Peter Warasin wrote:
> hi jon
>
> Jonathan Pierce wrote:
>> I'm not certain, but I believe one of my endian firewall boxes has fallen
>> victim to a SMTP denial of service attack. This box normally gets like
> [..]
>
>> Does anybody have any suggestions? Will all those messages eventually
>> time-out, and if so how long? Do you believe this was some sort of Denial
>> of Service Attack?
>
> very interesting problem. since we never had the chance to see such a
> threat it is refreshing to see that it does not really affect the rest
> of the firewall's features.
>
> i believe you had an excessive dictionary attack, but to say exactly
> what happened i would need more information.
>
> however, a huge dictionary attack may produce these problems, since on
> the firewall there is no possibility to know whether a recipient email
> address is real or not, it must accept any email and forward it to the
> internal mail server, which is the only one who can bounce the mail if the
> recipient does not exist.
> we thought about a solution by doing an ldap lookup for every recipient,
> but it slows down the entire mail proxy and hence you certainly need the
> ldap server. on the other hand, configuring each existing recipient
> address will lead you into an administration nightmare, since you need to
> configure everything twice.

Hi,

    POSTFIX_ADD_SMTPD_RECIPIENT_RESTRICTIONS="reject_unverified_recipient"

at /etc/sysconfig/postfix and

    mydomain.com smtp:[IP of the internal server]

at /etc/postfix/transport should do the job.

bye
Christoph

> in order to solve your problem, you may read this postfix readme:
> http://www.postfix.org/QSHAPE_README.html
>
> this explains pretty well what happens on the mail queues and how to
> check if a queue is "full" and which sender domains cause the problem.
>
> in short, log in and use the qshape tool, this way:
>
> qshape deferred
>
> it should give you a list with destination domains of emails which
> reside in the deferred queue, sorted by the number of emails for the
> respective domain.
>
> you may remove all mails from the deferred queue (of a specific
> recipient address) by using the postsuper command, which is described here:
> http://www.postfix.org/postsuper.1.html
>
> there is also an example how to remove mails of a specific recipient address
>
> or deleting the entire deferred queue:
>
> postsuper -d ALL deferred
>
> it would help us if you can report how you solved the problem, if you
> manage to solve it following those documents.
> so we can more easily imagine which future implementation could be useful in
> order to easily handle such problems, since i noticed that the flush
> queue button is insufficient.
>
>> Thanks so much for a great product... I can't believe how well the
>> firewall held up, I didn't even notice any speed difference for http
>> traffic through the box, or accessing the administration pages on the
>> box throughout the "attack".
> [..]
>
> you're welcome! thank you for the compliments!
>
> peter
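The selective cleanup discussed above (remove only the queued mail addressed to one recipient or domain instead of running postsuper -d ALL deferred), as an added example that is not part of the original thread or of the Endian or Postfix projects. The function names, the sample queue listing and the example domains are constructed for illustration; the input is assumed to be in the usual mailq listing format.

```shell
#!/bin/sh
# Added example (not from the thread): pick queue IDs out of mailq-format
# text on stdin so they can be reviewed before being handed to postsuper.
# ids_for_recipient PATTERN
#   PATTERN is a full address (user@example.com) or a domain (@example.com).
#   Prints the queue ID of every unmarked message whose recipients ALL match,
#   so mail that also goes to other recipients is left alone.
ids_for_recipient() {
    awk -v pat="$1" '
    function matches(addr,    n, p) {
        addr = tolower(addr); n = length(addr); p = length(pat)
        if (substr(pat, 1, 1) == "@")            # domain pattern: suffix match
            return n > p && substr(addr, n - p + 1) == pat
        return addr == pat                       # exact address
    }
    function flush_msg() {
        if (id != "" && nrcpt > 0 && nmatch == nrcpt) print id
        id = ""; nrcpt = 0; nmatch = 0
    }
    BEGIN          { pat = tolower(pat) }
    /^-/           { next }                  # header and summary lines
    /^[ \t]*$/     { flush_msg(); next }     # blank line ends a message
    /^[ \t]*\(/    { next }                  # deferral reason in parentheses
    /^[0-9A-Za-z]/ {                         # first line: ID size date sender
        flush_msg()
        if ($1 ~ /[*!]$/) next               # skip active (*) and held (!) mail
        id = $1; next
    }
    /^[ \t]+/      { if (id != "") { nrcpt++; if (matches($1)) nmatch++ } }
    END            { flush_msg() }
    '
}

# Constructed sample listing (not real queue data).
sample_mailq() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     1234 Mon Jan  1 10:00:00  spam@sender.example
(connect to 192.0.2.10[192.0.2.10]:25: Connection timed out)
                                         aaron@mydomain.example

F6A7B8C9D0     2345 Mon Jan  1 10:00:05  news@list.example
                                         bob@mydomain.example
                                         carol@partner.example

0123456789*    3456 Mon Jan  1 10:00:09  spam@sender.example
                                         abel@mydomain.example

-- 7 Kbytes in 3 Requests.
EOF
}

sample_mailq | ids_for_recipient @mydomain.example
```

On a live system the reviewed list can be fed to postsuper, which reads queue IDs from standard input when given "-": mailq | ids_for_recipient @mydomain.com | postsuper -d - deferred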
