I will give more suggestions in the morning time for bed. 

> Il giorno 19 apr 2020, alle ore 23:13, David Bray <da...@brayworth.com.au> ha 
> scritto:
> 
> 
> Hey thanks Remo
> smtps is an inbound port, they are contacting me - this IP is in Russia 
> somewhere - so do I want to engage (perhaps, probably not but ..)
> 
> I could of course block that IP - but that doesn't help, I'd have to block 
> endless IPs
> 
> I'd like to know what's taking the CPU load, in theory they should be 
> connecting, supplying a password (perhaps) and sending data
> but, there are sometimes bad passwords (2 for the 20th recorded in maillog)
> 
> So..
> What are they doing the other times and why is it taking so much CPU - if it 
> is just a port knock, why the CPU
> 
> I need to be able to say, they are bad because ... what is the because ?
> 
> David Bray
> 0418 745334
> 2 ∞ & <
> 
> 
>> On Mon, 20 Apr 2020 at 15:32, Remo Mattei <r...@mattei.org> wrote:
>> Hi,
>> Can you reach the server?  It maybe blocking you. So what does your queue 
>> looks like?
>> 
>> Here is mine for example:
>> 
>> # qmHandle -L
>> Messages in local queue: 0
>> Messages in remote queue: 0
>> 
>> My other server 
>> 
>> # qmHandle -L
>> 10355792 (19, L)
>>   Return-path: r...@qmailxxxxx.com
>>   From: Anacron <r...@qmailxxxx.com>
>>   To: r...@qmailxxxxx.com
>>   Subject: Anacron job 'cron.daily' on qmailxxxxx.com
>>   Date: 19 Apr 2020 10:28:28 -0000
>>   Size: 509 bytes
>> 
>> 10358746 (6, L)
>>   Return-path:
>>   From: mailer-dae...@qmailxxxxxx.com
>>   To: r...@qmailxxxxxxxx.com
>>   Subject: failure notice
>>   Date: 19 Apr 2020 11:30:30 -0000
>>   Size: 1089 bytes
>> 
>> Messages in local queue: 2
>> Messages in remote queue: 0
>> 
>> Just wonder it looks that you are using the SMTPs 465, did you try the 587 
>> Submission that address and see if it goes?
>> Just wonder if this is tight to that service. 
>> 
>> Maybe none of the above but just for troubleshooting steps, I would try 
>> that. 
>> 
>> Remo 
>> 
>> 
>>> On Apr 19, 2020, at 22:11, David Bray <da...@brayworth.com.au> wrote:
>>> 
>>> Ok - but after all the investigation etc, this is actually the trigger 
>>> which caught my eye in the first place
>>> 
>>> How this comes about is:
>>> User say hey I can't send
>>> I look and see this high CPU load and intermittent failures for client to 
>>> send
>>> Any thoughts on where to start looking ..
>>> 
>>> 
>>> <image.png>
>>> 
>>> my smtp/smtps are currently 10/11 connections
>>> 
>>> 
>>> ==> /var/log/qmail/smtp/current <==
>>> 2020-04-20 05:07:50.207299500 tcpserver: end 29699 status 0
>>> 2020-04-20 05:07:50.207300500 tcpserver: status: 0/60
>>> 
>>> ==> /var/log/qmail/smtps/current <==
>>> 2020-04-20 05:07:54.903665500 tcpserver: status: 9/60
>>> 2020-04-20 05:07:54.936654500 tcpserver: pid 29725 from 185.50.149.5
>>> 2020-04-20 05:07:54.936655500 tcpserver: ok 29725 
>>> dev.brayworth.com:172.105.181.18:465 :185.50.149.5::5622
>>> 2020-04-20 05:08:00.108657500 tcpserver: status: 10/60
>>> 2020-04-20 05:08:00.152909500 tcpserver: pid 29734 from 185.50.149.5
>>> 2020-04-20 05:08:00.152910500 tcpserver: ok 29734 
>>> dev.brayworth.com:172.105.181.18:465 :185.50.149.5::62006
>>> 2020-04-20 05:08:05.172650500 tcpserver: status: 11/60
>>> 2020-04-20 05:08:05.208983500 tcpserver: pid 29740 from 185.50.149.5
>>> 2020-04-20 05:08:05.208984500 tcpserver: ok 29740 
>>> dev.brayworth.com:172.105.181.18:465 :185.50.149.5::19686
>>> 2020-04-20 05:08:13.601336500 tcpserver: end 29690 status 256
>>> 2020-04-20 05:08:13.601337500 tcpserver: status: 10/60
>>> 
>>> David Bray
>>> 0418 745334
>>> 2 ∞ & <
>>> 
>>> 
>>>> On Sun, 19 Apr 2020 at 10:04, David Bray <da...@brayworth.com.au> wrote:
>>>> Thanks Eric
>>>> 
