Skip to main content


Last updated March 2020

Failed SMTP AUTH limiting. This is essentially the same as Directory Harvest Attack (DHA) prevention for invalid recipient handling, except it is applied to failed AUTH LOGIN requests.


This configuration table is currently disabled in the default_policy.lua file. Uncommenting this table will have no effect.

Find below the sample excerpt included in the dp_config.lua file.

msys.dp_config.audit_series.invalid_smtp_auth = {
  type = "cidr",
  interval = 900,
  buckets = 4,
  thresholds = {
    { check = true,
      key = "/32",
      startv = 0,
      endv = 3,
      threshold = 100,
      honor_whitelist = { "global" } },
    { check = true,
      key = "/24",
      startv = 0,
      endv = 3,
      threshold = 1000,
      honor_whitelist = { "global" } }
  options = {
    persist = true

The elements of this configuration table are as follows:


Legal values for this element are cidr and, as of version 3.4, cidr_ipv6.


The time interval that you wish to look at measured in seconds. A reasonable value might be 900.


A bucket is a window of time of the length defined by "interval". A reasonable value might be 4.


Count over which we do not allow any more SMTP AUTH commands. thresholds is a nested table with this configuration option. The following list defines the attributes of the individual thresholds.


Whether or not to use this configuration item.


The CIDR mask length for the threshold (the leading forward slash is required).


The starting bucket (0 is the current bucket) to query across.


The ending bucket.


The threshold for this specific CIDR mask. When this threshold is reached a code 421 is sent with the message Failed SMTP AUTH rate limit exceeded.


A table listing any applicable whitelists set in the msys.dp_config.whitelist table.


This item is a table with the following possible keys:


Write audit series to log. The value may be true or false; false is the default.

When true, the log will be written to the directory defined by the serialize_dir option in the inbound_audit module. The default value for this option is /var/log/ecelerity/audit_series_persist.


Defaults to none, but can be cluster to send to all nodes, or manager to send only to cluster manager nodes. This requires explicit configuration in the cluster stanza to operate correctly. For more information see Data Replication.


When set to true, the audit series will be persisted. The persisted series will be reloaded when the engine restarts. The default value is false.

Was this page helpful?