date:20200419

Re: [qmailtoaster] SMTPS Port - Who is Failing ?

2020-04-19 Thread Remo Mattei

Hi,
Can you reach the server?  It maybe blocking you. So what does your queue looks 
like?

Here is mine for example:

# qmHandle -L
Messages in local queue: 0
Messages in remote queue: 0

My other server 

# qmHandle -L
10355792 (19, L)
  Return-path: r...@qmailx.com
  From: Anacron 
  To: r...@qmailx.com
  Subject: Anacron job 'cron.daily' on qmailx.com
  Date: 19 Apr 2020 10:28:28 -
  Size: 509 bytes

10358746 (6, L)
  Return-path:
  From: mailer-dae...@qmailxx.com
  To: r...@qmail.com
  Subject: failure notice
  Date: 19 Apr 2020 11:30:30 -
  Size: 1089 bytes

Messages in local queue: 2
Messages in remote queue: 0

Just wonder it looks that you are using the SMTPs 465, did you try the 587 
Submission that address and see if it goes?
Just wonder if this is tight to that service. 

Maybe none of the above but just for troubleshooting steps, I would try that. 

Remo 


> On Apr 19, 2020, at 22:11, David Bray  wrote:
> 
> Ok - but after all the investigation etc, this is actually the trigger which 
> caught my eye in the first place
> 
> How this comes about is:
> User say hey I can't send
> I look and see this high CPU load and intermittent failures for client to send
> Any thoughts on where to start looking ..
> 
> 
> 
> 
> my smtp/smtps are currently 10/11 connections
> 
> 
> ==> /var/log/qmail/smtp/current <==
> 2020-04-20 05:07:50.207299500 tcpserver: end 29699 status 0
> 2020-04-20 05:07:50.207300500 tcpserver: status: 0/60
> 
> ==> /var/log/qmail/smtps/current <==
> 2020-04-20 05:07:54.903665500 tcpserver: status: 9/60
> 2020-04-20 05:07:54.936654500 tcpserver: pid 29725 from 185.50.149.5
> 2020-04-20 05:07:54.936655500 tcpserver: ok 29725 
> dev.brayworth.com:172.105.181.18:465 :185.50.149.5::5622
> 2020-04-20 05:08:00.108657500 tcpserver: status: 10/60
> 2020-04-20 05:08:00.152909500 tcpserver: pid 29734 from 185.50.149.5
> 2020-04-20 05:08:00.152910500 tcpserver: ok 29734 
> dev.brayworth.com:172.105.181.18:465 :185.50.149.5::62006
> 2020-04-20 05:08:05.172650500 tcpserver: status: 11/60
> 2020-04-20 05:08:05.208983500 tcpserver: pid 29740 from 185.50.149.5
> 2020-04-20 05:08:05.208984500 tcpserver: ok 29740 
> dev.brayworth.com:172.105.181.18:465 :185.50.149.5::19686
> 2020-04-20 05:08:13.601336500 tcpserver: end 29690 status 256
> 2020-04-20 05:08:13.601337500 tcpserver: status: 10/60
> 
> David Bray
> 0418 745334
> 2 ∞ & <
> 
> 
> On Sun, 19 Apr 2020 at 10:04, David Bray  > wrote:
> Thanks Eric
> 
> It's hard to track things but I think I have had success monitoring the 
> /var/log/maillog
> 
> I'm not sure why I didn't pick this up earlier, I'm already using the 
> fail2ban suggestion of the older qmailtoaster wiki 
> (http://wiki.qmailtoaster.com/index.php/Fail2Ban 
> ), actually had a rule to 
> process it and have expanded on this now
> 
> I've been running email servers most of my working life and still get tripped 
> up by simple stuff
> 
> Thank for your efforts in this area, it helps to talk things out
> 
> cheers
> 
> David Bray
> 0418 745334
> 2 ∞ & <
> 
> 
> On Sun, 19 Apr 2020 at 01:12, Eric Broch  > wrote:
> It looks like a connect and disconnect. If there was authentication you'd see 
> it. I don't think you have anything to worry about here. I'm not saying 
> there's not some jerk out there messing with your smtps...just saying it may 
> be harmless. That said, do you have a good firewall in place that prevents 
> DOS attacks. I use Sonicwall myself but you can do the same thing as others 
> have shown with iptables.
> 
> Does anyone know how to do the same with the stock firewalld on COS7/8?
> 
> On 4/17/2020 11:49 PM, David Bray wrote:
>> sure - thanks for replying, this comes in waves taking the server to it's 
>> maximum at times
>> 
>> as far as I can see this only logs are this:
>> 
>> ==> /var/log/qmail/smtps/current <==
>> 2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
>> 2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
>> 2020-04-18 05:04:48.480787500 tcpserver: ok 13339 
>> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::25638
>> 2020-04-18 05:04:52.797644500 tcpserver: status: 7/60
>> 2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
>> 2020-04-18 05:04:52.830768500 tcpserver: ok 13340 
>> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::14862
>> 2020-04-18 05:04:57.248902500 tcpserver: status: 8/60
>> 2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
>> 2020-04-18 05:04:57.304006500 tcpserver: ok 13342 
>> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::9646
>> 2020-04-18 05:05:01.854790500 tcpserver: status: 9/60
>> 2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
>> 2020-04-18 05:05:01.902266500 tcpserver: ok 13345 
>> dev.brayworth.com:172.105.181.18:465 :141.98.80.30::54058
>> 2020-04-18 05:05:09.729711500 tcpserver: end 13338

