s of spam mails. I wouldn't want to block port 25 completely, but as a compromise I'd choose to limit port 25 connections to a low number, e.g. 3/min.

      With Linux iptables I might use directives like:
      -p tcp --dport 25 --limit 3/min --limit-burst x
      etc.
      This way, any port 25 connections beyond the limit of 3 per minute are dropped, but the port becomes available again very soon. And no other ports are affected.

      pfsense offers advanced options with similar features (pf's max-src-conn-rate), but apparently adds "offending" IPs to the <virusprot> table, thus blocking those IPs entirely for all protocols, rather than effectively throttling port 25 only.


      marcelloc

        If you reduce the time that IP is blocked, it will work.

        Install the cron package to edit the crontab and reduce the time that IP is blocked.

        Change the virusprot crontab to:
        *  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 120 virusprot
        and then set the advanced options on your SMTP rules.

        When it is all set up, an IP that reaches the rate limit will be blocked by the firewall for 2 minutes.

        It's not exactly what you want, but it works.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

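To make concrete what the two posts describe (max-src-conn-rate filling the <virusprot> table, and expiretable draining it), here is an added pf.conf illustration that is not from the thread, from pfSense's generated ruleset, or from either poster. It goes one step beyond the thread by scoping the block on <virusprot> to port 25 only, which is what the question actually asked for; the interface name, guest subnet and rule layout are assumptions.

```pf
# Added example, not pfSense's generated rules. Assumed macros:
lan_if    = "em1"              # hypothetical interface the guests sit on
guest_net = "192.168.50.0/24"  # hypothetical guest/hotspot subnet

# Table that the "overload" option below populates with offending sources.
# Entries stay until removed; marcelloc's cron line (expiretable -t 120
# virusprot) is what ages them out after 120 seconds.
table <virusprot> persist

# Scope the penalty to SMTP only: a listed source loses port 25, nothing else.
# "quick" makes this rule final so the pass rule below cannot override it.
block return in quick on $lan_if proto tcp from <virusprot> to any port 25

# A guest host may open at most 3 new port-25 connections per 60 seconds.
# Exceeding that adds the source to <virusprot>; "flush" (not "flush global")
# tears down only the states this rule created, i.e. its SMTP sessions.
pass in on $lan_if proto tcp from $guest_net to any port 25 \
    flags S/SA keep state \
    (max-src-conn-rate 3/60, overload <virusprot> flush)

# All other guest traffic is evaluated without reference to the table.
pass in on $lan_if from $guest_net to any
```

pfSense rewrites its ruleset from the GUI on every filter reload, so this is a pf-level picture of the mechanism rather than a file to drop onto a pfSense box; on pfSense the equivalent knobs are the rule's advanced options plus the crontab change above.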
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.