On Fri, Jun 14, 2013 at 06:00:37PM +0200, Simon B wrote:
> On 14 June 2013 17:44, c cc <[email protected]> wrote:
> >
> > Hi,
> >
> > For the last few days, I noticed that our postfix server had crawled to a halt
> > due to some kind of email attack. As you can see below, there were a lot of
> > smtp connections. I was wondering if there is a way to stop this from
> > Postfix? Thanks!
> >
> > /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
> > tcp 0 0 xx.xx.xx.xx:25 181.66.192.196:11798 ESTABLISHED 17329/smtpd
> > tcp 0 0 xx.xx.xx.xx:25 77.42.140.151:54112 ESTABLISHED -
> > tcp 0 0 xx.xx.xx.xx:25 109.166.128.3:36208 ESTABLISHED -
> > tcp 0 0 xx.xx.xx.xx:25 186.46.0.66:16698 ESTABLISHED
>
> Presumably they are connecting more than once? Fail2ban?

Looks more like a botnet, so the connections may not in fact recur.
I would consider disabling reverse DNS resolution under stress.
Anything that reduces latency in the SMTP server. Also make sure
recipient lookups are fast (SAV and RAV may lead to concurrency
spikes, try to have static sources of recipient information).
Also raise the number of smtpd(8) processes. The postscreen(8)
feature may help, but this is best with Postfix 2.10.0 or so.
--
Viktor.
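
To check from `netstat` output like that quoted above whether clients recur (where per-client blocking such as Fail2ban can help) or are spread over many one-off addresses (the botnet case), count the connections per remote address. This is an added example, not part of the original thread; the sample lines are constructed, and the function names and the `per_client_limit` threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in `netstat -plan` format. Addresses come from the
# RFC 5737 documentation ranges, not from the original post.
SAMPLE = """\
tcp 0 0 192.0.2.10:25 198.51.100.7:11798 ESTABLISHED 17329/smtpd
tcp 0 0 192.0.2.10:25 198.51.100.7:11802 ESTABLISHED 17330/smtpd
tcp 0 0 192.0.2.10:25 198.51.100.7:11810 ESTABLISHED -
tcp 0 0 192.0.2.10:25 203.0.113.5:54112 ESTABLISHED -
tcp 0 0 192.0.2.10:25 203.0.113.77:36208 ESTABLISHED
17331/smtpd
tcp 0 0 192.0.2.10:25 203.0.113.9:16698 TIME_WAIT -
tcp 0 0 192.0.2.10:587 203.0.113.9:40000 ESTABLISHED 17400/smtpd
"""

# proto, recv-q, send-q, local addr:port, remote addr:port, state
LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def smtp_clients(netstat_text, port=25, state="ESTABLISHED"):
    """Count connections per remote address to local `port` in `state`."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # headers, wrapped PID/program lines, non-TCP sockets
        _local, lport, remote, _rport, st = m.groups()
        if int(lport) == port and st == state:
            counts[remote] += 1
    return counts


def summarize(counts, per_client_limit=2):
    """Report how much of the load comes from clients over the limit."""
    total = sum(counts.values())
    over = {ip: n for ip, n in counts.items() if n > per_client_limit}
    share = sum(over.values()) / total if total else 0.0
    return {"connections": total, "clients": len(counts),
            "over_limit": over, "share_over_limit": share}


if __name__ == "__main__":
    print(summarize(smtp_clients(SAMPLE)))
```

A low `share_over_limit` with many distinct clients means per-client limits will remove little of the load.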