Re: [qmailtoaster] SMTPS Port - Who is Failing ?

2020-04-19 Thread David Bray

Ok - but after all the investigation etc, this is actually the trigger
which caught my eye in the first place

How this comes about is:

   1. User say hey I can't send
   2. I look and see this high CPU load and intermittent failures for
   client to send

Any thoughts on where to start looking ..


[image: image.png]

my smtp/smtps are currently *10*/11 connections


==> /var/log/qmail/smtp/current <==
2020-04-20 05:07:50.207299500 tcpserver: end 29699 status 0
2020-04-20 05:07:50.207300500 tcpserver: status: 0/60

==> /var/log/qmail/smtps/current <==
2020-04-20 05:07:54.903665500 tcpserver: status: 9/60
2020-04-20 05:07:54.936654500 tcpserver: pid 29725 from 185.50.149.5
2020-04-20 05:07:54.936655500 tcpserver: ok 29725
dev.brayworth.com:172.105.181.18:465
:185.50.149.5::5622
2020-04-20 05:08:00.108657500 tcpserver: status: 10/60
2020-04-20 05:08:00.152909500 tcpserver: pid 29734 from 185.50.149.5
2020-04-20 05:08:00.152910500 tcpserver: ok 29734
dev.brayworth.com:172.105.181.18:465
:185.50.149.5::62006
2020-04-20 05:08:05.172650500 tcpserver: status: *11*/60
2020-04-20 05:08:05.208983500 tcpserver: pid 29740 from 185.50.149.5
2020-04-20 05:08:05.208984500 tcpserver: ok 29740
dev.brayworth.com:172.105.181.18:465
:185.50.149.5::19686
2020-04-20 05:08:13.601336500 tcpserver: end 29690 status 256
2020-04-20 05:08:13.601337500 tcpserver: status: 10/60

David Bray
0418 745334
2 ∞ & <


On Sun, 19 Apr 2020 at 10:04, David Bray  wrote:

