Re: avoiding overload on port 587

  • Tomas Macek
    Message 1 of 54, Nov 30, 2012
      On Fri, 30 Nov 2012, lst_hoe02@... wrote:

      > Zitat von Tomas Macek <macek@...>:
      >> On Fri, 30 Nov 2012, lst_hoe02@... wrote:
      >>> Zitat von Tomas Macek <macek@...>:
      >>>> I don't understand now, how Postfix behaves when listening on submission
      >>>> port 587.
      >>>> Our mailserver is sometimes overloaded on port 25, so we want to use
      >>>> postscreen. But I don't understand, how Postfix works when it's stressed
      >>>> on port 587, when spammers connect to that opened port and want to send
      >>>> their "emails". In document http://www.postfix.org/STRESS_README.html
      >>>> there is:
      >>>> NOTE: To avoid "overload" delays for end-user mail clients, enable the
      >>>> "submission" service entry in master.cf (present since Postfix 2.1), and
      >>>> tell users to connect to this instead of the public SMTP service.
      >>>> Should this mean, that Postfix by default does not use counters like
      >>>> smtpd_hard_error_limit, smtpd_junk_command_limit and maybe others on
      >>>> submission port? On this port I would prefer using some kind of smtp auth
      >>>> and this port should be world accessible to allow the clients using other
      >>>> networks to authenticate and send emails.
      >>> Port 587 is by default nothing special for Postfix because it is mostly a
      >>> clone of the Port 25 service. The *intended* difference is that Port 587
      >>> should only accept mail by authenticated users, so no chance for spammers
      >>> if they don't own valid credentials. To actually see the difference
      >>> between Port 25 and Port 587 settings you have to compare the entries in
      >>> master.cf.
      >>> Regards
      >>> Andreas
      >> OK, so there is a chance for spammers to overload the server using
      >> submission port 587 (the server says then "service "smtp" (25) has
      >> reached its process limit "200"") by exhausting number of available ports
      >> and the MUA clients then can have also problems to send their
      >> emails? Am I right?
      > The number of available ports is an OS thing, Postfix can be configured in
      > master.cf to not allow more than maxproc-column service processes *per
      > service*. So if you have 200 maxproc for Port 25 and another 200 for Port 587
      > your OS must be able to handle at least 400 connections (open ports, fds
      > etc.). If 200 are reached at Port 25 Postfix will still accept up until 200
      > connections on Port 587, but refuses any further connections on Port 25.

      According to the doc:
      It works as follows. When a "public" network service such as the SMTP
      server runs into an "all server ports are busy" condition, the Postfix
      master(8) daemon logs a warning, restarts the service (without
      interrupting existing network sessions), and runs the service with "-o
      stress=yes" on the server process command line:

      Just see "all server ports are busy": what means the "ports"? Because I
      experienced the stress=yes at smtpd processes, when just 121 smtpd
      processes were running that time.

      >> If I'm, then I don't understand, why to split the processes into submission
      >> 587 and normal 25, because if the MUA client sends the mail
      >> through 25 (hope with postscreen), there is a chance that the 25 is not
      >> overloaded (because it uses postscreen) and he will be rather
      >> able to send his email compared to 587.
      >> Or I don't still understand something ... :-)
      > No, MUA should use Port 587 and *authentication*. Port 25 is for MTA <--->
      > MTA transfer *without* authentication. It does work to use Port 25 with MUA
      > but it is not recommended these days. Postscreen is able to prevent some
      > spammer connections to actually allocate one of these 200 port 25 processes so
      > the boundary is higher but still applies.
      > Andreas

      Yes, I understand this well and know about it and this is what I want. But
      don't understand how to avoid overloading the server, when spammers will
      try to connect and send their mails to the port 587.
      If the Postfix's behaviour on port 587 is the same as with 25, it seems to
      me to be better to let the MUAs to send their mail to 25. In the
      postscreen the mynetworks are automatically whitelisted and on 25 they
      have better chance to send their mails, because 25 should not be
      overloaded because of postscreen used.

      Using firewall on 587 is useless, because our clients travel with their
      computers even around Europe and want to send their mails.
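One way to lay out the two services the thread compares, as an added example (not configuration posted in the thread): a postscreen-fronted port 25 and a separate submission pool that only accepts authenticated senders and has its own maxproc, with the stress-dependent settings following the pattern STRESS_README describes. The maxproc values 200 and 100 and the per-client limit of 10 are assumed.

```conf
# master.cf (assumed layout): two independent process pools, so that
# "service smtp (25) has reached its process limit" only throttles port 25,
# and port 587 clients see stress=yes only when *their* pool is full.
#
# service    type  private unpriv chroot wakeup maxproc command + args
smtp         inet  n       -      n      -      1       postscreen
smtpd        pass  -       -      n      -      200     smtpd
dnsblog      unix  -       -      n      -      0       dnsblog
tlsproxy     unix  -       -      n      -      0       tlsproxy
#
# Submission: same smtpd binary, but unauthenticated clients are refused
# at RCPT TO, so a spammer without credentials cannot relay. Note that a
# connecting client still occupies one of the 100 processes until it gives
# up or times out; the per-client limit and the stress settings below
# bound how long that is.
submission   inet  n       -      n      -      100     smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_connection_count_limit=10

# main.cf (assumed values): when master(8) restarts a service with
# "-o stress=yes", the ${stress?X}${stress:Y} form picks X, otherwise Y.
# This is how smtpd_hard_error_limit and smtpd_junk_command_limit become
# tighter under overload on whichever port is saturated; mynetworks is
# exempt from the per-client limits via smtpd_client_event_limit_exceptions.
smtpd_timeout = ${stress?10}${stress:300}
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_junk_command_limit = ${stress?1}${stress:100}
```

Check what each service ended up with using `postconf -M` (Postfix 2.9 and later) and, while a service is under stress, look for the master(8) warning and the `-o stress=yes` argument on the restarted smtpd processes.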

    • /dev/rob0
      Message 54 of 54, Dec 4, 2012
        On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
        > On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
        > > I would still also set up port 587 on the mail.example.com
        > > IP as submission as well and try to encourage your users (at
        > > least the ones you can) to use port 587 from now on.
        > What I would do, on Linux with IPv4 only, is create the submission
        > port and use an iptables redirect for the alternate IP address:
        > # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
        > mail.example.com -j REDIRECT --to-port submission
        > This saves the overhead (system and administrative) of running
        > another smtpd on [mail.example.com]:25; he can leave his "smtp ...
        > smtpd" service alone in master.cf.

        Or better yet: replace it with postscreen.

        > I should also add as a reply to Stan in the other subthread: look
        > above at the first quoted paragraph: "Outlook Expresses setup with
        > ... default configuration."
        > Yikes, bad news, very bad. If not doing content filtering nor
        > policy limitation of submission now, he will be soon. And possibly
        > losing his job in any case. Tomas is not in a good place right now.

        To clarify, I meant that if those Outlook Expresses are not yet
        compromised by malware, they will be, soon.
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: