hi jon

Jonathan Pierce wrote:
> I'm not certain, but I believe one of my endian firewall boxes has fallen
> victim to a SMTP denial of service attack. This box normally gets like
[..]
> Does anybody have any suggestions? Will all those messages eventually
> time-out, and if so how long? Do you believe this was some sort of Denial
> of Service Attack?

very interesting problem. since we never had the chance to see such a threat it is refreshing to see that it does not really affect the rest of the firewall's features.

i believe you had an excessive dictionary attack, but to say exactly what happened i would need more information. however, a huge dictionary attack may produce these problems, since on the firewall there is no possibility to know whether a recipient email address is real or not; it must accept any email and forward it to the internal mail server, which is the only one that can bounce the mail if the recipient does not exist.

we thought about a solution by doing an ldap lookup for every recipient, but it slows down the entire mail proxy, and hence you certainly need the ldap server. on the other hand, configuring each existing recipient address will lead you into an administration nightmare, since you need to configure everything twice.

in order to solve your problem, you may read this postfix readme:

http://www.postfix.org/QSHAPE_README.html

this explains pretty well what happens on the mail queues, how to check if a queue is "full", and which sender domains cause the problem.

in short, log in and use the qshape tool, this way:

qshape deferred

it should give you a list with destination domains of emails which reside in the deferred queue, sorted by the number of emails for the respective domain.

you may remove all mails from the deferred queue (of a specific recipient address) by using the postsuper command, which is described here:

http://www.postfix.org/postsuper.1.html

there is also an example of how to remove mails of a specific recipient address or delete the entire deferred queue:

postsuper -d ALL deferred

it would help us if you can report how you solved the problem, if you manage to solve it following those documents, so we can more easily imagine which future implementation could be useful in order to easily handle such problems, since i noticed that the flush queue button is insufficient.

> Thanks so much for a great product... I can't believe how well the
> firewall
> held up, I didn't even notice any speed difference for http traffic through
> the box, or accessing the administration pages on the box throughout the
> "attack".
[..]

you're welcome! thank you for the compliments!

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.it :: [EMAIL PROTECTED]
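The reply above points at qshape to see which destination domains fill the deferred queue and at postsuper to remove the offending mail. As an added example that is not part of the thread and is not Endian's or Postfix's own code, the script below does the same kind of triage offline: it parses the listing format that `postqueue -p` (alias `mailq`) prints, counts deferred messages per recipient domain the way `qshape deferred` does, and produces the queue IDs for one domain in the form that `postsuper -d -` reads from standard input. The queue listing, queue IDs, addresses and host names are constructed sample data; a real run would feed it `postqueue -p` output instead.

```python
"""Summarise a Postfix deferred queue by recipient domain.

Added example, not from the original mailing-list thread.  It assumes the
line layout of `postqueue -p`: an entry line with queue ID (an optional
'*' marks the active queue, '!' the hold queue; no marker means deferred),
size, arrival time and sender; an optional "(reason)" line; then one
indented line per recipient; entries separated by a blank line.
"""
import re
from collections import Counter

# Constructed sample output in postqueue -p layout (all values made up).
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5      2134 Tue Mar  6 09:12:01  bounce@attacker.example
(connect to mail.corp.example[10.0.0.5]:25: Connection refused)
                                         aaron@corp.example

B2C3D4E5F6*     1875 Tue Mar  6 09:12:03  newsletter@vendor.example
                                         sales@corp.example

C3D4E5F6A7      2210 Tue Mar  6 09:12:05  bounce@attacker.example
(host mail.corp.example[10.0.0.5] said: 450 4.1.1 <abby@corp.example>: Recipient address rejected (in reply to RCPT TO command))
                                         abby@corp.example

D4E5F6A7B8      3001 Tue Mar  6 09:13:40  alice@corp.example
(connect to mx.partner.example[192.0.2.10]:25: Connection timed out)
                                         bob@partner.example

-- 9 Kbytes in 4 Requests.
"""

ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<status>[*!])?\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d+ \d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)$"
)


def parse_queue(text):
    """Return a list of queue entries parsed from postqueue -p output."""
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current entry
            current = None
            continue
        if line.startswith("-"):        # column header or "-- N Kbytes" footer
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "id": m.group("qid"),
                "status": {"*": "active", "!": "hold"}.get(m.group("status"), "deferred"),
                "size": int(m.group("size")),
                "sender": m.group("sender"),
                "reason": None,
                "recipients": [],
            }
            entries.append(current)
        elif current is None:
            continue                    # stray line outside any entry
        elif line.startswith("("):      # deferral reason, strip outer parens
            current["reason"] = line[1:-1] if line.endswith(")") else line[1:]
        else:
            current["recipients"].append(line.strip())
    return entries


def recipient_domain(address):
    """Domain part of an address, lower-cased for grouping."""
    return address.rpartition("@")[2].lower()


def deferred_by_recipient_domain(entries):
    """Count deferred recipients per domain, like `qshape deferred`."""
    counts = Counter()
    for entry in entries:
        if entry["status"] != "deferred":
            continue
        for rcpt in entry["recipients"]:
            counts[recipient_domain(rcpt)] += 1
    return counts


def deferred_ids_for_domain(entries, domain):
    """Queue IDs of deferred mail with a recipient in `domain`."""
    domain = domain.lower()
    return [entry["id"] for entry in entries
            if entry["status"] == "deferred"
            and any(recipient_domain(r) == domain for r in entry["recipients"])]


if __name__ == "__main__":
    parsed = parse_queue(SAMPLE_QUEUE)
    print("deferred messages by recipient domain:")
    for dom, n in deferred_by_recipient_domain(parsed).most_common():
        print(f"  {n:5d}  {dom}")
    # These IDs are what you would pipe into `postsuper -d -` to delete
    # only the deferred mail for the flooded domain, not the whole queue.
    print("queue IDs deferred for corp.example:")
    print("\n".join(deferred_ids_for_domain(parsed, "corp.example")))
```

The per-domain count reproduces the domain view the reply gets from qshape, and the ID list is the narrower alternative to `postsuper -d ALL deferred`: deleting by queue ID keeps the legitimate deferred mail to other domains (the partner.example message in the sample) in the queue.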
