Zitat von Tomas Macek <ma...@fortech.cz>:
On Fri, 30 Nov 2012, lst_ho...@kwsoft.de wrote:Zitat von Tomas Macek <ma...@fortech.cz>:On Fri, 30 Nov 2012, lst_ho...@kwsoft.de wrote:Zitat von Tomas Macek <ma...@fortech.cz>:On Fri, 30 Nov 2012, lst_ho...@kwsoft.de wrote:Zitat von Tomas Macek <ma...@fortech.cz>:I don't understand now, how Postfix behaves when listenting on submission port 587. Our mailserver is sometimes overloaded on port 25, so we want to use postscreen. But I don't understand, how Postfix works when it's stressed on port 587, when spammers connect to that opened port and want send their "emails". In document http://www.postfix.org/STRESS_README.html there is:NOTE: To avoid "overload" delays for end-user mail clients, enable the "submission" service entry in master.cf (present since Postfix 2.1), and tell users to connect to this instead of the public SMTP service.Should this mean, that Postfix by default does not use counters like smtpd_hard_error_limit, smtpd_junk_command_limit and maybe others on sumission port? On this port I would prefer using some kind of smtp auth and this port should be world accessible to allow the clients using other networks to authenticate and send emails.Port 587 is by default nothing special for Postfix because it is mostly a clone of the Port 25 service. The *intended* difference is that Port 587 should only accept mail by authenticated users, so no chance for spammers if they don't own valid credentials. To actually see the difference between Port 25 and Port 587 settings you have to compare the entries in master.cf.Regards AndreasOK, so there is a chance for spammers to overload the server using submission port 587 (the server says then "service "smtp" (25) has reached its process limit "200"") by exhausting number of available ports and the MUA clients then can have also problems to send theiremails? I'm I right?The number of available ports is a OS thing, Postfix can be configured in master.cf the not allow more than maxproc-column service processes *per service*. So if you have 200 maxproc for Port 25 and another 200 for Port 587 your OS must be able to handle at least 400 connections (open ports, fds etc.). If 200 are reached at Port 25 Postfix will still accept up until 200 connections on Port 587, but refuses any further connections on Port 25.According to the doc:It works as follows. When a "public" network service such as the SMTP server runs into an "all server ports are busy" condition, the Postfix master(8) daemon logs a warning, restarts the service (without interrupting existing network sessions), and runs the service with "-o stress=yes" on the server process command line:Just see "all server ports are busy": what means the "ports"? Because I experieced the stress=yes at smtpd processes, when just 121 smtpd processes were running that time.So if you have the default max of 100 smtp port 25 service process Postfix will restart the port 25 service with stress=yes to kick in more aggressive timeouts to faster free up processes. This has nothing todo with the service for port 587.There is still one thing, that I don't understand: when exactly the postfix says that he is not stressed and restarts the processes with stress=no? This is not done when less then default_process_limit smtpd processes are run, because I experienced on my system (default_process_limit = 200), that smtpd with stress=yes were run when there were just 121 smtpd's run in total. Strange?
http://www.postfix.org/STRESS_README.html
If I'm, then I don't understand, why to splitthe processes intosubmission 587 and normal 25, because if the MUA client send the mailthrough 25 (hope with postscreen), there is a chance that the 25 is not overloaded (because it uses postscreen) and he will be ratherable to send his email compared to 587. Or I don't still understand something ... :-)No, MUA should use Port 587 and *authentication*. Port 25 is for MTA <---> MTA transfer *without* authentication. It does work to use Port 25 with MUA but it is not recommended these days. Postscreen is able to prevent some spammer connections to actually allocate one of this 200 port 25 processes so the boundery is higher but still applies.AndreasYes, I understand this well and know about it and this is what I want. But don't undrestand howto avoid overloading the server, when spammers will try to connect and send their mails to the port 587. If the Postfix's behaviour on port 587 is the same as with 25, it seems to me to be better to let the MUAs to send their mail to 25. In the postscreen the mynetworks are automatically whitelisted and on 25 they have better chance to send their mails, because 25 should not be overloaded because of postscreen used.Using firewall on 587 is useless, because our clients travel with their computers even around Europe and want to send their mails.There is no benefit for spammers to direct to Port 587 if you only allow authenticated mail submission at that port as you should and there is no widely used "here is my submission port" announcement as it is with port 25 per MX records in DNS. Port 587 has independant settings and limits and is *not* tied to port 25 settings. It is possible that port 587 resources are also tied up because of dictionary attack or DoS but this can be tackled by limiting connections per client and maybe rate limiting by firewall rules.The fact, that 587 is not "published" is not enough, I will try to do more, because I must ensure, that the MUA will be always able to send his email. Otherwise he calls to our call center and bothers the people and then they are bothering me... ;-)
Key point is that Port 587 is not *useful* for spammers, so if you have trouble with Port 587 overload there is someone doing something evil or you have not adjusted your limits to the number of clients to support. The solutions for this kind of problems totaly differ from what Postscreen is designed to do.
You should not use Postscreen for MUA (client submission) because by design Postscreen might refuse a connection with temporary error code which is not liked by MUAs.This is what appears these days to me: the MUA client is refused with 421 - too many errors (I think, I don't remember well), because Postfix has no free smtpd process for him - the server is flood by spammers.But Postscreen should whitelist mynetworks by default right? So just the 4xx temporary error could appear to the out of mynetworks client.
If you have traveling MUAs, mynetworks is of no help at all. The error "421 - too many errors" means the client has done too many (SMTP) errors, this might well be a Postscreen side effect.
Regards Andreas
smime.p7s
Description: S/MIME Cryptographic Signature
