Thanks I'll try to figure it out,
In case you have more time to help,

No chroot

[root@mail4 log]# head -n12 /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd

I didn't pick an hour, that's all that was in the file before log rotation of the maillog file.
I'm confused what I said that led you to think this? Perhaps most of the 166 arrived during the first few minutes???

The user is simply connecting and disconnecting repeatedly. I think the question is why?
I want to make sure Postfix is in no way involved with why the client is connecting and disconnecting constantly.

I appreciate your patience.

[root@mail4 log]# cat maillog-20180829 |grep 137.99.149.148 |grep -v disconnect |grep -v submission|grep connect
Aug 28 09:22:43 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:06 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:12 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:17 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:28 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:39 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:24:02 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:24:43 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:24:55 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:25:06 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:25:29 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:25:51 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:26:02 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:26:38 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:27:10 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:31:37 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:31:54 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:32:16 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:32:31 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:32:42 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:32:53 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:33:06 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:33:21 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:33:43 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:33:58 mail4 postfix/smtpd[16828]: connect from unknown[137.99.149.148]
Aug 28 09:34:24 mail4 postfix/smtpd[17119]: connect from unknown[137.99.149.148]
Aug 28 09:34:35 mail4 postfix/smtpd[17119]: connect from unknown[137.99.149.148]
Aug 28 09:34:56 mail4 postfix/smtpd[17172]: connect from unknown[137.99.149.148]
Aug 28 09:35:02 mail4 postfix/smtpd[17191]: connect from unknown[137.99.149.148]
Aug 28 09:35:25 mail4 postfix/smtpd[17218]: connect from unknown[137.99.149.148]
Aug 28 09:35:42 mail4 postfix/smtpd[17218]: connect from unknown[137.99.149.148]
Aug 28 09:35:53 mail4 postfix/smtpd[17218]: connect from unknown[137.99.149.148]
Aug 28 09:36:05 mail4 postfix/smtpd[17218]: connect from unknown[137.99.149.148]
Aug 28 09:36:21 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:37:01 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:37:36 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:37:47 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:38:15 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:38:42 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:38:52 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:39:03 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:39:43 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:39:59 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:40:03 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:40:09 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:40:15 mail4 postfix/smtpd[17564]: connect from unknown[137.99.149.148]
Aug 28 09:40:36 mail4 postfix/smtpd[17564]: connect from unknown[137.99.149.148]
Aug 28 09:40:55 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:41:06 mail4 postfix/smtpd[17564]: connect from unknown[137.99.149.148]
Aug 28 09:41:22 mail4 postfix/smtpd[17275]: connect from unknown[137.99.149.148]
Aug 28 09:41:50 mail4 postfix/smtpd[17645]: connect from unknown[137.99.149.148]
Aug 28 09:42:00 mail4 postfix/smtpd[17659]: connect from unknown[137.99.149.148]
Aug 28 09:42:40 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:43:10 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:43:27 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:43:45 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:44:01 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:44:43 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:45:07 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:45:39 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:45:54 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:46:04 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:46:20 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:46:38 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:47:11 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:47:28 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:47:45 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:47:57 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:48:37 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:49:06 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:49:18 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:49:30 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:49:46 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:50:13 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:50:27 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:50:59 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:51:14 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:51:26 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:51:41 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:51:59 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:52:24 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:52:36 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:52:53 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:53:04 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:53:15 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:53:32 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:53:50 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:54:02 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:54:21 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:54:39 mail4 postfix/smtpd[17743]: connect from unknown[137.99.149.148]
Aug 28 09:54:44 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:59:42 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 09:59:57 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:00:03 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:00:14 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:00:30 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:00:51 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:01:07 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:01:43 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:02:29 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:02:55 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:03:29 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:03:40 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:03:51 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:04:10 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:04:27 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:04:43 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:05:04 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:05:19 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:05:41 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:05:53 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:06:04 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:06:22 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:06:32 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:06:50 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:06:57 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:07:08 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:07:29 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:07:56 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:08:13 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:09:39 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:10:07 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:10:32 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:10:47 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:10:59 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:11:12 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:11:33 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:11:48 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:12:06 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:13:03 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:13:08 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:13:29 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:13:41 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:13:56 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:14:02 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:14:17 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:14:23 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:14:33 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:14:51 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:15:23 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:15:44 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:15:59 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:16:10 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:16:37 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:16:59 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:17:17 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:17:44 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:18:06 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:18:17 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:18:38 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:19:15 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:19:35 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:19:46 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:19:56 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:20:13 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:20:26 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:20:41 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:20:58 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:21:14 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:21:25 mail4 postfix/smtpd[17739]: connect from unknown[137.99.149.148]
Aug 28 10:21:36 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:21:45 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:22:11 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]
Aug 28 10:22:20 mail4 postfix/smtpd[19099]: connect from unknown[137.99.149.148]

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Viktor Dukhovni
Sent: Wednesday, August 29, 2018 1:00 PM
To: Postfix users <postfix-users@postfix.org>
Subject: Re: Want to be sure i am not throttling user.

> On Aug 29, 2018, at 12:19 PM, Fazzina, Angelo <angelo.fazz...@uconn.edu>
> wrote:
>
> In answer to: "I get a quick NXDOMAIN. Is that also true for your mail
> server?"
> Yes I get the same results when I do a "dig -x 137.99.149.148" or
> "nslookup 137.99.149.148"

Are you doing the test on the MTA, or a nearby machine? As "root", or as the "postfix" user? Is the Postfix smtpd(8) service the user is connecting to chrooted? Look carefully at the relevant master.cf entries. If chrooted, check for a working etc/resolv.conf in the chroot jail (queue_directory).

> My response to the user has always been it is the client that is sending
> slow, I am just learning how to prove it with my logs.
> I also noticed the repeated new connections, but always blamed the client for
> doing that and not holding onto the connection, and send multiple emails.

Though a new connection for each message is less efficient, it should not be prohibitively so, the user should still be able to send O(10) messages per second. Not O(10s) per message.

> I take this literally "disconnect from unknown[137.99.149.148]" and not that
> Postfix disconnected from the client, but the client disconnected from
> Postfix server.

Yes, the client sends "QUIT" and disconnects.

> In answer to: "How many messages were sent by that user during a sustained
> transmission window."
> "What was the arrival rate? Did it change over that window?"
>
> My claim that I am trying to prove is there is no "sustained
> transmission window" hence the constant connect and disconnect seen in the
> logs.

A sustained transmission window is a period of time during which the client is actively sending a batch of mail.

> This is what I saw in the logs,
> start = 2018-08-28-09:22:43
> 166 emails sent on mail4
> end = 2018-08-28-10:22:20

166 messages per hour is rather slow. Was this a sustained batch, or did you arbitrarily choose an hour? Perhaps most of the 166 arrived during the first few minutes???

You need to aggregate the deliveries by the arrival minute and look at a histogram of messages per minute. This is a data analysis problem, you should be able to figure it out, by rolling up your sleeves and looking carefully at the data.

You may also need PCAP files for the next file this user sends a batch of mail, so you can see what happens after TCP connection setup.

--
Viktor.
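
Added example (not part of the thread and not Postfix's own tooling): one way to do the per-minute roll-up suggested above, counting non-submission smtpd "connect from" events for one client and listing idle gaps between consecutive connects. It assumes one message per connection, as described in the thread, and timestamps within a single day; the function names, the sample log lines, the host name mx1 and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample lines are constructed; 192.0.2.10 is a documentation
# address standing in for the client under investigation.
sample_log() {
cat <<'EOF'
Aug 28 09:22:43 mx1 postfix/smtpd[100]: connect from unknown[192.0.2.10]
Aug 28 09:22:44 mx1 postfix/smtpd[100]: disconnect from unknown[192.0.2.10]
Aug 28 09:22:58 mx1 postfix/smtpd[100]: connect from unknown[192.0.2.10]
Aug 28 09:23:06 mx1 postfix/submission/smtpd[101]: connect from unknown[192.0.2.10]
Aug 28 09:23:12 mx1 postfix/smtpd[100]: connect from unknown[192.0.2.10]
Aug 28 09:23:20 mx1 postfix/smtpd[102]: connect from unknown[192.0.2.99]
Aug 28 09:27:10 mx1 postfix/smtpd[100]: connect from unknown[192.0.2.10]
Aug 28 09:31:37 mx1 postfix/smtpd[103]: connect from unknown[192.0.2.10]
EOF
}

# Print "Mon DD HH:MM count" per minute for non-submission smtpd connects
# from the client IP given as $1 (hypothetical helper name).
per_minute_hist() {
    awk -v ip="$1" '
        $5 ~ /^postfix\/smtpd\[/ && $6 == "connect" && index($8, "[" ip "]") {
            minute = $1 " " $2 " " substr($3, 1, 5)
            if (!(minute in n)) order[++k] = minute   # keep arrival order
            n[minute]++
        }
        END { for (i = 1; i <= k; i++) printf "%s %d\n", order[i], n[order[i]] }'
}

# Print gaps longer than $2 seconds between consecutive connects from IP $1
# (assumes all timestamps fall on the same day; hypothetical helper name).
idle_gaps() {
    awk -v ip="$1" -v limit="$2" '
        $5 ~ /^postfix\/smtpd\[/ && $6 == "connect" && index($8, "[" ip "]") {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            if (seen && now - prev > limit)
                printf "%s -> %s %ds\n", prevts, $3, now - prev
            prev = now; prevts = $3; seen = 1
        }'
}

# Usage on a real file: per_minute_hist <client-ip> < maillog
sample_log | per_minute_hist 192.0.2.10
sample_log | idle_gaps 192.0.2.10 120
```

Minutes with no connections do not appear in the histogram, so pauses in the client's sending show up in the gap listing rather than as zero rows.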