>>>> It's hard to track things but I think I have had success monitoring the 
>>>> /var/log/maillog
>>>> 
>>>> I'm not sure why I didn't pick this up earlier, I'm already using the 
>>>> fail2ban suggestion of the older qmailtoaster wiki 
>>>> (http://wiki.qmailtoaster.com/index.php/Fail2Ban), actually had a rule to 
>>>> process it and have expanded on this now
>>>> 
>>>> I've been running email servers most of my working life and still get 
>>>> tripped up by simple stuff
>>>> 
>>>> Thank for your efforts in this area, it helps to talk things out
>>>> 
>>>> cheers
>>>> 
>>>> David Bray
>>>> 0418 745334
>>>> 2 ∞ & <
>>>> 
>>>> 
>>>>> On Sun, 19 Apr 2020 at 01:12, Eric Broch <ebr...@whitehorsetc.com> wrote:
>>>>> It looks like a connect and disconnect. If there was authentication you'd 
>>>>> see it. I don't think you have anything to worry about here. I'm not 
>>>>> saying there's not some jerk out there messing with your smtps...just 
>>>>> saying it may be harmless. That said, do you have a good firewall in 
>>>>> place that prevents DOS attacks. I use Sonicwall myself but you can do 
>>>>> the same thing as others have shown with iptables.
>>>>> 
>>>>> Does anyone know how to do the same with the stock firewalld on COS7/8?
>>>>> 
>>>>> On 4/17/2020 11:49 PM, David Bray wrote:
>>>>>> sure - thanks for replying, this comes in waves taking the server to 
>>>>>> it's maximum at times
>>>>>> 
>>>>>> as far as I can see this only logs are this:
>>>>>> 
>>>>>> ==> /var/log/qmail/smtps/current <==
>>>>>> 2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
>>>>>> 2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
>>>>>> 2020-04-18 05:04:48.480787500 tcpserver: ok 13339 
>>>>>> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::25638
>>>>>> 2020-04-18 05:04:52.797644500 tcpserver: status: 7/60
>>>>>> 2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
>>>>>> 2020-04-18 05:04:52.830768500 tcpserver: ok 13340 
>>>>>> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::14862
>>>>>> 2020-04-18 05:04:57.248902500 tcpserver: status: 8/60
>>>>>> 2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
>>>>>> 2020-04-18 05:04:57.304006500 tcpserver: ok 13342 
>>>>>> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::9646
>>>>>> 2020-04-18 05:05:01.854790500 tcpserver: status: 9/60
>>>>>> 2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
>>>>>> 2020-04-18 05:05:01.902266500 tcpserver: ok 13345 
>>>>>> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::54058
>>>>>> 2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256
>>>>>> 2020-04-18 05:05:09.729713500 tcpserver: status: 8/60
>>>>>> 2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256
>>>>>> 2020-04-18 05:06:05.965716500 tcpserver: status: 7/60
>>>>>> 2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256
>>>>>> 2020-04-18 05:06:06.141273500 tcpserver: status: 6/60
>>>>>> 
>>>>>> David Bray
>>>>>> 0418 745334
>>>>>> 2 ∞ & <
>>>>>> 
>>>>>> 
>>>>>> On Sat, 18 Apr 2020 at 15:41, Eric Broch <ebr...@whitehorsetc.com> wrote:
>>>>>>> Can you send the log of one of the "bad" connections?
>>>>>>> 
>>>>>>>> On 4/17/2020 10:59 PM, David Bray wrote:
>>>>>>>> I can see I'm getting hammered on my smtps port
>>>>>>>> 
>>>>>>>> How can I mitigate this?
>>>>>>>> 
>>>>>>>> I can see the IP's in /var/log/qmail/smtps/current
>>>>>>>> 
>>>>>>>> but where do I actually see that the smtp auth actually fails ?
>>>>>>>> 
>>>>>>>> or do I need to increase the logging somewhere ?
>>>>>>>> 
>>>>>>>> if I tail -f /var/log/dovecot.log
>>>>>>>> 
>>>>>>>> I can see the imap and pop failures
>>>>>>>> 
>>>>>>>> thanks in advance
>>>>>>>> 
>>>>>>>> David Bray
>>>>>>>> 0418 745334
>>>>>>>> 2 ∞ & <
>> 
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Reply via email to