Mailing List Archive: Qmail: users

Providing better service to known hosts



bruno at wolff

May 1, 2008, 8:13 PM

Post #1 of 6 (306 views)
Providing better service to known hosts

I have a problem in that my (hobbyish) server is being overloaded by spam
connections. I can reduce the number of concurrent incoming connections to
keep it from being overwhelmed, but some legitimate messages won't get through
before their hosts give up. If I raised the number of connections then my
mail server accepts messages somewhat faster than it can deliver them and
eventually the queue backs up and I need to turn off incoming connections
for a while to let it catch up.
I have an idea on how I might handle this and wanted to run it by this
group for comments about whether this solution seems like it would help
with the above problem.
Most of the messages I care about come from a relatively few servers.
I was thinking of running two qmail servers, one listening on the external
IP address and the other listening on a loopback address. I was thinking of
using iptables to rewrite the destination address for a list of source
addresses that I wanted to give better service to.
I am running netqmail on a Fedora 9 box that I don't have money to upgrade
at this time.
If I run two qmail servers do I need to worry about them delivering to the
same mailboxes at the same time?
Can they share any part of the /var/qmail tree or should I keep them
totally separate?


hugo.monteiro at fct

May 6, 2008, 2:36 PM

Post #2 of 6 (300 views)
Re: Providing better service to known hosts [In reply to]

Bruno Wolff III wrote:
> I have a problem in that my (hobbyish) server is being overloaded by spam
> connections. I can reduce the number of concurrent incoming connections to
> keep it from being overwhelmed, but some legitimate messages won't get through
> before their hosts give up. If I raised the number of connections then my
> mail server accepts messages somewhat faster than it can deliver them and
> eventually the queue backs up and I need to turn off incoming connections
> for a while to let it catch up.
> I have an idea on how I might handle this and wanted to run it by this
> group for comments about whether this solution seems like it would help
> with the above problem.
> Most of the messages I care about come from a relatively few servers.
> I was thinking of running two qmail servers, one listening on the external
> IP address and the other listening on a loopback address. I was thinking of
> using iptables to rewrite the destination address for a list of source
> addresses that I wanted to give better service to.
> I am running netqmail on a Fedora 9 box that I don't have money to upgrade
> at this time.
> If I run two qmail servers do I need to worry about them delivering to the
> same mailboxes at the same time?
> Can they share any part of the /var/qmail tree or should I keep them
> totally separate?
>
>

You should consider giving your server support for greeting delay and a
light form of greylisting, perhaps greylite.

Regards,

Hugo Monteiro.

--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email : hugo.monteiro[at]fct.unl.pt
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.ci.fct.unl.pt apoio[at]fct.unl.pt

ci.fct.unl.pt:~# _


dibl283 at gmail

May 6, 2008, 2:48 PM

Post #3 of 6 (301 views)
Re: Providing better service to known hosts [In reply to]

Bruno,

> I have a problem in that my (hobbyish) server is being overloaded by spam
> connections.

I added Greet Delay and recipient checking at SMTP time to great
effect on my system. Over 60% of the SMTP connections to my system
were for non-existent users. I now quickly reject those connections
thus freeing up my system for more useful activities. Prior to
implementing recipient checking, I was contributing to the overall
back-scatter problem on the net (my apologies to all).

David Bell
-- Remember, if you are not part of the solution, then you are the precipitate!


kyle-qmail at memoryhole

May 6, 2008, 2:57 PM

Post #4 of 6 (300 views)
Re: Providing better service to known hosts [In reply to]

On Thursday, May 1 at 10:13 PM, quoth Bruno Wolff III:
> If I raised the number of connections then my mail server accepts
> messages somewhat faster than it can deliver them and eventually the
> queue backs up and I need to turn off incoming connections for a
> while to let it catch up.

Out of curiosity, what takes so long to deliver messages?

> Most of the messages I care about come from a relatively few
> servers.

Always a good situation.

> I was thinking of running two qmail servers, one listening on the
> external IP address and the other listening on a loopback address. I
> was thinking of using iptables to rewrite the destination address
> for a list of source addresses that I wanted to give better service
> to.

Seems reasonable. I might put the second qmail server on the external
IP (but on a different port), just so that I'd be reminded that it's
accessible from the outside world, but whatever works for you is fine.

It's worth pointing out that you don't need two qmail installations to
do this; you just need two qmail-smtpd instances with different
tcpserver options.

> If I run two qmail servers do I need to worry about them delivering
> to the same mailboxes at the same time?

Nope. Qmail will lock the mailboxes as appropriate (if necessary;
Maildirs don't require a lock).

> Can they share any part of the /var/qmail tree or should I keep them
> totally separate?

If they share parts of it (e.g. the control directory), I'd do so with
a symlink. Otherwise, you run the risk of them trampling each other
(you don't want multiple qmail-sends pulling out of the same queue,
for example). But, like I said, you can achieve what you want without
a second qmail installation, and if you do so, this is more or less
moot.

~Kyle
--
A woman is like a tea bag. It's only when she's in hot water that you
realize how strong she is.
-- either Eleanor Roosevelt or Carl Sandberg


qmail at hilbig

May 6, 2008, 2:58 PM

Post #5 of 6 (300 views)
RE: Providing better service to known hosts [In reply to]

Obviously you want to allow enough incoming connections so that a remote
server never gives up on trying to deliver mail. So it sounds like the
challenge you face is how to do that without having SPAM flood your queue.

The answer is quite simple: Block SPAM during the SMTP session so that it
never reaches your queue.

Are you using any kind of SPAM detection (such as RBL frontend, SPF
checking, etc.) during the SMTP session? I'm guessing not.

I implemented three easy-to-do things and SPAM hitting my queue
was significantly reduced:
1) SPF patch for qmail-smtpd and set SPFBEHAVIOR=3.
You can find this patch at http://www.saout.de/misc/spf/
2) DJB's RBLSMTPD as a front-end to qmail-smtpd. RBLSMTPD
is part of his UCSPI-TCP package. I check against
'bl.spamcop.net' first and then 'zen.spamhaus.org'
3) Block hosts via tcprules where their DNS name does not
match their reverse DNS name. In order for this to work
you need to specify the '-h' and '-p' (both lower-case)
parameters for tcpserver in your daemontools 'run' script
for qmail-smtpd. Then edit your tcp.smtp rules file so
that the last two lines are:
=:allow
:allow,RBLSMTPD="-Blocked - DNS name mismatch."
Finally, recreate your rules CDB so the changes take effect.
Note that the "-" (hyphen) at the start of the RBLSMTPD value
instructs the rblsmtpd program to generate a permanent error
instead of a temporary error.

Below are my rules and run files. I provide them for example reference
only.


My /etc/tcp.smtp file:

127.:allow,RELAYCLIENT="",RBLSMTPD=""
=:allow
:allow,RBLSMTPD="-Blocked - DNS name mismatch."



My run script:

#!/bin/sh

# run as the qmaill user/group; hostname for the SMTP greeting; connection cap
QMAILDUID=`id -u qmaill`
NOFILESGID=`id -g qmaill`
QMAILHOSTNAME="`cat /var/qmail/control/me`"
MAXSMTPCONN="`cat /var/qmail/control/MAXSMTPCONN`"
# SMTPIPADDR was not set in the script as posted; default to all interfaces (0)
SMTPIPADDR="${SMTPIPADDR:-0}"

# -h -p: look up the remote name and keep it only if forward DNS confirms it,
# so the "=" tcprules entry matches verified hosts; -R: skip ident lookups.
exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -c "$MAXSMTPCONN" -Q -h -p -R -d -l "$QMAILHOSTNAME" \
-x /etc/tcp.smtp.cdb -u "$QMAILDUID" -g "$NOFILESGID" "$SMTPIPADDR" 25 \
/usr/local/bin/rblsmtpd -b -C -t 10 -a list.dnswl.org -r bl.spamcop.net -r zen.spamhaus.org \
/var/qmail/bin/qmail-smtpd 2>&1




-----Original Message-----
From: Bruno Wolff III [mailto:bruno[at]wolff.to]
Sent: Thursday, May 01, 2008 8:14 PM
To: qmail[at]list.cr.yp.to
Subject: Providing better service to known hosts

I have a problem in that my (hobbyish) server is being overloaded by spam
connections. I can reduce the number of concurrent incoming connections to
keep it from being overwhelmed, but some legitimate messages won't get through
before their hosts give up. If I raised the number of connections then my
mail server accepts messages somewhat faster than it can deliver them and
eventually the queue backs up and I need to turn off incoming connections
for a while to let it catch up.
I have an idea on how I might handle this and wanted to run it by this
group for comments about whether this solution seems like it would help
with the above problem.
Most of the messages I care about come from a relatively few servers.
I was thinking of running two qmail servers, one listening on the external
IP address and the other listening on a loopback address. I was thinking of
using iptables to rewrite the destination address for a list of source
addresses that I wanted to give better service to.
I am running netqmail on a Fedora 9 box that I don't have money to upgrade
at this time.
If I run two qmail servers do I need to worry about them delivering to the
same mailboxes at the same time?
Can they share any part of the /var/qmail tree or should I keep them
totally separate?
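To check offline why the "=:allow" line has to come before the catch-all ":allow,RBLSMTPD=..." line, and how a second qmail-smtpd instance with its own tcprules table (as Kyle suggests) could admit only known senders, here is a small Python model of tcpserver's rule lookup order. It is an added example, not code from the thread; it assumes tcpserver runs with -h -p -R, and all addresses and host names in it are constructed.

```python
# Added example (not from the thread): a Python model of the order in which
# tcpserver consults a tcprules table, used to check hilbig's /etc/tcp.smtp and
# an allowlist-only table for the second qmail-smtpd instance Kyle suggests.
# Assumes -h -p -R: `host` is set only when the forward lookup confirmed the
# PTR, and $TCPREMOTEINFO is never set. Addresses are constructed (RFC 5737).
PUBLIC_TCP_SMTP = '''\
127.:allow,RELAYCLIENT="",RBLSMTPD=""
=:allow
:allow,RBLSMTPD="-Blocked - DNS name mismatch."
'''

KNOWN_ONLY_TCP_SMTP = '''\
# hypothetical second-instance table: known senders only, everyone else denied
192.0.2.:allow
=mx.example.org:allow
:deny
'''

def parse_tcprules(text):
    """Map each rule's address pattern to its instruction string."""
    rules = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        pattern, _, instruction = line.partition(":")
        rules[pattern] = instruction
    return rules

def lookup_keys(ip, host):
    """Patterns in the order tcpserver tries them (first hit wins)."""
    keys = [ip]
    if host:
        keys.append("=" + host)
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):       # shorter prefixes ending in "."
        keys.append(".".join(octets[:n]) + ".")
    if host:
        labels = host.split(".")
        for n in range(1, len(labels)):           # shorter suffixes starting with "."
            keys.append("=." + ".".join(labels[n:]))
        keys.append("=")                          # any host with a verified name
    keys.append("")                               # everyone else
    return keys

def decide(rules, ip, host=None):
    """Return (matched pattern, instruction); with no matching rule tcpserver allows."""
    for key in lookup_keys(ip, host):
        if key in rules:
            return key, rules[key]
    return None, "allow"
```

A host whose name survived the paranoid check hits "=" before the empty pattern and is never handed to rblsmtpd with the "-Blocked" message, while an unverified host falls through to it; in the allowlist table the same unverified host is denied outright.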


bruno at wolff

May 7, 2008, 7:59 AM

Post #6 of 6 (294 views)
Re: Providing better service to known hosts [In reply to]

On Tue, May 06, 2008 at 16:57:06 -0500,
Kyle Wheeler <kyle-qmail[at]memoryhole.net> wrote:
> On Thursday, May 1 at 10:13 PM, quoth Bruno Wolff III:
>> If I raised the number of connections then my mail server accepts messages
>> somewhat faster than it can deliver them and eventually the queue backs up
>> and I need to turn off incoming connections for a while to let it catch
>> up.
>
> Out of curiosity, what takes so long to deliver messages?

Because I am blacklisting servers that appear to be just guessing at
addresses, and that probably takes longer than a normal delivery would.

>> I was thinking of running two qmail servers, one listening on the external
>> IP address and the other listening on a loopback address. I was thinking
>> of using iptables to rewrite the destination address for a list of source
>> addresses that I wanted to give better service to.
>
> Seems reasonable. I might put the second qmail server on the external IP
> (but on a different port), just so that I'd be reminded that it's
> accessible from the outside world, but whatever works for you is fine.

At first I thought that might be a problem, but actually the majority of
spammers aren't going to bother looking for alternate ports, so it shouldn't
be a problem. And since my first try at using NAT to change the destination
address didn't work, this is likely to be easier to implement.

> It's worth pointing out that you don't need two qmail installations to do
> this; you just need two qmail-smtpd instances with different tcpserver
> options.

Thanks. I had been coming to that conclusion when I was looking at how
qmail-smtpd was setup.
