On Thu, Dec 09, 2004 at 10:22:24PM -0700, Michael Loftis wrote:
> >if you want to see it, look in http://taz.net.au/postfix/scripts/
> >
> >it's called watch-maillog.pl
>
> One little note about that script, the DROP needs to be changed since
> basically you're DoSing yourself by hanging a bunch of connections
DoS is a huge exaggeration. a few smtpd processes waiting to time out does not constitute a DoS. neither does a few dozen.

> because you suddenly start dropping their inbound packets while still
> 'in-flight' as it were. postfix's default timeouts are about 300s, so
> you'll want to turn those down (300s seems too generous to me for most
> of them anyway)

aside from the DoS exaggeration, that is true, but i don't care....or more accurately, i care more about spammer noise in my logs and the bandwidth that spammers waste. i have more than enough smtpd processes, ram, and cpu power available to cope with a few (or even several dozen) smtpds waiting to time out.

i can also cope with the eventual dropped connection messages in the logs - instead of vaguely annoying me like the spam rejects do, they give me a feeling of satisfaction that i have in some small way slowed down the spamware by silently dropping their packets.

the first workable fix i can think of is to DROP only smtp packets with SYN set, rather than all smtp packets. alternatively, i could extract the PID of the smtpd process and send it a HUP at the same time as i created the iptables rule. if it ever bothered me, i'd do one or the other....but, as i said, it's not something i care much about.

craig

ps: watch-maillog.pl is a toy that i wrote for my own amusement. if you like it, run it or adapt it for your own needs. if you don't, then ignore it. i don't claim that it's good software or even that it's useful. i wrote it more as a proof of concept than anything else.

pps: it also monitors TLS connection failures and adds them to /etc/postfix/tls_per_site (which doesn't seem to be really necessary now, but they were quite common a few years ago, mainly due to a particularly broken version of communigate) and it does basic pop-before-smtp (dovecot only because that's what i run).
these two features are actually useful :)

--
craig sanders <[EMAIL PROTECTED]> (part time cyborg)
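The SYN-only variant of the DROP rule discussed in the message, as an added example that is not watch-maillog.pl or any code from the thread: it pulls client addresses out of constructed Postfix reject lines and prints (rather than applies) an iptables rule that only blocks new connections. The log format, the `--syn` match and the sample addresses are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example, not Craig's script. Build a DROP rule that matches only
# connection-opening packets (SYN set) so smtpd processes already talking
# to the client can finish or time out normally instead of hanging.
# Assumes Postfix-style "reject: RCPT from host[a.b.c.d]" log lines and the
# iptables --syn match. Rules are printed, never executed.

# Constructed sample log lines (not from a real mail server).
SAMPLE_LOG='Dec  9 22:10:01 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked
Dec  9 22:10:05 mx postfix/smtpd[4322]: connect from mail.example.net[198.51.100.7]
Dec  9 22:10:09 mx postfix/smtpd[4323]: NOQUEUE: reject: RCPT from spam.example[203.0.113.42]: 554 5.7.1 Service unavailable'

# Print the client IP of every reject line, one address per line.
reject_ips() {
    printf '%s\n' "$1" | sed -n 's/.*reject: RCPT from [^[]*\[\([0-9.]*\)\].*/\1/p'
}

# The firewall rule for one address. --syn restricts the match to packets
# that open a new connection; a plain "-p tcp --dport 25 -j DROP" would also
# stall the connection that is still open and leave an smtpd waiting out
# its timeout, which is the problem raised in the thread.
syn_drop_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 --syn -j DROP' "$1"
}

# One rule per rejected client found in the log text.
rules_for_log() {
    reject_ips "$1" | while read -r ip; do
        syn_drop_rule "$ip"
        printf '\n'
    done
}

rules_for_log "$SAMPLE_LOG"
```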