
Flow Control Filter

Getting Started Guide


Version 2.0
Sendmail Flow Control Filter, Getting Started Guide Copyright © 2000-2007 Sendmail, Inc. All rights reserved. Sendmail is a registered
trademark, and the Sendmail logo is a trademark of Sendmail, Inc. Other product and company names mentioned herein may be the
trademarks of their respective owners. Reproduction or distribution of this publication is prohibited without the prior written consent of
Sendmail, Inc.
Use of Sendmail Switch and the Sendmail Filters are subject to the terms and conditions of the Sendmail, Inc. License Agreement included
with this package. Refer to the License Agreement for further details. To view the Sendmail Switch copyright statement, click on the
Sendmail Switch graphic in the login screen.
THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT.
THIS PUBLICATION COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE
PERIODICALLY ADDED TO THE INFORMATION HEREIN, THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS
OF THE PUBLICATION. SENDMAIL, INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR
THE PROGRAM(S) DESCRIBED IN THIS PUBLICATION AT ANY TIME.
Printed in the United States of America
Part Number: FIL-FLOW-DOC-UTXT
January 2007
Contents
1. Introduction
    System Requirements
    Additional Documentation

2. Installing Flow Control Filter
    Installation Scenarios
        Working with LDAP Certificates
    Installing Flow Control Filter
    Starting Flow Control Filter From Switch
    Manually Starting Flow Control Filter
        Verifying Flow Control Filter Operations
    Starting Flow Control Filter Services at System Boot
    Upgrading Flow Control Filter
        Upgrade Tasks on Sentrion
    Removing Flow Control Filter

3. Configuration File
    Notification
    Firewall Blocks
    Reputation Services
    Compatibility and Logging
    Data Integrity
    Integration with LDAP
    Default Flow Control Filter Configuration File
        Settings Edited During Installation
        Sample Configuration File
        Configuration File Changes Without Reputation Services

Sendmail® Flow Control Filter Getting Started Guide i


1. Introduction
The Sendmail® Flow Control Filter Getting Started Guide contains information to help you
successfully implement Flow Control Filter software on your system. This guide includes the
following sections:
• What’s New in Flow Control Filter 2.0
• System Requirements
• Before You Begin
• Installing Flow Control Filter
• Manually Starting Flow Control Filter

System Requirements
Flow Control Filter requires the following minimum operating system versions and storage
capacity.

Table 1 Flow Control Filter Operating System Requirements

OS            Versions     Additional Storage*
Red Hat       EL AS 4.0    12 MB
SuSE Linux    SLES 9       12 MB
Solaris       9/10         12 MB

*Additional storage means the amount in addition to the requirements for installing Sendmail Switch.

Additional Documentation
In addition to this Getting Started Guide, refer to the following Flow Control Filter
publications for additional information. They are bundled with your download package.
• Sendmail® Flow Control Filter Administration Guide
• RELEASE-NOTES.txt
The Flow Control Filter installation includes working with the SnortSam firewall agent.
SnortSam documentation can be found at the following URL:
http://www.snortsam.net/documentation.html



2. Installing Flow Control Filter
This chapter provides instructions for installing the Flow Control Filter application.

Installation Scenarios
You can run the Flow Control installation script to install the following components or
combination of components:
• Flow Control Filter, SnortSam agent and Reputation Server
• Flow Control Filter (standalone)
• SnortSam agent installed as part of the Flow Control Filter installation. In this case,
Flow Control Filter is not used.
• Flow Control Filter and Reputation Server

Working with LDAP Certificates


The installation program creates a /etc/mail/flow-control/openldap/ldap.conf file
with certain default values. To use certificates on the connection between Flow Control Filter
and the LDAP server, you must first set the value of TLS_CACERTFILE to the path of the file
containing the client-side copy of the LDAP server certificate.

Installing Flow Control Filter


Follow these steps to install Flow Control Filter, SnortSam agent and Reputation Server. This
procedure assumes this is a clean installation. The installation flow and the prompts displayed
can differ if:
• Flow Control Filter v1.6 has previously been installed.
• Flow Control components have already been installed.
1. Download the appropriate .tar file from your Sendmail personal download web
page.
2. Log in as root.
3. Use the cd command to move to the directory into which you downloaded the file
from Sendmail.
4. Unpack the file:
• Red Hat EL AS
tar zxvf SFC-200-LNX.tar.gz


• SuSE Linux
tar zxvf SFC-200-LNX.tar.gz
• Solaris
uncompress -c SFC-200-SOL8.tar.Z | tar xvf -
5. Run the package installation command:
/download_dir/smflow-2.0.0/installer
This starts the installation script, which automatically installs your package and runs
through your initial configuration.
6. The installation script prompts you for an installation location.
Where do you want to install the software? [/usr/local]
7. The installation script asks if you want to install the Commtouch reputation server.
The reputation server provides feedback on the integrity of incoming IP addresses.
Install Commtouch reputation server? (y/n) [y]
8. The installation script asks if you want to install the SnortSam Firewall Agent. The
agent communicates with your firewall to block or throttle IP addresses as determined
by Flow Control Filter.
Install SnortSam Firewall Agent? (y/n) [y]

9. After checking for a previous installation, the installation script prompts you for the
Sendmail Flow Control Filter License Key.
You should have been provided with a license key when you purchased Flow Control
Filter.
Flow Control Filter license key: [no default]
/<your FC license key here>/
This key is case-sensitive.
10. The installation script prompts you for the Sendmail Flow Control Filter Reputation
License Key.

Note – This prompt will not be displayed if you did not select to install the
Commtouch Reputation Server.

You should have been provided with a license key when you purchased Flow Control
Filter.
Flow Control Filter Reputation license key: [no default]
/<your FC reputation license key here>/
This key is case-sensitive.
11. The installation script prompts you for the Reputation Daemon Port. The daemon
requires an unblocked port to communicate with Flow Control. This port must remain
unblocked while running Flow Control.
Reputation daemon port: [5678]

12. The installation script prompts you for the Flow Control Accept CIDR. The SnortSam
agent uses this IP address for connection purposes.
Flow Control CIDR: [no default]


13. The installation script prompts you for the SnortSam Auth Password. This password
is used to authenticate Flow Control requests sent to SnortSam.
SnortSam Auth Password:
Confirm Password:
14. The installation script prompts you for the Flow Control Firewall Configuration type.
Select the type of firewall that the SnortSam agent will connect to:
1. iptables
2. Check Point
3. Cisco
Depending on your selection, additional prompts are displayed:

iptables
Firewall Configuration
a. Select the interface to be controlled by this selection. (Selections will vary)
b. Logging option for your configuration type

Check Point
Firewall IP address [no default]

Cisco
a. IP address for the Cisco firewall
b. Login password
c. Confirm login password
d. Enable password
e. Confirm enable password

Note – The SnortSam agent looks for the iptables binary in the default installation
directory /sbin. If you have installed the iptables binary elsewhere, you should
create a symlink to the new location in /sbin. Do not copy the binary.

15. The installation script prompts you for the port SnortSam will use to connect.
SnortSam port: [898]
16. The installation script displays your installation settings for review. Enter a step
number to change a setting, or enter y to accept these settings and install Flow
Control.
During the installation, you should receive notification that the following startup
scripts have been created:
flow-control.sh
snortsam.sh
ctipd.sh
A soft link /etc/init.d/flow-control has also been created to point to the
flow-control.sh startup script.
During the installation, the script checks for an existing configuration file. If none is
found, a default configuration file is generated. See Appendix A for more information
about this configuration file.


Starting Flow Control Filter From Switch


Log into the Sendmail Switch Administration Console to configure and start the Flow Control
Filter.
1. Log into the Sendmail Switch Configuration Page.
2. Click Filter Configuration.
3. Enable the filter by clicking Yes.
4. Click Configure.
5. Enter the appropriate data and click the Save button.
6. Click the Save and Deploy button to start and deploy with the new configuration
just saved, or start the filter manually as noted below.

Manually Starting Flow Control Filter


Once the configuration is created, you can manually start the Flow Control Filter by typing the
following commands:
/etc/init.d/snortsam start
/etc/init.d/flow-control start
/etc/init.d/ctipd start
To stop or restart the Flow Control Filter, use the same command string, substituting stop or
restart in place of start.
If a reputation server is installed on the local machine, the /etc/init.d/flow-control
start script will start the reputation service as well as Flow Control Filter. The
/etc/init.d/flow-control stop script will stop both services, and restart will restart
both services.

Verifying Flow Control Filter Operations


To verify that the flow-control daemon is running (that is, present in the process table),
enter the following commands:
On Linux:
# ps auxww | grep flow
or
# ps -ef | grep flow
On Solaris:
# ps -ef | fgrep flow-control
smadmin 23472 0.0 0.2 5796 1220? Ssl Dec20 0:00
/usr/local/sendmail/smflow-2.0/bin/flow-control -p
local:/var/sendmail/flow-control/flow-control.sock -C
/etc/mail/flow-control.conf -l -P /var/sendmail/flow-control/flow-control.pid
-u smadmin


Starting Flow Control Filter Services at System Boot


If you configure the filter to start automatically upon system boot on UNIX or Windows, set
the filter to start before the sendmail MTA. If not, mail could be rejected by the local sendmail
MTA, depending on your configuration.
On RedHat:
Run the following command:
chkconfig --add flow-control
For example:
# which chkconfig
/sbin/chkconfig
# chkconfig --list | grep flow
# chkconfig --add flow-control
# chkconfig --list | grep flow
flow-control 0:off 1:off 2:off 3:on 4:on 5:on 6:off
• If you have a firewall configured in the flow-control.conf file, add the startup
command for the SnortSam agent.
# chkconfig --add snortsam
• If you have Reputation Server configured in the flow-control.conf file, add the
startup command for the ctipd daemon.
# chkconfig --add ctipd
On Solaris:
Add a symlink to the rc<3>.d directory:
# ln -s /etc/init.d/flow-control S<n>flow-control
• If you have a firewall configured in the flow-control.conf file, add a symlink to
start the SnortSam agent.
# ln -s /etc/init.d/snortsam S<n-1>snortsam
• If you have Reputation Server configured in the flow-control.conf file, add a
symlink to start the ctipd daemon.
# ln -s /etc/init.d/ctipd S<n-1>ctipd
On SentriOS:
The Flow Control startup script mentioned above is already part of the /etc/init.d
directory.
• If you have a firewall configured in the flow-control.conf file, add a symlink to
start the SnortSam agent in the rc<3>.d directory.
# ln -s /etc/init.d/snortsam S<n-1>snortsam
• If you have Reputation Server configured in the flow-control.conf file, add a
symlink to start the ctipd daemon in the rc<3>.d directory.
# ln -s /etc/init.d/ctipd S<n-1>ctipd


Upgrading Flow Control Filter


Make sure your system has the most current Flow Control patch (v1.6.3) before upgrading to
Flow Control 2.0.
To upgrade, follow the installation instructions used in “Installing Flow Control Filter” on
page 3.

Note – The /usr/local/sendmail/smflow-1.6 folder is not removed during the upgrade.

Flow Control Filter 2.0 can parse and handle a 1.6.x configuration. It will log the following
warning when it performs a class conversion:
Message/Response in class %s deprecated; converting to Action
In this message, %s is replaced by the class being defined. A message is logged for UserLimit
cases as well.

Upgrade Tasks on Sentrion


When upgrading the Sentrion operating system (SentriOS), the Flow Control Filter installation
script does not detect previous installations of Flow Control. Stop the Flow Control Filter
process before upgrading the software.
When upgrading from Flow Control Filter v1.6 to v2.0 on SentriOS, the
/usr/local/sendmail/smflow link, which points to
/usr/local/sendmail/smflow-1.6, must be removed and re-created to point to
/usr/local/sendmail/smflow-2.0.

Removing Flow Control Filter


To remove Flow Control Filter and its components, run the uninstall script located in the
/usr/local/sendmail/smflow-2.0/install directory:

1. Stop Flow Control filter before removing its components.


2. Run the uninstall script:
./uninstaller
The uninstall script may not remove the /usr/local/sendmail/smflow-2.0/ directory.
You can safely remove the directory manually.



Appendix A: Configuration File
The Flow Control Filter configuration file, flow-control.conf, consists of several
segments. The following sections provide additional detail for each segment. The default
flow-control.conf file is included at the end of this appendix.

Notification
Because of the nature of MX records and the fact that multiple mail hosts might handle mail
for a given domain, spammers and abusive senders can reach mailboxes through multiple
vectors. Ideally, if Flow Control applies a restriction to a sending host, for whatever reason,
that mail server’s peers would apply the same restriction to the same SMTP client. In other
words, “If you try to send us too much mail, all of our servers will refuse you.” To ensure that
the mailhosts in an enterprise present a consistent response to external senders, use the Notify
action. Use the following configuration options:
Notify mx1.your-company.com:1234:rs:sam3st0ry
Notify mx2.your-company.com:1234:rs:sam3st0ry

<Action NotifyBlockBadConn>
Notify True

</Action>
<Action NotifyDefaultConn>
Notify True

</Action>
<Action NotifyDefaultRecpts>
Notify True

</Action>


Firewall Blocks
Even if a host has triggered a Flow Control Filter action, whether by attempting a directory
harvest attack or sending too much volume, there is still some overhead involved in blocking
that host. The MTA will still accept a connection, then pass the connection to Flow Control
Filter. When the filter recognizes that this is a blocked host, it directs the MTA to tempfail
commands or close the connection (if 421 is in use).
As a result, the MTA and Flow Control are still receiving connections from an abusive host in
the midst of an attack. Instead, use a firewall block statement to correct this condition as
shown below:
Firewall 127.0.0.1:898:snortsam
<Action NotifyBlockBadConn>

Block True

</Action>

Reputation Services
Flow Control Filter provides integration with reputation services provided by Commtouch.
This service relies upon similar classification methods employed by Commtouch to identify
spam. The default flow-control.conf file uses reputation values and volume limits as
suggested by Commtouch:
ReputationServer 127.0.0.1:5678
ReputationUnavailable TEMPFAIL
<Reputation moderate>
If ip-class = R7
If ip-class = T3
</Reputation>

<Reputation aggressive>
If ip-class = T4
If ip-class = R8
</Reputation>

<Reputation extreme>
If ip-class = T5
If ip-class = R9
</Reputation>

<Reputation private>
If ip-class = G3
</Reputation>


<Class BadGuys>

Reputation extreme

</Class>
<Class Aggressive>

Reputation aggressive

</Class>

<Class Moderate>

Reputation moderate

</Class>

Compatibility and Logging


Tuning Flow Control Filter involves regularly examining logs for misbehaving hosts
or configuration problems, which requires log data. The fc-query command also
provides input to this tuning process by listing which hosts are currently being tracked,
which limits are in play, and so on. In addition, the cluster-query process that is part of
the Switch interface attempts to contact the control socket of the filter on port 8898. To
support these tasks, a number of options must be set in the configuration file:
ControlSocket inet:8898
Log True
MaxTracking 10000
WarnAt 80

Data Integrity
You can periodically save the state of the tracked hosts and their limits so that a restart of the
filter does not allow misbehaving hosts to start over with a clean slate. To do so, set these two
options:
StateFile /var/sendmail/flow-control/fc.state
StateInterval 0


Integration with LDAP


When Flow Control Filter is used in conjunction with a fully populated LDAP server, it can
detect and limit the impact of Directory Harvesting attacks, as well as block any messages
originating from forged internal senders. Set the following options to accomplish these tasks:

LDAP-Query-Address *@your-company.com
LDAP-Search-Template (mailLocalAddress=%a)
LDAP-Unavailable TEMPFAIL
LDAP-URI ldapi:// ldap://localhost ldap://other-replica-server
PlusDetail True

<Class BadGuys>

BadSender REJECT
</Class>

<Class Aggressive>

BadRecipients 5/1m NotifyDefaultRecpts
BadSender REJECT
</Class>

<Class Moderate>

BadRecipients 5/1m NotifyDefaultRecpts
BadSender REJECT
</Class>

<Class Default>

BadRecipients 5/1m NotifyDefaultRecpts
BadSender REJECT
</Class>


Default Flow Control Filter Configuration File


The following flow-control.conf file is generated as the default configuration file during
installation. It includes Reputation Services. These file settings are updated upon completing
your installation.

Settings Edited During Installation


During installation, you edit the following configuration settings:

Setting                   Definition
fc_firewall_accept        Firewall agent address (snortsam, by default).
fc_firewall_port          Firewall agent port.
fc_firewall_password      Firewall agent password.
reputation_server_addr    IP/PORT address of the ctIPd daemon (127.0.0.1:$ctipd_port by default).

Sample Configuration File


The following default configuration file has Reputation Services enabled. See the next section,
Configuration File Changes Without Reputation Services, for information on how the file
differs when you choose not to install Reputation Services.
## Sample Flow Control 2.0.0 Configuration File
##
## This is a sample configuration file for
## Flow Control 2.0.0.
## Please use and modify at your own discretion.
##
## $Id: flow-control.conf.in,v 1.10 2007/01/26 20:24:19 sowings Exp $
##

AutoRestart /var/sendmail/flow-control/restart.pid
ControlSocket inet:8898
Firewall 127.0.0.1:898:snortsam

##
## LDAP Settings:
##
## You must edit and uncomment these lines according to your specific
## environment to make Flow Control use the data stored in LDAP.
## Please note that you will also have to uncomment and edit all
## BadRecipient and BadSender definitions stored in this configuration
## file to activate those features.
##
#LDAP-Query-Address *@your-company.com
#LDAP-Search-Template (mailLocalAddress=%a)
#LDAP-Unavailable TEMPFAIL


#LDAP-URI ldapi:// ldap://localhost ldap://other-replica-server

Log True
MaxTracking 10000

##
## Auto Notify Hosts:
##
## You must add a line for each auto-notify host, including
## hostname, port, and password.
##
## Examples:
##
#Notify mx1.your-company.com:1234:rs:sam3st0ry
#Notify mx2.your-company.com:1234:rs:sam3st0ry

PlusDetail True
ReputationServer 127.0.0.1:5678
ReputationUnavailable TEMPFAIL
StateFile /var/sendmail/flow-control/fc.state
StateInterval 0
WarnAt 80

<Action PartnerConn>
Response ACCEPT
Message Lots of connections
</Action>
<Action ISPConn>
Response TEMPFAIL
Message Too many connections, please try again later
</Action>
<Action NotifyBlockBadConn>
Notify True
Block True
BlockDuration 1200
DisableTime 20m
Message 421 Too many connections, please try again later
Response TEMPFAIL
</Action>
<Action NotifyDefaultConn>
Notify True
Message 421 Too many connections, please try again later


Response TEMPFAIL
DisableTime 15m
</Action>
<Action NotifyDefaultRecpts>
Notify True
Message 421 Too much mail, please try again later
Response TEMPFAIL
DisableTime 15m
</Action>

<Reputation moderate>
If ip-class = R7
If ip-class = T3
</Reputation>

<Reputation aggressive>
If ip-class = T4
If ip-class = R8
</Reputation>

<Reputation extreme>
If ip-class = T5
If ip-class = R9
</Reputation>

<Reputation private>
If ip-class = G3
</Reputation>

<Class Internal>
Host 127.0.0.1
Host localhost
Host *
Reputation private
</Class>
<Class Partners>
Connections 20/1m PartnerConn
MaxConnections 50
Aggregate False
</Class>
<Class ISPs>
Host .google.com
Host .aol.com
Host .hotmail.com


Host .msn.com
Connections 20/1m ISPConn
MaxConnections 15
Aggregate False
</Class>

<Class BadGuys>
Connections 10/1h NotifyBlockBadConn
Recipients 25/1h
Reputation extreme
Host *
MaxConnections 1
Aggregate False
#BadSender REJECT
</Class>

<Class Aggressive>
Connections 10/1m NotifyDefaultConn
Host *
Reputation aggressive
Recipients 20/6m
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>

<Class Moderate>
Connections 10/1m NotifyDefaultConn
Host *
Reputation moderate
Recipients 50/6m
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>

<Class Default>
Connections 10/1m NotifyDefaultConn
Host *
Recipients 50/6m
MaxConnections 10


Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>
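
The cross-references in the file above (classes naming actions and reputations, actions relying on top-level Notify and Firewall lines) can be checked before a configuration is deployed. The following Python script is an added example, not part of the Sendmail product or of this guide; the functions parse and lint, the directive list, and the treatment of the last colon-separated field as a password are assumptions drawn only from the syntax shown on this page, and the sample input is constructed.

```python
import re

# Directive names seen in this guide's sample file (assumption: not an
# authoritative list of what the product accepts).
KNOWN_TOP = {"AutoRestart", "ControlSocket", "Firewall", "LDAP-Query-Address",
             "LDAP-Search-Template", "LDAP-Unavailable", "LDAP-URI", "Log",
             "MaxTracking", "Notify", "PlusDetail", "ReputationServer",
             "ReputationUnavailable", "StateFile", "StateInterval", "WarnAt"}
RATE_KEYS = {"Connections", "Recipients", "BadRecipients"}
# Secrets printed in the guide's examples (assumption: the last
# colon-separated field of a Notify or Firewall line is the password).
DOC_SECRETS = {"sam3st0ry", "snortsam"}
# Action setting -> top-level line it relies on.
NEEDS_TOP = {"Notify": "Notify", "Block": "Firewall"}

def parse(text):
    """Split a config into top-level (key, value) pairs and named blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        opened = re.fullmatch(r"<(\w+)\s+(\S+)>", line)
        if opened:  # <Kind name> opens a block
            current = blocks.setdefault(opened.groups(), [])
        elif re.fullmatch(r"</\w+>", line):
            current = None
        else:
            key, *rest = line.split(None, 1)
            target = top if current is None else current
            target.append((key, rest[0] if rest else ""))
    return top, blocks

def lint(text):
    """Return a list of findings for the text of a flow-control.conf file."""
    top, blocks = parse(text)
    actions = {name for kind, name in blocks if kind == "Action"}
    reputations = {name for kind, name in blocks if kind == "Reputation"}
    top_keys = {key for key, _ in top}
    findings = []
    for key, value in top:
        if key not in KNOWN_TOP:
            findings.append(f"unknown top-level directive: {key}")
        elif key in NEEDS_TOP.values() and value.rsplit(":", 1)[-1] in DOC_SECRETS:
            findings.append(f"{key} line uses a secret printed in the guide")
    for (kind, name), body in blocks.items():
        for key, value in body:
            words = value.split()
            if kind == "Class" and key in RATE_KEYS:
                if len(words) > 1 and words[1] not in actions:
                    findings.append(f"class {name}: {key} names undefined action {words[1]}")
            elif kind == "Class" and key == "Reputation" and value not in reputations:
                findings.append(f"class {name}: undefined reputation {value}")
            elif kind == "Action" and value == "True" and key in NEEDS_TOP:
                if NEEDS_TOP[key] not in top_keys:
                    findings.append(f"action {name}: {key} True but no top-level {NEEDS_TOP[key]} line")
    return findings

# Constructed input with deliberate defects, modelled on the sample file.
SAMPLE = """\
Firewall 127.0.0.1:898:snortsam
LDAP-Unvailable TEMPFAIL
#Notify mx1.your-company.com:1234:rs:sam3st0ry
<Action NotifyBlockBadConn>
Notify True
Block True
</Action>
<Reputation extreme>
If ip-class = T5
</Reputation>
<Class BadGuys>
Connections 10/1h NotifyBlockBadConn
Reputation extreme
</Class>
<Class Aggressive>
Connections 10/1m NotifyDefaultConn
Reputation aggressive
</Class>
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
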

Configuration File Changes Without Reputation Services


The following changes take place in a default flow-control.conf file created for an
installation not employing Reputation Services.
The Reputation definitions are omitted from the flow-control.conf file.
1. The flow-control.conf file removes:
ReputationUnavailable TEMPFAIL
2. Without a reputation service, Flow Control Filter cannot perform queries to tell if a
given host has the private IP class, so Reputation private and Host * are
removed from the Class Internal definition, and this class is limited to
localhost and 127.0.0.1.
When editing this section, you should add your own internal/public networks and
hosts.
<Class Internal>
Host 127.0.0.1
Host localhost
</Class>
3. Flow Control cannot use reputation to aid in determining whether a given host should
fall in the BadGuys, Aggressive, or Moderate classes, so the Reputation tags
are removed from these class definitions as well.
<Class BadGuys>
Connections 10/1h NotifyBlockBadConn
Recipients 25/1h
MaxConnections 1
Aggregate False
#BadSender REJECT
</Class>
<Class Aggressive>
Connections 10/1m NotifyDefaultConn
Recipients 20/6m
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>
<Class Moderate>
Connections 10/1m NotifyDefaultConn
Recipients 50/6m


MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>
4. For the Default Class, BadSender REJECT is commented out or deleted. The
BadSender and BadRecipients classes are commented out because they rely on
LDAP, which also is commented out by default.
<Class Default>
Connections 10/1m NotifyDefaultConn
Host *
Recipients 50/6m
MaxConnections 10
Aggregate False
#BadRecipients 5/1m NotifyDefaultRecpts
#BadSender REJECT
</Class>
