1 Topic by jung

  • jung
  • Member
  • Offline
  • Registered: 2020-01-08
  • Posts: 98

Topic: Throttle is not working

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.4
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: ubuntu 22.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mysql
- Web server (Apache or Nginx):nginx
- Manage mail accounts with iRedAdmin-Pro? free
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Dear iRedmail community,

I configured throttle to limit 1 user from sending 3 messages within 1 minute, what i did was :
-enabled throttle in iredapd (iredapd version 5.3)
-insert into throttle (account, kind, period, priority, max_msgs, msg_size) values ('emailaddress@domain.com', outbound, 60, 255, 3, 0);
-check_policy_service inet:127.0.0.1:7777  was added just after smtpd_sender_restrictions and smtpd_recipient_restrictions
-restarted mysql, iredapd, nginx and postfix

throttle did not stop me from sending 5 messages or more within 1 minute.

your advice is highly appreciated. Thanks

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,704

Re: Throttle is not working

You should enable iredapd in smtpd_end_of_data_restrictions and smtpd_recipient_restrictions. For example:

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_recipient_restrictions = reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient check_recipient_access pcre:/etc/postfix/recipient_access.pcre check_recipient_access pcre:/opt/iredmail/custom/postfix/recipient_access.pcre check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:12340

3 Reply by jung (edited by jung 2026-06-16 21:26:44)

  • jung
  • Member
  • Offline
  • Registered: 2020-01-08
  • Posts: 98

Re: Throttle is not working

ZhangHuangbin wrote:

You should enable iredapd in smtpd_end_of_data_restrictions and smtpd_recipient_restrictions. For example:

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_recipient_restrictions = reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient check_recipient_access pcre:/etc/postfix/recipient_access.pcre check_recipient_access pcre:/opt/iredmail/custom/postfix/recipient_access.pcre check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:12340

Dear Zhang,

- smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777 -  is already in main.cf by default.

i added the below entry under (smtpd_recipient_restrictions)
-reject_unlisted_recipient check_recipient_access         
      pcre:/etc/postfix/recipient_access.pcre
-check_recipient_access pcre:/opt/iredmail/custom/postfix/recipient_access.pcre
-reject_unauth_destination check_policy_service inet:127.0.0.1:12340

after restarting the iredapd, nginx, mysql and postfix then login and start sending 4 messages in 1 minute and throttle let me sent 4 message within a minute

please see below /etc/postfix/main.cf
smtpd_sender_restrictions =
    #ADDED JUNE 16, 2026
    check_policy_service inet:127.0.0.1:7777
    #TILL HERE
    permit_mynetworks
    permit_sasl_authenticated
    #ADDED JUNE 15, 2026 FOR THROTTLE
    reject_unauth_destination
    #check_policy_service inet:127.0.0.1:7777
    #TILL HERE
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    # To check outgoing messages
    #Added August 28, 2023
    # add entry in /etc/postfix/internal_clients_filter - check
    #check_client_access cidr:/etc/postfix/internal_clients_filter
    ##
    reject_non_fqdn_sender
    reject_unlisted_sender
    #Added August 28, 2023
    reject_unknown_sender_domain
    reject_sender_login_mismatch
    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname

# Recipient restrictions
smtpd_recipient_restrictions =
    #ADDED JUNE 16, 2026
    check_policy_service inet:127.0.0.1:7777
    #TILL HERE
    #orig entry (when disabled and enable the permit_mynetworks and permit_sasl_authenticated below - i am not able to send email)
    permit_mynetworks
    permit_sasl_authenticated
    #TILL HERE
    reject_non_fqdn_recipient
    #ADDED JUNE 16, 2026
    reject_unknown_recipient_domain
    check_recipient_access pcre:/etc/postfix/recipient_access.pcre
    check_recipient_access pcre:/opt/iredmail/custom/postfix/recipient_access.pcre
    #TILL HERE
    reject_unlisted_recipient
    reject_unauth_destination
    #Added August 28, 2023
    reject_invalid_hostname
    #reject_unknown_recipient_domain
    reject_unauth_pipelining
    #Added Augst 29, 2023
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    #reject_unKown_sender_domain
    #ADDED JUNE 16, 2026
    #permit_mynetworks
    #permit_sasl_authenticated
    #TILL HERE
    check_policy_service inet:127.0.0.1:12340
    #Added December 1, 2024
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rbl_client b.barracudacentral.org=127.0.0.2

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,704

Re: Throttle is not working

1: Your setting is a mess.
2: Do not add it in smtpd_sender_restrictions.
3: I suggest restore smtpd_recipient_restrictions to the one in my first reply. If your server was not deployed with iRedMail Easy or iRedMail Enterprise Edition, please remove the rules with "/opt/iredmail/custom/..." path.

