Re: avoiding overload on port 587
On Fri, 30 Nov 2012, lst_hoe02@... wrote:
> Quoting Tomas Macek <macek@...>:
>> On Fri, 30 Nov 2012, lst_hoe02@... wrote:
>>> Quoting Tomas Macek <macek@...>:
>>>> On Fri, 30 Nov 2012, lst_hoe02@... wrote:
>>>>> Quoting Tomas Macek <macek@...>:
>>>>>> I don't understand now how Postfix behaves when listening on
>>>>>> submission port 587.
>>>>>> Our mailserver is sometimes overloaded on port 25, so we want to use
>>>>>> postscreen. But I don't understand how Postfix works when it's
>>>>>> stressed on port 587, when spammers connect to that open port and
>>>>>> want to send their "emails". In the document
>>>>>> http://www.postfix.org/STRESS_README.html there is:
>>>>>> NOTE: To avoid "overload" delays for end-user mail clients, enable the
>>>>>> "submission" service entry in master.cf (present since Postfix 2.1),
>>>>>> and tell users to connect to this instead of the public SMTP service.
>>>>>> Should this mean that Postfix by default does not use counters like
>>>>>> smtpd_hard_error_limit, smtpd_junk_command_limit and maybe others on the
>>>>>> submission port? On this port I would prefer using some kind of SMTP
>>>>>> auth, and this port should be world accessible to allow clients
>>>>>> using other networks to authenticate and send emails.
>>>>> Port 587 is by default nothing special for Postfix because it is mostly
>>>>> a clone of the Port 25 service. The *intended* difference is that Port
>>>>> 587 should only accept mail from authenticated users, so no chance for
>>>>> spammers if they don't own valid credentials. To actually see the
>>>>> difference between Port 25 and Port 587 settings you have to compare the
>>>>> entries in master.cf.
>>>> OK, so there is a chance for spammers to overload the server using the
>>>> submission port 587 (the server then says "service "smtp" (25) has
>>>> reached its process limit "200"") by exhausting the number of available
>>>> ports, and the MUA clients can then also have problems sending their
>>>> emails? Am I right?
>>> The number of available ports is an OS thing; Postfix can be configured in
>>> master.cf to not allow more than maxproc-column service processes *per
>>> service*. So if you have 200 maxproc for Port 25 and another 200 for Port
>>> 587 your OS must be able to handle at least 400 connections (open ports,
>>> fds etc.). If 200 are reached at Port 25 Postfix will still accept up
>>> to 200 connections on Port 587, but refuses any further connections on
>>> Port 25.
>> According to the doc:
>> It works as follows. When a "public" network service such as the SMTP
>> server runs into an "all server ports are busy" condition, the Postfix
>> master(8) daemon logs a warning, restarts the service (without interrupting
>> existing network sessions), and runs the service with "-o stress=yes" on
>> the server process command line:
>> Just see "all server ports are busy": what does "ports" mean? Because I
>> experienced the stress=yes at smtpd processes when just 121 smtpd processes
>> were running at that time.
> So if you have the default max of 100 smtp port 25 service processes, Postfix
> will restart the port 25 service with stress=yes to kick in more aggressive
> timeouts to free up processes faster. This has nothing to do with the service
> for port 587.

There is still one thing that I don't understand: when exactly does
Postfix say that it is not stressed and restart the processes with
This is not done when fewer than default_process_limit smtpd processes are
running, because I experienced on my system (default_process_limit = 200)
that smtpd with stress=yes was run when there were just 121 smtpd's running
in total. Strange?

>>>> If I am, then I don't understand why to split the processes into
>>>> submission 587 and normal 25, because if the MUA client sends the mail
>>>> through 25 (hopefully with postscreen), there is a chance that 25 is not
>>>> overloaded (because it uses postscreen) and he will be better
>>>> able to send his email compared to 587.
>>>> Or do I still not understand something ... :-)
>>> No, MUA should use Port 587 and *authentication*. Port 25 is for MTA <--->
>>> MTA transfer *without* authentication. It does work to use Port 25 with
>>> MUA but it is not recommended these days. Postscreen is able to prevent
>>> some spammer connections from actually allocating one of these 200 port 25
>>> processes, so the boundary is higher but still applies.
>> Yes, I understand this well and know about it and this is what I want. But
>> I don't understand how to avoid overloading the server when spammers try
>> to connect and send their mails to port 587.
>> If Postfix's behaviour on port 587 is the same as with 25, it seems to
>> me to be better to let the MUAs send their mail to 25. In postscreen
>> the mynetworks are automatically whitelisted and on 25 they have a better
>> chance to send their mails, because 25 should not be overloaded because
>> postscreen is used.
>> Using a firewall on 587 is useless, because our clients travel with their
>> computers even around Europe and want to send their mails.
> There is no benefit for spammers to direct to Port 587 if you only allow
> authenticated mail submission at that port as you should, and there is no
> widely used "here is my submission port" announcement as there is with port 25
> per MX records in DNS. Port 587 has independent settings and limits and is
> *not* tied to port 25 settings. It is possible that port 587 resources are
> also tied up because of a dictionary attack or DoS, but this can be tackled by
> limiting connections per client and maybe rate limiting by firewall rules.

The fact that 587 is not "published" is not enough, I will try to do
more, because I must ensure that the MUA will always be able to send his
email. Otherwise he calls our call center and bothers the people,
and then they are bothering me... ;-)

> You should not use Postscreen for MUA (client submission) because by design
> Postscreen might refuse a connection with a temporary error code which is not
> liked by MUAs.

This is what appears these days to me: the MUA client is refused with
421 - too many errors (I think, I don't remember well), because Postfix
has no free smtpd process for him - the server is flooded by spammers.
But Postscreen should whitelist mynetworks by default, right? So just the
4xx temporary error could appear to the client outside of mynetworks.
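As an added illustration of the per-service behaviour lst_hoe02 describes (this is not code from the thread's authors), the POSIX shell snippet below tallies the master(8) "has reached its process limit" warnings per service name, port and configured limit, so an administrator reading the mail log can see whether it was the port 25 "smtp" service or the port 587 "submission" service that filled up, and compare each limit with the total smtpd count observed. The log lines are constructed for the example; the warning text follows the wording quoted in the thread, while the syslog prefix and the "new clients may experience noticeable delays" suffix are assumed.

```shell
#!/bin/sh
# Added example: attribute Postfix master(8) process-limit warnings to the
# service that produced them. Log lines are constructed, not from a real host.

LOG_SAMPLE='Dec  4 10:12:01 mx postfix/master[1021]: warning: service "smtp" (25) has reached its process limit "200": new clients may experience noticeable delays
Dec  4 10:12:01 mx postfix/master[1021]: warning: to avoid this condition, increase the process count in master.cf or reduce the service time per client
Dec  4 10:12:05 mx postfix/smtpd[4412]: connect from unknown[192.0.2.10]
Dec  4 10:13:40 mx postfix/master[1021]: warning: service "submission" (587) has reached its process limit "50": new clients may experience noticeable delays
Dec  4 10:15:02 mx postfix/master[1021]: warning: service "smtp" (25) has reached its process limit "200": new clients may experience noticeable delays'

# Reads log text on stdin and prints one line per service that hit its limit:
#   <service> <port> <limit> <number of warnings>
process_limit_hits() {
    awk '
        /postfix\/master\[[0-9]+\]: warning: service "/ && /has reached its process limit/ {
            # service name and port: service "smtp" (25)
            if (match($0, /service "[^"]+" \([0-9]+\)/)) {
                s = substr($0, RSTART, RLENGTH)
                gsub(/service "|"/, "", s)            # smtp (25)
                sub(/ \(/, " ", s); sub(/\)/, "", s)  # smtp 25
                # configured limit: process limit "200"
                if (match($0, /process limit "[0-9]+"/)) {
                    limit[s] = substr($0, RSTART + 15, RLENGTH - 16)
                }
                count[s]++
            }
        }
        END { for (k in count) print k, limit[k], count[k] }
    ' | sort
}

# Run the report over the constructed sample (replace with: process_limit_hits < /var/log/mail.log).
hits_for_sample() {
    printf '%s\n' "$LOG_SAMPLE" | process_limit_hits
}

# Number of warnings for one service name, e.g. hits_for smtp
hits_for() {
    hits_for_sample | awk -v svc="$1" '$1 == svc { print $4 }'
}

# Configured process limit recorded for one service name, e.g. limit_for submission
limit_for() {
    hits_for_sample | awk -v svc="$1" '$1 == svc { print $3 }'
}

hits_for_sample
```

Run against a real log with `process_limit_hits < /var/log/mail.log` (path assumed). A service that never appears in the output never triggered the master(8) warning, which is the condition that starts smtpd with stress=yes for that service only; if "smtp" (25) appears while "submission" (587) does not, the port 25 limit was hit regardless of how many smtpd processes were running in total across both services.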
On Tue, Dec 04, 2012 at 07:46:10AM -0600, /dev/rob0 wrote:
> On Tue, Dec 04, 2012 at 11:59:01PM +1300, Peter wrote:
> > I would still also set up port 587 on the mail.example.com
> > IP as submission as well and try to encourage your users (at
> > least the ones you can) to use port 587 from now on.
> What I would do, on Linux with IPv4 only, is create the submission
> port and use an iptables redirect for the alternate IP address:
> # iptables -vt nat -A PREROUTING -p tcp --dport smtp -d \
> mail.example.com -j REDIRECT --to-port submission
> This saves the overhead (system and administrative) of running
> another smtpd on [mail.example.com]:25; he can leave his "smtp ...
> smtpd" service alone in master.cf.

Or better yet: replace it with postscreen.

> I should also add as a reply to Stan in the other subthread: look
> above at the first quoted paragraph: "Outlook Expresses setup with
> ... default configuration."
> Yikes, bad news, very bad. If not doing content filtering nor
> policy limitation of submission now, he will be soon. And possibly
> losing his job in any case. Tomas is not in a good place right now.

To clarify, I meant that if those Outlook Expresses are not yet
compromised by malware, they will be, soon.
-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: