Ok - but after all the investigation etc, this is actually the trigger which caught my eye in the first place
How this comes about is: 1. User say hey I can't send 2. I look and see this high CPU load and intermittent failures for client to send Any thoughts on where to start looking .. [image: image.png] my smtp/smtps are currently *10*/11 connections ==> /var/log/qmail/smtp/current <== 2020-04-20 05:07:50.207299500 tcpserver: end 29699 status 0 2020-04-20 05:07:50.207300500 tcpserver: status: 0/60 ==> /var/log/qmail/smtps/current <== 2020-04-20 05:07:54.903665500 tcpserver: status: 9/60 2020-04-20 05:07:54.936654500 tcpserver: pid 29725 from 185.50.149.5 2020-04-20 05:07:54.936655500 tcpserver: ok 29725 dev.brayworth.com:172.105.181.18:465 :185.50.149.5::5622 2020-04-20 05:08:00.108657500 tcpserver: status: 10/60 2020-04-20 05:08:00.152909500 tcpserver: pid 29734 from 185.50.149.5 2020-04-20 05:08:00.152910500 tcpserver: ok 29734 dev.brayworth.com:172.105.181.18:465 :185.50.149.5::62006 2020-04-20 05:08:05.172650500 tcpserver: status: *11*/60 2020-04-20 05:08:05.208983500 tcpserver: pid 29740 from 185.50.149.5 2020-04-20 05:08:05.208984500 tcpserver: ok 29740 dev.brayworth.com:172.105.181.18:465 :185.50.149.5::19686 2020-04-20 05:08:13.601336500 tcpserver: end 29690 status 256 2020-04-20 05:08:13.601337500 tcpserver: status: 10/60 David Bray 0418 745334 2 ∞ & < On Sun, 19 Apr 2020 at 10:04, David Bray <da...@brayworth.com.au> wrote: > Thanks Eric > > It's hard to track things but I think I have had success monitoring the > /var/log/maillog > > I'm not sure why I didn't pick this up earlier, I'm already using the > fail2ban suggestion of the older qmailtoaster wiki ( > http://wiki.qmailtoaster.com/index.php/Fail2Ban), actually had a rule to > process it and have expanded on this now > > I've been running email servers most of my working life and still get > tripped up by simple stuff > > Thank for your efforts in this area, it helps to talk things out > > cheers > > David Bray > 0418 745334 > 2 ∞ & < > > > On Sun, 19 Apr 2020 at 01:12, Eric Broch <ebr...@whitehorsetc.com> wrote: > >> It looks like a connect and disconnect. If there was authentication you'd >> see it. I don't think you have anything to worry about here. I'm not saying >> there's not some jerk out there messing with your smtps...just saying it >> may be harmless. That said, do you have a good firewall in place that >> prevents DOS attacks. I use Sonicwall myself but you can do the same thing >> as others have shown with iptables. >> >> Does anyone know how to do the same with the stock firewalld on COS7/8? >> On 4/17/2020 11:49 PM, David Bray wrote: >> >> sure - thanks for replying, this comes in waves taking the server to it's >> maximum at times >> >> as far as I can see this only logs are this: >> >> ==> /var/log/qmail/smtps/current <== >> 2020-04-18 05:04:48.450871500 tcpserver: status: 6/60 >> 2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30 >> 2020-04-18 05:04:48.480787500 tcpserver: ok 13339 >> dev.brayworth.com:172.105.181.18:465 >> :141.98.80.30::25638 >> 2020-04-18 05:04:52.797644500 tcpserver: status: 7/60 >> 2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30 >> 2020-04-18 05:04:52.830768500 tcpserver: ok 13340 >> dev.brayworth.com:172.105.181.18:465 >> :141.98.80.30::14862 >> 2020-04-18 05:04:57.248902500 tcpserver: status: 8/60 >> 2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30 >> 2020-04-18 05:04:57.304006500 tcpserver: ok 13342 >> dev.brayworth.com:172.105.181.18:465 >> :141.98.80.30::9646 >> 2020-04-18 05:05:01.854790500 tcpserver: status: 9/60 >> 2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30 >> 2020-04-18 05:05:01.902266500 tcpserver: ok 13345 >> dev.brayworth.com:172.105.181.18:465 >> :141.98.80.30::54058 >> 2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256 >> 2020-04-18 05:05:09.729713500 tcpserver: status: 8/60 >> 2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256 >> 2020-04-18 05:06:05.965716500 tcpserver: status: 7/60 >> 2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256 >> 2020-04-18 05:06:06.141273500 tcpserver: status: 6/60 >> >> David Bray >> 0418 745334 >> 2 ∞ & < >> >> >> On Sat, 18 Apr 2020 at 15:41, Eric Broch <ebr...@whitehorsetc.com> wrote: >> >>> Can you send the log of one of the "bad" connections? >>> >>> On 4/17/2020 10:59 PM, David Bray wrote: >>> >>> I can see I'm getting hammered on my smtps port >>> >>> How can I mitigate this? >>> >>> I can see the IP's in /var/log/qmail/smtps/current >>> >>> *but where do I actually see that the smtp auth actually fails ?* >>> >>> or do I need to increase the logging somewhere ? >>> >>> if I tail -f /var/log/dovecot.log >>> >>> I can see the imap and pop failures >>> >>> thanks in advance >>> >>> David Bray >>> 0418 745334 >>> 2 ∞ & < >>> >>>