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,704

Re: Throttle is not working

WARNING: The order of restriction rules matter a lot, you cannot simply add rule 1 / 2 / 3 randomly. Postfix applies the rule one by one, you should understand what the rule is used for and when you should apply it.

6 Reply by jung

  • jung
  • Member
  • Offline
  • Registered: 2020-01-08
  • Posts: 98

Re: Throttle is not working

Dear Zhang,

smtpd_sender_restrictions =
    #ADDED JUNE 16, 2026
    check_policy_service inet:127.0.0.1:7777 - ***this i deleted already***
    #TILL HERE
    permit_mynetworks
    permit_sasl_authenticated
    #ADDED JUNE 15, 2026 FOR THROTTLE
    reject_unauth_destination
    #check_policy_service inet:127.0.0.1:7777
    #TILL HERE
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    # To check outgoing messages
    #Added August 28, 2023
    # add entry in /etc/postfix/internal_clients_filter - check
    #check_client_access cidr:/etc/postfix/internal_clients_filter
    ##
    reject_non_fqdn_sender
    reject_unlisted_sender
    #Added August 28, 2023
    reject_unknown_sender_domain
    reject_sender_login_mismatch
    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname

# Recipient restrictions
smtpd_recipient_restrictions =
    #ADDED JUNE 16, 2026
    check_policy_service inet:127.0.0.1:7777
    #TILL HERE
    #orig entry (when disabled and enable the permit_mynetworks and permit_sasl_authenticated below - i am not able to send email)
    permit_mynetworks
    permit_sasl_authenticated
    #TILL HERE
    reject_non_fqdn_recipient
    #ADDED JUNE 16, 2026
    reject_unknown_recipient_domain
    check_recipient_access pcre:/etc/postfix/recipient_access.pcre
    check_recipient_access pcre:/opt/iredmail/custom/postfix/recipient_access.pcre
    #TILL HERE
    reject_unlisted_recipient
    reject_unauth_destination
    #Added August 28, 2023
    reject_invalid_hostname
    #reject_unknown_recipient_domain
    reject_unauth_pipelining
    #Added Augst 29, 2023
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    #reject_unKown_sender_domain
    #ADDED JUNE 16, 2026
    #permit_mynetworks                ***   if it is enabled, i cannot sent message***
    #permit_sasl_authenticated      ***if it is enabled, i cannot send message***
    #TILL HERE
    check_policy_service inet:127.0.0.1:12340
    #Added December 1, 2024
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rbl_client b.barracudacentral.org=127.0.0.2

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777


note: if the permit_mynetworks and permit_sasl_authentication is enabled in the middle part of the configuration located in the "ADDED JUNE 16, 2026". I am not able to send email

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,704

Re: Throttle is not working

Cannot help more if you insist in your own config.

8 Reply by jung

  • jung
  • Member
  • Offline
  • Registered: 2020-01-08
  • Posts: 98

Re: Throttle is not working

Dear Zhang,

Please find below part of the main.cf content and please help me arrange into correct sequence.

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
   
# Sender restrictions
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject_non_fqdn_sender
    reject_unlisted_sender
    reject_unknown_sender_domain
    reject_sender_login_mismatch
    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname

# Recipient restrictions
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    reject_unauth_destination
    reject_invalid_hostname
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    check_policy_service inet:127.0.0.1:12340
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rbl_client b.barracudacentral.org=127.0.0.2

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777

# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining

Zhang your support is highly appreciated in order for me to make throttle work. the working throttle is very important to block compromized account from sending too much spam that will trigger gmail, yahoo,and any other mail domain from blocking our capability to send messages.

I am not insisting my configuration. please help. thanks