Mailing List Archive: Qmail: users

tcpserver: status: 120/120

Index | Next | Previous | View Threaded

vadud3 at gmail

Feb 2, 2012, 11:56 PM

Post #1 of 5 (754 views)
Permalink

tcpserver: status: 120/120

qmail smtpd was was working fine and most of the time in few years it
was usually 1/120 to 5/120

I am seeing all 120 incoming connections are staying filled up.

any non patch way to limit number of incoming connection per host
making it through port 25?

here is the qmail-showctl http://pastebin.com/mx9skbWk

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

amb-sendok-1330911659.fbmioobiocpoaipnkikb at bradfo

Feb 3, 2012, 5:40 PM

Post #2 of 5 (731 views)
Permalink

Re: tcpserver: status: 120/120 [In reply to]

Thus said Asif Iqbal on Fri, 03 Feb 2012 02:56:56 EST:

> I am seeing all 120 incoming connections are staying filled up.

Why are they staying filled up? There are many reasons why this could be
happening. Is the server under a Denial of Service attack? Or, is it
just a few hosts that seem to be holding the connection open longer than
they should? Use tcpdump (or recordio) to find out what's happening.
It's possible that some spammer just has a broken SMTP client and is not
QUITing in a suitable amount of time.

Before you start applying patches and potential solutions, you need to
identify the actual problem.

Andy

vadud3 at gmail

Feb 3, 2012, 6:44 PM

Post #3 of 5 (737 views)
Permalink

Re: tcpserver: status: 120/120 [In reply to]

On Fri, Feb 3, 2012 at 8:40 PM, Andy Bradford
<amb-sendok-1330911659.fbmioobiocpoaipnkikb [at] bradfords> wrote:
> Thus said Asif Iqbal on Fri, 03 Feb 2012 02:56:56 EST:
>
>> I am seeing all 120 incoming connections are staying filled up.
>
> Why are they staying filled up? There are many reasons why this could be
> happening. Is the server under a Denial of Service attack? Or, is it
> just a few hosts that seem to be holding the connection open longer than
> they should? Use tcpdump (or recordio) to find out what's happening.
> It's possible that some spammer just has a broken SMTP client and is not
> QUITing in a suitable amount of time.
>
> Before you start applying patches and potential solutions, you need to
> identify the actual problem.

I also noticed multiple greylite process was running for long time, like below.

(iqbala)@qmail:~$ ps -eo pid,etime,args | grep g[r]ey
12909 03:34:35 /usr/local/bin/greylite /var/qmail/bin/qmail-smtpd

It should not be running longer than few seconds when system working correctly

So far, only quick fix was rebooting the mailserver.

Here is how the qmail-smtpd starts

(iqbala)@qmail:~$ cat /service/qmail-smtpd/run
#!/bin/sh

QMAILDUID=`/usr/xpg4/bin/id -u qmaild`
NOFILESGID=`/usr/xpg4/bin/id -g qmaild`
MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
export QMAILQUEUE

if [. -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z
"$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi

exec /usr/local/bin/softlimit -m 20000000 \
/usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c
"$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/rblsmtpd -t 10 -r bl.spamcop.net -r zen.spamhaus.org \
/usr/local/bin/greylite /var/qmail/bin/qmail-smtpd 2>&1
# /usr/local/bin/rblsmtpd -t 10 -r rbl.qwestip.net -r
bl.spamcop.net -r zen.spamhaus.org \
#/var/qmail/bin/qmail-smtpd 2>&1
#/usr/local/bin/greylite /var/qmail/bin/qmail-smtpd 2>&1
#/usr/local/bin/fixcrio /var/qmail/bin/qmail-smtpd 2>&1

I will try to kill all the greylite processes instead of rebooting the
server next time
to see if that fixes the 120/120

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Jason_Haar at trimble

Feb 3, 2012, 8:04 PM

Post #4 of 5 (730 views)
Permalink

Re: tcpserver: status: 120/120 [In reply to]

If you a running Linux, "pstree" or "ps -ejH" can show you all the
processes on your system in a tree structure - really useful for showing
where roadblocks are. e.g. if you see 120 greylite processes - that may
imply that's where the problem is.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

scott.brynen at visioncritical

Feb 3, 2012, 9:46 PM

Post #5 of 5 (726 views)
Permalink

RE: tcpserver: status: 120/120 [In reply to]

do a
#netstat -an
and see where all those connections are coming from.

________________________________________
From: Jason Haar [Jason_Haar [at] trimble]
Sent: Friday, February 03, 2012 20:04
To: Qmail List
Subject: Re: tcpserver: status: 120/120

If you a running Linux, "pstree" or "ps -ejH" can show you all the
processes on your system in a tree structure - really useful for showing
where roadblocks are. e.g. if you see 120 greylite processes - that may
imply that's where the problem is.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads