Asif Iqbal | 3 Feb 08:56

tcpserver: status: 120/120

qmail smtpd was working fine and most of the time in the last few years it
was usually 1/120 to 5/120.

I am seeing all 120 incoming connections are staying filled up.

Is there any non-patch way to limit the number of incoming connections per host
making it through port 25?

here is the qmail-showctl http://pastebin.com/mx9skbWk

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Andy Bradford | 4 Feb 02:40

Re: tcpserver: status: 120/120

Thus said Asif Iqbal on Fri, 03 Feb 2012 02:56:56 EST:

> I am seeing all 120 incoming connections are staying filled up.

Why are they staying filled up? There are many reasons why this could be
happening. Is  the server under  a Denial of  Service attack? Or,  is it
just a few hosts that seem to be holding the connection open longer than
they should?  Use tcpdump  (or recordio) to  find out  what's happening.
It's possible that some spammer just has a broken SMTP client and is not
QUITing in a suitable amount of time.

Before you start  applying patches and potential solutions,  you need to
identify the actual problem.

Andy

Asif Iqbal | 4 Feb 03:44

Re: tcpserver: status: 120/120

On Fri, Feb 3, 2012 at 8:40 PM, Andy Bradford
<amb-sendok-1330911659.fbmioobiocpoaipnkikb <at> bradfords.org> wrote:
> Thus said Asif Iqbal on Fri, 03 Feb 2012 02:56:56 EST:
>
>> I am seeing all 120 incoming connections are staying filled up.
>
> Why are they staying filled up? There are many reasons why this could be
> happening. Is  the server under  a Denial of  Service attack? Or,  is it
> just a few hosts that seem to be holding the connection open longer than
> they should?  Use tcpdump  (or recordio) to  find out  what's happening.
> It's possible that some spammer just has a broken SMTP client and is not
> QUITing in a suitable amount of time.
>
> Before you start  applying patches and potential solutions,  you need to
> identify the actual problem.

I also noticed multiple greylite processes were running for a long time, like below.

(iqbala)@qmail:~$ ps -eo pid,etime,args | grep g[r]ey
12909    03:34:35 /usr/local/bin/greylite /var/qmail/bin/qmail-smtpd

It should not be running longer than a few seconds when the system is working correctly.

So far, the only quick fix was rebooting the mail server.

Here is how the qmail-smtpd starts

(iqbala)@qmail:~$ cat /service/qmail-smtpd/run
#!/bin/sh


Jason Haar | 4 Feb 05:04

Re: tcpserver: status: 120/120

If you are running Linux, "pstree" or "ps -ejH" can show you all the
processes on your system in a tree structure - really useful for showing
where roadblocks are. e.g. if you see 120 greylite processes - that may
imply that's where the problem is.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Scott Brynen | 4 Feb 06:46

RE: tcpserver: status: 120/120

Do a
# netstat -an
and see where all those connections are coming from.

________________________________________
From: Jason Haar [Jason_Haar <at> trimble.com]
Sent: Friday, February 03, 2012 20:04
To: Qmail List
Subject: Re: tcpserver: status: 120/120

If you are running Linux, "pstree" or "ps -ejH" can show you all the
processes on your system in a tree structure - really useful for showing
where roadblocks are. e.g. if you see 120 greylite processes - that may
imply that's where the problem is.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
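
The netstat check suggested above, as an added example (not code from any poster in this thread): it counts inbound port-25 connections per remote address and TCP state. It assumes Linux-style `netstat -an` columns; the sample output, its addresses and the function name `smtp_peers` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of Linux `netstat -an` output (documentation addresses).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40113      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40114      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:51822       ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:51830       CLOSE_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.50:60022      ESTABLISHED
tcp        0      0 192.0.2.10:33100        198.51.100.99:25        ESTABLISHED
EOF
}

# smtp_peers: read netstat output on stdin and print "count remote_ip state"
# for inbound connections to local port 25, busiest first. Outbound
# deliveries (remote port 25) and other services are ignored.
smtp_peers() {
    awk '$1 ~ /^tcp/ && $4 ~ /:25$/ && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # strip the remote port
            n[ip " " $6]++
         }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Live use would be: netstat -an | smtp_peers
sample_netstat | smtp_peers
```

Many CLOSE_WAIT entries mean the remote side has already hung up and the local process behind tcpserver is what still holds the slot.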

Robert Wolfe | 4 Feb 07:05

Using Smarthost to relay email from qmail

Hi all!  Crossposting this on the local LUG mailing list as well to see if anyone locally can help, too :)

 

I have an account set up at JangoMail to use them as my SMTP relay service.  However, I was wondering what I needed to do to set up QMail to allow it to use them for relaying outgoing email using a username and password (SMTP AUTH) to send any outbound messages?

Shepherd Nhongo | 4 Feb 07:25

Re: Using Smarthost to relay email from qmail



On Sat, Feb 4, 2012 at 8:05 AM, Robert Wolfe <rwolfe <at> fpsoft.net> wrote:

> Hi all!  Crossposting this on the local LUG mailing list as well to see if anyone locally can help, too :)
>
> I have an account set up at JangoMail to use them as my SMTP relay service.  However, I was wondering what I needed to do to set up QMail to allow it to use them for relaying outgoing email using a username and password (SMTP AUTH) to send any outbound messages?


Do you have the smtproutes file?

as a root user# vi /var/qmail/control/smtproutes
add the following entry below in your smtproutes file

jangomail.com:mail.jangomail.com yourusername yourpassword

Syntax
[<email_domain>]:<mail_server_hostname_or_ip_address> [<smtp_auth_username> <smtp_auth_password>] 

      



--
Shepherd Nhongo

Do not Queue mail with SENDMAIL, send mail with QMAIL

Mobile +267 74476040

Roman Levitskiy | 4 Feb 07:59

Re: Using Smarthost to relay email from qmail

On Sat, Feb 04, 2012 at 08:25:34 +0200, Shepherd Nhongo wrote:
> as a root user# vi /var/qmail/control/*smtproutes*
> add the following entry below in your smtproutes file
> 
> jangomail.com:mail.jangomail.com yourusername yourpassword

There is no smtp authentication ability in original qmail.
You have to use appropriate patch for this.
The one I was using you can find at 
http://fehcom.de/qmail/smtpauth.html

--
Roman

Erwin Hoffmann | 4 Feb 13:51

POP3 dictionary attacks -- change of bot strategy

Hi everybody,

Since roughly December 13th last year I have seen a significant change in the bots' activities:

a) Greetdelay'ing the SMTP sessions -- working great for years -- is almost useless now.

b) In parallel with this change, I observe significant lexical/dictionary attacks against my POP3
service (POP3S not yet):

Yesterday:

2012-02-03 20:17:45.319228500 qmail-popup: pid 10225 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utility'
2012-02-03 20:17:46.662410500 qmail-popup: pid 10228 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'utpal'
2012-02-03 20:17:48.001400500 qmail-popup: pid 10231 Reject::AUTH::User: P:POP3U S:202.165.183.164:unknown ?= 'uucp'
2012-02-03 21:35:32.417104500 qmail-popup: pid 11081 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'david <at> 217'
2012-02-03 21:35:34.678555500 qmail-popup: pid 11086 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'dave <at> 217'
2012-02-03 21:35:36.939112500 qmail-popup: pid 11091 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'mike <at> 217'
2012-02-03 21:35:39.196582500 qmail-popup: pid 11108 Reject::AUTH::User: P:POP3U S:120.65.9.164:unknown ?= 'tony <at> 217'

Today:

 qmail-popup: pid 17593 Reject::AUTH::User: P:POP3U S:81.169.140.224:h1989281.stratoserver.net ?= 'client'

.... resulting in a few thousand lookups every day. 

Thus, within my forthcoming Spamcontrol 2.7 I've included logging of the POP3 username within qmail-popup.

Further, I will make a patch available against UCSPI-TCP enabling CIDR notation in the tcprules database.

regards.
--eh.

PS: Anybody who is interested should contact me for a beta version of both.

-- 
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
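
Detection logic for the rejected-login lines quoted in the message above, as an added example (not part of the original post or of Spamcontrol): it counts rejects and distinct usernames per source and lists the sources that reach a threshold. The sample lines are constructed with documentation addresses, IPv4 sources are assumed, and the function names `pop3_guessers` and `to_tcprules` are hypothetical.

```shell
#!/bin/sh
# Constructed sample, one event per line, in the format of the excerpt above.
sample_pop3_log() {
cat <<'EOF'
2012-02-03 20:17:45.319228500 qmail-popup: pid 10225 Reject::AUTH::User: P:POP3U S:198.51.100.7:unknown ?= 'utility'
2012-02-03 20:17:46.662410500 qmail-popup: pid 10228 Reject::AUTH::User: P:POP3U S:198.51.100.7:unknown ?= 'utpal'
2012-02-03 20:17:48.001400500 qmail-popup: pid 10231 Reject::AUTH::User: P:POP3U S:198.51.100.7:unknown ?= 'uucp'
2012-02-03 20:17:49.340112500 qmail-popup: pid 10234 Reject::AUTH::User: P:POP3U S:198.51.100.7:unknown ?= 'uwe'
2012-02-03 21:35:32.417104500 qmail-popup: pid 11081 Reject::AUTH::User: P:POP3U S:203.0.113.9:unknown ?= 'david'
2012-02-03 21:35:34.678555500 qmail-popup: pid 11086 Reject::AUTH::User: P:POP3U S:203.0.113.9:unknown ?= 'dave'
2012-02-03 21:35:36.939112500 qmail-popup: pid 11091 Reject::AUTH::User: P:POP3U S:203.0.113.9:unknown ?= 'dave'
 qmail-popup: pid 17593 Reject::AUTH::User: P:POP3U S:192.0.2.55:host.example.net ?= 'client'
EOF
}

# pop3_guessers MIN: read the log on stdin and print "ip rejects distinct_users"
# for every source with at least MIN rejected logins (default 3), busiest first.
pop3_guessers() {
    awk -v min="${1:-3}" -v q="'" '
        /qmail-popup: .*Reject::AUTH::User:/ {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++)            # first S:<ip>:<host> field
                if ($i ~ /^S:/) { split($i, s, ":"); ip = s[2]; break }
            if (ip == "") next
            if (match($0, "\\?= " q ".*" q "$")) # quoted username at end of line
                user = substr($0, RSTART + 4, RLENGTH - 5)
            rejects[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in rejects)
                if (rejects[ip] >= min) print ip, rejects[ip], users[ip]
        }' | sort -k2,2nr -k1,1
}

# to_tcprules: turn that report into candidate tcprules deny lines for review.
to_tcprules() { awk '{ print $1 ":deny" }'; }

# Live use would read the qmail-popup log instead of the sample.
sample_pop3_log | pop3_guessers 3
```

A high distinct-username count from one source is the dictionary pattern; a high reject count with a single username is more likely a misconfigured mail client.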

Andy Bradford | 4 Feb 18:45

Re: POP3 dictionary attacks -- change of bot strategy

Thus said Erwin Hoffmann on Sat, 04 Feb 2012 13:51:02 +0100:

> a) Greetdelay'ing the  SMTP sessions -- working great for  years -- is
> almost useless now.

What makes you think it is  worthless now? From my observation, it still
seems relevant:

$ grep 'tcpserver: pid .* from .*' current | wc -l
   5520
$ grep -c greetdelay current
1314
$ echo '2k 1314 5520 /p' | dc
.23

23% is  not shabby in  my opinion.  It's  possible that the  bots hitting
your servers have different behavior?

Andy

