ANVIL(8)                                                              ANVIL(8)

NAME
       anvil - Postfix session count and request rate control

SYNOPSIS
       anvil [generic Postfix daemon options]

DESCRIPTION
       The  Postfix  anvil(8)  server  maintains statistics about
       client connection counts or  client  request  rates.  This
       information  can  be  used  to defend against clients that
       hammer a server with either  too  many  simultaneous  ses-
       sions,  or with too many successive requests within a con-
       figurable time interval.  This server is designed  to  run
       under control by the Postfix master(8) server.

       In the following text, ident specifies a (service, client)
       combination. The  exact  syntax  of  that  information  is
       application-dependent;  the anvil(8) server does not care.

CONNECTION COUNT/RATE CONTROL
       To register a new connection send the following request to
       the anvil(8) server:

           request=connect
           ident=string

       The  anvil(8) server answers with the number of simultane-
       ous connections and the number  of  connections  per  unit
       time  for the (service, client) combination specified with
       ident:

           status=0
           count=number
           rate=number

       To register a disconnect event send the following  request
       to the anvil(8) server:

           request=disconnect
           ident=string

       The anvil(8) server replies with:

           status=0

MESSAGE RATE CONTROL
       To  register a message delivery request send the following
       request to the anvil(8) server:

           request=message
           ident=string

       The anvil(8) server answers with  the  number  of  message
       delivery  requests per unit time for the (service, client)
       combination specified with ident:

           status=0
           rate=number

RECIPIENT RATE CONTROL
       To register a recipient request send the following request
       to the anvil(8) server:

           request=recipient
           ident=string

       The  anvil(8)  server answers with the number of recipient
       addresses per unit time for the (service, client) combina-
       tion specified with ident:

           status=0
           rate=number

TLS SESSION NEGOTIATION RATE CONTROL
       The  features described in this section are available with
       Postfix 2.3 and later.

       To register a request for a new (i.e. not cached) TLS ses-
       sion send the following request to the anvil(8) server:

           request=newtls
           ident=string

       The  anvil(8)  server  answers  with the number of new TLS
       session requests per unit time for the  (service,  client)
       combination specified with ident:

           status=0
           rate=number

       To retrieve new TLS session request rate information with-
       out updating the counter information, send:

           request=newtls_report
           ident=string

       The anvil(8) server answers with the  number  of  new  TLS
       session  requests  per unit time for the (service, client)
       combination specified with ident:

           status=0
           rate=number

SECURITY
       The anvil(8) server does not talk to  the  network  or  to
       local  users, and can run chrooted at fixed low privilege.

       The anvil(8) server  maintains  an  in-memory  table  with
       information  about recent clients requests.  No persistent
       state is kept because standard system library routines are
       not sufficiently robust for update-intensive applications.

       Although the in-memory state  is  kept  only  temporarily,
       this  may  require  a lot of memory on systems that handle
       connections from many remote clients.   To  reduce  memory
       usage, reduce the time unit over which state is kept.

DIAGNOSTICS
       Problems and transactions are logged to syslogd(8).

       Upon exit, and every anvil_status_update_time seconds, the
       server logs the maximal count and  rate  values  measured,
       together  with  (service, client) information and the time
       of day associated with those events.  In  order  to  avoid
       unnecessary  overhead, no measurements are done for activ-
       ity that isn't concurrency limited or rate limited.

BUGS
       Systems behind  network  address  translating  routers  or
       proxies appear to have the same client address and can run
       into connection count and/or rate limits falsely.

       In this preliminary implementation, a count (or rate) lim-
       ited  server  process can have only one remote client at a
       time. If a server process  reports  multiple  simultaneous
       clients,  state is kept only for the last reported client.

       The anvil(8) server automatically discards client  request
       information  after  it  expires.   To prevent the anvil(8)
       server from discarding client request rate information too
       early  or  too  late, a rate limited service should always
       register connect/disconnect events even when it  does  not
       explicitly limit them.

CONFIGURATION PARAMETERS
       On low-traffic mail systems, changes to main.cf are picked
       up automatically as anvil(8) processes run for only a lim-
       ited  amount  of time. On other mail systems, use the com-
       mand "postfix reload" to speed up a change.

       The text below provides  only  a  parameter  summary.  See
       postconf(5) for more details including examples.

       anvil_rate_time_unit (60s)
              The  time  unit  over which client connection rates
              and other rates are calculated.

       anvil_status_update_time (600s)
              How frequently the  anvil(8)  connection  and  rate
              limiting server logs peak usage information.

       config_directory (see 'postconf -d' output)
              The  default  location  of  the Postfix main.cf and
              master.cf configuration files.

       daemon_timeout (18000s)
              How much time a Postfix daemon process may take  to
              handle  a  request  before  it  is  terminated by a
              built-in watchdog timer.

       ipc_timeout (3600s)
              The time limit for sending or receiving information
              over an internal communication channel.

       max_idle (100s)
              The  maximum  amount  of  time that an idle Postfix
              daemon process waits  for  an  incoming  connection
              before terminating voluntarily.

       max_use (100)
              The  maximal  number of incoming connections that a
              Postfix daemon process will service  before  termi-
              nating voluntarily.

       process_id (read-only)
              The  process  ID  of  a  Postfix  command or daemon
              process.

       process_name (read-only)
              The process name of a  Postfix  command  or  daemon
              process.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (see 'postconf -d' output)
              The  mail  system  name  that  is  prepended to the
              process name in syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".

SEE ALSO
       smtpd(8), Postfix SMTP server
       postconf(5), configuration parameters
       master(5), generic daemon options

README FILES
       TUNING_README, performance tuning

LICENSE
       The Secure Mailer license must be  distributed  with  this
       software.

HISTORY
       The anvil service is available in Postfix 2.2 and later.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

                                                                      ANVIL(8)