Loading ...
Sorry, an error occurred while loading the content.

Re: avoiding overload on port 587

Expand Messages
  • Tomas Macek
    ... There is still one thing, that I don t understand: when exactly the postfix says that he is not stressed and restarts the processes with stress=no? This is
    Message 1 of 54 , Nov 30, 2012
    • 0 Attachment
      On Fri, 30 Nov 2012, lst_hoe02@... wrote:

      >
      > Zitat von Tomas Macek <macek@...>:
      >
      >> On Fri, 30 Nov 2012, lst_hoe02@... wrote:
      >>
      >>>
      >>> Zitat von Tomas Macek <macek@...>:
      >>>
      >>>> On Fri, 30 Nov 2012, lst_hoe02@... wrote:
      >>>>
      >>>>>
      >>>>> Zitat von Tomas Macek <macek@...>:
      >>>>>
      >>>>>> I don't understand now, how Postfix behaves when listenting on
      >>>>>> submission port 587.
      >>>>>> Our mailserver is sometimes overloaded on port 25, so we want to use
      >>>>>> postscreen. But I don't understand, how Postfix works when it's
      >>>>>> stressed on port 587, when spammers connect to that opened port and
      >>>>>> want send their "emails". In document
      >>>>>> http://www.postfix.org/STRESS_README.html there is:
      >>>>>>
      >>>>>> NOTE: To avoid "overload" delays for end-user mail clients, enable the
      >>>>>> "submission" service entry in master.cf (present since Postfix 2.1),
      >>>>>> and tell users to connect to this instead of the public SMTP service.
      >>>>>>
      >>>>>> Should this mean, that Postfix by default does not use counters like
      >>>>>> smtpd_hard_error_limit, smtpd_junk_command_limit and maybe others on
      >>>>>> sumission port? On this port I would prefer using some kind of smtp
      >>>>>> auth and this port should be world accessible to allow the clients
      >>>>>> using other networks to authenticate and send emails.
      >>>>>>
      >>>>>
      >>>>> Port 587 is by default nothing special for Postfix because it is mostly
      >>>>> a clone of the Port 25 service. The *intended* difference is that Port
      >>>>> 587 should only accept mail by authenticated users, so no chance for
      >>>>> spammers if they don't own valid credentials. To actually see the
      >>>>> difference between Port 25 and Port 587 settings you have to compare the
      >>>>> entries in master.cf.
      >>>>>
      >>>>> Regards
      >>>>>
      >>>>> Andreas
      >>>>>
      >>>>
      >>>> OK, so there is a chance for spammers to overload the server using
      >>>> submission port 587 (the server says then "service "smtp" (25) has
      >>>> reached its process limit "200"") by exhausting number of available ports
      >>>> and the MUA clients then can have also problems to send their
      >>>> emails? I'm I right?
      >>>
      >>> The number of available ports is a OS thing, Postfix can be configured in
      >>> master.cf the not allow more than maxproc-column service processes *per
      >>> service*. So if you have 200 maxproc for Port 25 and another 200 for Port
      >>> 587 your OS must be able to handle at least 400 connections (open ports,
      >>> fds etc.). If 200 are reached at Port 25 Postfix will still accept up
      >>> until 200 connections on Port 587, but refuses any further connections on
      >>> Port 25.
      >>
      >> According to the doc:
      >> It works as follows. When a "public" network service such as the SMTP
      >> server runs into an "all server ports are busy" condition, the Postfix
      >> master(8) daemon logs a warning, restarts the service (without interrupting
      >> existing network sessions), and runs the service with "-o stress=yes" on
      >> the server process command line:
      >>
      >> Just see "all server ports are busy": what means the "ports"? Because I
      >> experieced the stress=yes at smtpd processes, when just 121 smtpd processes
      >> were running that time.
      >>
      >
      > So if you have the default max of 100 smtp port 25 service process Postfix
      > will restart the port 25 service with stress=yes to kick in more aggressive
      > timeouts to faster free up processes. This has nothing todo with the service
      > for port 587.