> Thanks Eric
>
> It's hard to track things but I think I have had success monitoring the
> /var/log/maillog
>
> I'm not sure why I didn't pick this up earlier, I'm already using the
> fail2ban suggestion of the older qmailtoaster wiki (
> http://wiki.qmailtoaster.com/index.php/Fail2Ban), actually had a rule to
> process it and have expanded on this now
>
> I've been running email servers most of my working life and still get
> tripped up by simple stuff
>
> Thank for your efforts in this area, it helps to talk things out
>
> cheers
>
> David Bray
> 0418 745334
> 2 ∞ & <
>
>
> On Sun, 19 Apr 2020 at 01:12, Eric Broch  wrote:
>
>> It looks like a connect and disconnect. If there was authentication you'd
>> see it. I don't think you have anything to worry about here. I'm not saying
>> there's not some jerk out there messing with your smtps...just saying it
>> may be harmless. That said, do you have a good firewall in place that
>> prevents DOS attacks. I use Sonicwall myself but you can do the same thing
>> as others have shown with iptables.
>>
>> Does anyone know how to do the same with the stock firewalld on COS7/8?
>> On 4/17/2020 11:49 PM, David Bray wrote:
>>
>> sure - thanks for replying, this comes in waves taking the server to it's
>> maximum at times
>>
>> as far as I can see this only logs are this:
>>
>> ==> /var/log/qmail/smtps/current <==
>> 2020-04-18 05:04:48.450871500 tcpserver: status: 6/60
>> 2020-04-18 05:04:48.480785500 tcpserver: pid 13339 from 141.98.80.30
>> 2020-04-18 05:04:48.480787500 tcpserver: ok 13339 
>> dev.brayworth.com:172.105.181.18:465
>> :141.98.80.30::25638
>> 2020-04-18 05:04:52.797644500 tcpserver: status: 7/60
>> 2020-04-18 05:04:52.830767500 tcpserver: pid 13340 from 141.98.80.30
>> 2020-04-18 05:04:52.830768500 tcpserver: ok 13340 
>> dev.brayworth.com:172.105.181.18:465
>> :141.98.80.30::14862
>> 2020-04-18 05:04:57.248902500 tcpserver: status: 8/60
>> 2020-04-18 05:04:57.304003500 tcpserver: pid 13342 from 141.98.80.30
>> 2020-04-18 05:04:57.304006500 tcpserver: ok 13342 
>> dev.brayworth.com:172.105.181.18:465
>> :141.98.80.30::9646
>> 2020-04-18 05:05:01.854790500 tcpserver: status: 9/60
>> 2020-04-18 05:05:01.902265500 tcpserver: pid 13345 from 141.98.80.30
>> 2020-04-18 05:05:01.902266500 tcpserver: ok 13345 
>> dev.brayworth.com:172.105.181.18:465
>> :141.98.80.30::54058
>> 2020-04-18 05:05:09.729711500 tcpserver: end 13338 status 256
>> 2020-04-18 05:05:09.729713500 tcpserver: status: 8/60
>> 2020-04-18 05:06:05.965715500 tcpserver: end 13342 status 256
>> 2020-04-18 05:06:05.965716500 tcpserver: status: 7/60
>> 2020-04-18 05:06:06.141272500 tcpserver: end 13340 status 256
>> 2020-04-18 05:06:06.141273500 tcpserver: status: 6/60
>>
>> David Bray
>> 0418 745334
>> 2 ∞ & <
>>
>>
>> On Sat, 18 Apr 2020 at 15:41, Eric Broch  wrote:
>>
>>> Can you send the log of one of the "bad" connections?
>>>
>>> On 4/17/2020 10:59 PM, David Bray wrote:
>>>
>>> I can see I'm getting hammered on my smtps port
>>>
>>> How can I mitigate this?
>>>
>>> I can see the IP's in /var/log/qmail/smtps/current
>>>
>>> *but where do I actually see that the smtp auth actually fails ?*
>>>
>>> or do I need to increase the logging somewhere ?
>>>
>>> if I tail -f /var/log/dovecot.log
>>>
>>> I can see the imap and pop failures
>>>
>>> thanks in advance
>>>
>>> David Bray
>>> 0418 745334
>>> 2 ∞ & <
>>>
>>>

Re: [qmailtoaster] SMTPS Port - Who is Failing ?

Re: [qmailtoaster] SMTPS Port - Who is Failing ?

2 matches

Site Navigation

Mail list logo

Footer information