      There is still one thing, that I don't understand: when exactly the
      postfix says that he is not stressed and restarts the processes with
      stress=no?
      This is not done when less then default_process_limit smtpd processes are
      run, because I experienced on my system (default_process_limit = 200),
      that smtpd with stress=yes were run when there were just 121 smtpd's run
      in total. Strange?

      >>>> If I'm, then I don't understand, why to split
      the processes into
      >>>> submission 587 and normal 25, because if the MUA client send the mail
      >>>> through 25 (hope with postscreen), there is a chance that the 25 is not
      >>>> overloaded (because it uses postscreen) and he will be rather
      >>>> able to send his email compared to 587.
      >>>> Or I don't still understand something ... :-)
      >>>
      >>> No, MUA should use Port 587 and *authentication*. Port 25 is for MTA <--->
      >>> MTA transfer *without* authentication. It does work to use Port 25 with
      >>> MUA but it is not recommended these days. Postscreen is able to prevent
      >>> some spammer connections to actually allocate one of this 200 port 25
      >>> processes so the boundery is higher but still applies.
      >>>
      >>> Andreas
      >>
      >> Yes, I understand this well and know about it and this is what I want. But
      >> don't undrestand howto avoid overloading the server, when spammers will try
      >> to connect and send their mails to the port 587.
      >> If the Postfix's behaviour on port 587 is the same as with 25, it seems to
      >> me to be better to let the MUAs to send their mail to 25. In the postscreen
      >> the mynetworks are automatically whitelisted and on 25 they have better
      >> chance to send their mails, because 25 should not be overloaded because of
      >> postscreen used.
      >>
      >> Using firewall on 587 is useless, because our clients travel with their
      >> computers even around Europe and want to send their mails.
      >
      > There is no benefit for spammers to direct to Port 587 if you only allow
      > authenticated mail submission at that port as you should and there is no
      > widely used "here is my submission port" announcement as it is with port 25
      > per MX records in DNS. Port 587 has independant settings and limits and is
      > *not* tied to port 25 settings. It is possible that port 587 resources are
      > also tied up because of dictionary attack or DoS but this can be tackled by
      > limiting connections per client and maybe rate limiting by firewall rules.

      The fact, that 587 is not "published" is not enough, I will try to do
      more, because I must ensure, that the MUA will be always able to send his
      email. Otherwise he calls to our call center and bothers the people
      and then they are bothering me... ;-)

      > You should not use Postscreen for MUA (client submission) because by design
      > Postscreen might refuse a connection with temporary error code which is not
      > liked by MUAs.

      This is what appears these days to me: the MUA client is refused with
      421 - too many errors (I think, I don't remember well), because Postfix
      has no free smtpd process for him - the server is flood by spammers.

      But Postscreen should whitelist mynetworks by default right? So just the
      4xx temporary error could appear to the out of mynetworks client.

      Tomas
    • /dev/rob0
      ... Or better yet: replace it with postscreen. ... To clarify, I meant that if those Outlook Expresses are not yet compromised by malware, they will be, soon.
      Message 54 of 54 , Dec 4, 2012
      • 0 Attachment
        On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
        > On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
        > > I would still also set up port 587 on the mail.example.com
        > > IP as submission as well and try to encourage your users (at
        > > least the ones you can) to use port 587 from now on.
        >
        > What I would do, on Linux with IPv4 only, is create the submission
        > port and use an iptables redirect for the alternate IP address:
        >
        > # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
        > mail.example.com -j REDIRECT --to-port submission
        >
        > This saves the overhead (system and administrative) of running
        > another smtpd on [mail.example.com]:25; he can leave his "smtp ...
        > smtpd" service alone in master.cf.

        Or better yet: replace it with postscreen.

        > I should also add as a reply to Stan in the other subthread: look
        > above at the first quoted paragraph: "Outlook Expresses setup with
        > ... default configuration."
        >
        > Yikes, bad news, very bad. If not doing content filtering nor
        > policy limitation of submission now, he will be soon. And possibly
        > losing his job in any case. Tomas is not in a good place right now.

        To clarify, I meant that if those Outlook Expresses are not yet
        compromised by malware, they will be, soon.
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
      Your message has been successfully submitted and would be delivered to recipients shortly.