[qmailtoaster] Re: Fail2ban and vpopmail
Sergio M wrote:
> [from this other thread http://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg30514.html ]
>
> As I said, being under SMTP attack I installed fail2ban and created a set of rules like:
>
> *** jail.conf ***
> (...)
> [vpopmail]
> enabled = true
> port = pop3
> filter = vpopmail
> action = iptables[name=pop3, port=pop3, protocol=tcp]
> logpath = /var/log/maillog
> maxretry = 3
> bantime = 604800
> findtime = 3600
>
> [vpopmail-fail]
> enabled = true
> filter = vpopmail-fail
> action = iptables[name=SMTP, port=25, protocol=tcp]
> logpath = /var/log/maillog
> maxretry = 2
> bantime = 604800
> findtime = 3600
>
> *** vpopmail-fail.conf ***
> [Definition]
> failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
> ignoreregex =
>
> *** vpopmail.conf ***
> [Definition]
> failregex = vchkpw-pop3: vpopmail user not found .*@:<HOST>
> ignoreregex =
>
> Setup being said, I get lots of hits for the vpopmail-fail jail:
>
> # fail2ban-client status vpopmail-fail
> Status for the jail: vpopmail-fail
> |- filter
> |  |- File list:        /var/log/maillog
> |  |- Currently failed: 7
> |  `- Total failed:     225
> `- action
>    |- Currently banned: 109
>    |  `- IP list:       200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
>    `- Total banned:     109
>
> Not surprisingly, many of them are Brazilian IPs.
>
> However, check this out:
>
> # date
> Wed Mar 2 10:27:09 ART 2011
>
> tail /var/log/qmail/smtp/current -F | tai64nlocal
> 2011-03-02 10:22:49.480688500 tcpserver: end 14729 status 0
> 2011-03-02 10:22:49.480691500 tcpserver: status: 24/25
> 2011-03-02 10:22:49.480714500 tcpserver: status: 25/25
> 2011-03-02 10:22:49.480917500 tcpserver: pid 15808 from 187.4.200.17
> 2011-03-02 10:22:49.481000500 tcpserver: ok 15808 mail.domain.com.ar:11.22.33.44:25 :187.4.200.17::3220
> 2011-03-02 10:26:29.551470500 tcpserver: end 15477 status 0
> 2011-03-02 10:26:29.551473500 tcpserver: status: 24/25
> 2011-03-02 10:26:29.551502500 tcpserver: status: 25/25
> 2011-03-02 10:26:29.551726500 tcpserver: pid 16348 from 186.191.158.84
> 2011-03-02 10:26:29.631488500 tcpserver: ok 16348 mail.domain.com.ar:11.22.33.44:25 :186.191.158.84::59586
>
> Look at the speed of my smtp session log!! Like 2 entries in 4 minutes!
> I tried qmailctl stop/start several times, and no msgs in queue (checked with qmHandle -l)
> Without fail2ban, it kept at 25 of 25 but just keep flowing.
>
> Any ideas? Thanks!
> -Sergio

Forgot to mention that it's creating this in iptables:
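A way to check offline what the two jails in the message above would ban, as an added example that is not part of the original post. It assumes a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag and uses constructed maillog lines; the failregex strings and the maxretry/findtime values are the ones quoted in the message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex and thresholds copied from the jail.conf and filter files quoted above.
JAILS = {
    "vpopmail-fail": {
        "failregex": r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
        "maxretry": 2,
        "findtime": 3600,
    },
    "vpopmail": {
        "failregex": r"vchkpw-pop3: vpopmail user not found .*@:<HOST>",
        "maxretry": 3,
        "findtime": 3600,
    },
}

# Constructed maillog lines (documentation addresses, made-up accounts).
SAMPLE_MAILLOG = """\
Mar  2 10:01:00 mail vpopmail[2001]: vchkpw-smtp: password fail (pass: 'abc123') info@example.com:203.0.113.5
Mar  2 10:01:04 mail vpopmail[2002]: vchkpw-smtp: password fail (pass: 'letmein') info@example.com:203.0.113.5
Mar  2 10:02:00 mail vpopmail[2003]: vchkpw-pop3: vpopmail user not found admin@:192.0.2.9
Mar  2 10:02:30 mail vpopmail[2004]: vchkpw-pop3: vpopmail user not found test@:192.0.2.9
Mar  2 10:05:00 mail vpopmail[2005]: vchkpw-smtp: password fail (pass: 'x') bob@example.com:198.51.100.7
Mar  2 10:20:00 mail vpopmail[2006]: vchkpw-pop3: vpopmail user not found root@:192.0.2.9
Mar  2 10:21:00 mail vpopmail[2007]: vchkpw-smtp: (PLAIN) login success ann@example.com:198.51.100.7
Mar  2 11:30:00 mail vpopmail[2008]: vchkpw-smtp: password fail (pass: 'y') bob@example.com:198.51.100.7
"""


def syslog_time(line, year=2011):
    """Parse the 'Mon DD HH:MM:SS' syslog prefix; syslog omits the year."""
    month, day, clock = line.split(None, 3)[:3]
    return datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")


def simulate(jail_name, log_text):
    """Return {ip: time_of_ban} for one jail over the given log text."""
    jail = JAILS[jail_name]
    pattern = re.compile(jail["failregex"].replace("<HOST>", HOST_RE))
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned = {}
    for line in log_text.splitlines():
        match = pattern.search(line)
        if not match:
            continue
        ip, now = match.group("host"), syslog_time(line)
        if ip in banned:
            continue  # already dropped by the iptables action
        window = recent[ip]
        window.append(now)
        # Forget failures that are older than findtime seconds.
        while (now - window[0]).total_seconds() > jail["findtime"]:
            window.popleft()
        if len(window) >= jail["maxretry"]:
            banned[ip] = now
    return banned


if __name__ == "__main__":
    for name in JAILS:
        for ip, when in simulate(name, SAMPLE_MAILLOG).items():
            print(f"{name}: ban {ip} at {when}")
```

On a live host, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/vpopmail-fail.conf` runs the real filter against the real log and reports how many lines matched.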
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 06:31 AM, Sergio M wrote:
> Look at the speed of my smtp session log!! Like 2 entries in 4 minutes!
> I tried qmailctl stop/start several times, and no msgs in queue (checked with qmHandle -l)
> Without fail2ban, it kept at 25 of 25 but just keep flowing.
>
> Any ideas? Thanks!
> -Sergio

Looks to me like you have some qmail-smtp processes that are hung. I would stop qmail, wait a few seconds for things to terminate on their own, then see what's still running. I'd expect to see some qmail-smtpd processes hanging around.

# pkill qmail-smtpd

should clean them up. Then start qmail back up again.

--
-Eric 'shubes'

-----
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
-----
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert wrote:
> Looks to me like you have some qmail-smtp processes that are hung. I would stop qmail, wait a few seconds for things to terminate on their own, then see what's still running. I'd expect to see some qmail-smtpd processes hanging around.
>
> # pkill qmail-smtpd
>
> should clean them up. Then start qmail back up again.

Hi Eric, I did that several times.

1. qmailctl stop
2. qmailctl stat (nothing running)
3. pkill qmail-smtpd
4. htop (and look for qmail)
4' wait a minute
5. qmailctl start
6.
2011-03-02 13:43:42.362756500 tcpserver: status: 24/25
2011-03-02 13:43:42.362758500 tcpserver: status: 25/25
2011-03-02 13:43:42.362759500 tcpserver: pid 25649 from 200.175.53.14
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 09:44 AM, Sergio M wrote:
> Hi Eric, I did that several times.
>
> 1. qmailctl stop
> 2. qmailctl stat (nothing running)
> 3. pkill qmail-smtpd
> 4. htop (and look for qmail)
> 4' wait a minute
> 5. qmailctl start
> 6.
> 2011-03-02 13:43:42.362756500 tcpserver: status: 24/25
> 2011-03-02 13:43:42.362758500 tcpserver: status: 25/25
> 2011-03-02 13:43:42.362759500 tcpserver: pid 25649 from 200.175.53.14

You should see:

03-02 10:09:37 tcpserver: status: 0/25

right after you start qmail. If it doesn't drop to 0 when you start it, then something's wrong. Please check the status message which corresponds to the start of qmail. If it's not 0/25, please post several lines before and after from your log.

I don't know about using htop to look for qmail processes. Perhaps you've missed something. I would try:

# ps -ef | grep qmail

to see what processes are running that are qmail related, in place of your step 4 above.

--
-Eric 'shubes'
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert wrote:
> You should see:
>
> 03-02 10:09:37 tcpserver: status: 0/25
>
> right after you start qmail. If it doesn't drop to 0 when you start it, then something's wrong. Please check the status message which corresponds to the start of qmail. If it's not 0/25, please post several lines before and after from your log.
>
> I don't know about using htop to look for qmail processes. Perhaps you've missed something. I would try:
>
> # ps -ef | grep qmail
>
> to see what processes are running that are qmail related, in place of your step 4 above.

I'm sorry, it starts at 0/25 and then goes up straight to 25/25.
What's more annoying is that it just stays frozen for several minutes (i.e. from 10:22 to 10:26 in the excerpt that I posted earlier).
Re: [qmailtoaster] Re: Fail2ban and vpopmail
For simple exercise I would run queue repair.

On 03/02/2011 09:22 AM, Sergio M wrote:
> I'm sorry, it starts at 0/25 and then goes up straight to 25/25.
> What's more annoying is that it just stays frozen for several minutes (i.e. from 10:22 to 10:26 in the excerpt that I posted earlier).

--
Cecil Yother, Jr.
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 10:22 AM, Sergio M wrote:
> I'm sorry, it starts at 0/25 and then goes up straight to 25/25.
> What's more annoying is that it just stays frozen for several minutes (i.e. from 10:22 to 10:26 in the excerpt that I posted earlier).

How long does it take to go from 0 to 25? Please post log.

Also, why do you have this set so low? Please post (again) your HW specs. You should be able to open things up a bit.

Also, number of domains and users (# pop, # imap) would help. Using dovecot or courier?

Also, how many spamd children do you have configured?

I know these aren't directly related to your perceived problem, but these things could be influencing your dilemma.

--
-Eric 'shubes'
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Hi Sergio.

Sounds like you're having a script that sends mail! Do you by any chance have a webserver with e-mail forms that can have been compromised?

Regards,
Finn

On 02-03-2011 18:22, Sergio M wrote:
> I'm sorry, it starts at 0/25 and then goes up straight to 25/25.
> What's more annoying is that it just stays frozen for several minutes (i.e. from 10:22 to 10:26 in the excerpt that I posted earlier).
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert wrote:
> How long does it take to go from 0 to 25? Please post log.

[*sergio*]
2011-03-02 15:00:21.889861500 tcpserver: status: 0/25
2011-03-02 15:00:21.936976500 tcpserver: status: 1/25
2011-03-02 15:00:21.937192500 tcpserver: pid 4 from 190.220.98.37
2011-03-02 15:00:21.937296500 tcpserver: ok 4 mail.srv.com:11.22.33.44:25 :190.220.98.37::2111
2011-03-02 15:00:21.939641500 tcpserver: status: 2/25
2011-03-02 15:00:21.939831500 tcpserver: pid 5 from 200.68.95.162
2011-03-02 15:00:21.939903500 tcpserver: ok 5 mail.srv.com:11.22.33.44:25 :200.68.95.162::3643
2011-03-02 15:00:22.333105500 CHKUSER accepted rcpt: from activacio...@annoy.com:activacio...@annoy.com: remote wksact11:unknown:200.68.95.162 rcpt aalle...@annoy.com : found existing recipient
2011-03-02 15:00:22.333137500 policy_check: local activacio...@annoy.com - local aalle...@annoy.com (AUTHENTICATED SENDER)
2011-03-02 15:00:22.333187500 policy_check: policy allows transmission
2011-03-02 15:00:22.364550500 CHKUSER accepted rcpt: from activacio...@annoy.com:activacio...@annoy.com: remote wksact11:unknown:200.68.95.162 rcpt btorrecil...@annoy.com : found existing recipient
2011-03-02 15:00:22.364567500 policy_check: local activacio...@annoy.com - local btorrecil...@annoy.com (AUTHENTICATED SENDER)
2011-03-02 15:00:22.364607500 policy_check: policy allows transmission
2011-03-02 15:00:22.368362500 tcpserver: status: 3/25
2011-03-02 15:00:22.368573500 tcpserver: pid 11125 from 200.68.95.162
2011-03-02 15:00:22.368672500 tcpserver: ok 11125 mail.srv.com:11.22.33.44:25 :200.68.95.162::2918
2011-03-02 15:00:22.520284500 tcpserver: status: 4/25
2011-03-02 15:00:22.520466500 tcpserver: pid 11128 from 200.50.190.6
2011-03-02 15:00:22.520560500 tcpserver: ok 11128 mail.srv.com:11.22.33.44:25 :200.50.190.6::19057
2011-03-02 15:00:22.756345500 CHKUSER accepted rcpt: from claudianu...@suservicio-sa.co.jp:administrac...@suservicio-sa.co.jp: remote [192.168.1.119]:unknown:190.220.98.37 rcpt pamelaballeste...@suservicio-sa.co.jp : found existing recipient
2011-03-02 15:00:22.756380500 policy_check: local administrac...@suservicio-sa.co.jp - local pamelaballeste...@suservicio-sa.co.jp (AUTHENTICATED SENDER)
2011-03-02 15:00:22.756496500 policy_check: policy allows transmission
2011-03-02 15:00:22.827357500 tcpserver: status:
[qmailtoaster] Re: Fail2ban and vpopmail
Good guess Finn, but they appear to be coming from a wide variety of addresses.

--
-Eric 'shubes'

On 03/02/2011 11:15 AM, Finn Buhelt (kirstineslund) wrote:
> Hi Sergio.
>
> Sounds like you're having a script that sends mail! Do you by any chance have a webserver with e-mail forms that can have been compromised?
>
> Regards,
> Finn
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 11:16 AM, Sergio M wrote:
> Eric Shubert wrote:
>> How long does it take to go from 0 to 25? Please post log.

snip

Wow. Just 9 seconds. And from a variety of sources.

>> Also, why do you have this set so low? Please post (again) your HW specs.
>
> [*sergio*]
> I have a Quad-Core AMD Opteron(tm) Processor 1354
> cpu MHz : 1100.000
> with 1Gb RAM.

That's more than adequate CPU, and ample RAM.

>> You should be able to open things up a bit.
>>
>> Also, number of domains and users (# pop, # imap) would help. Using dovecot or courier?
>>
>> Also, how many spamd children do you have configured?
>>
>> I know these aren't directly related to your perceived problem, but these things could be influencing your dilemma.
>
> [*sergio*]
> We have around 40/50 domains with less than 2000 users (total), mostly pop, though some use Squirrelmail.
> Don't know about courier or dovecot.

Doesn't really matter unless you have IMAP accounts with large amounts of email.

> cat /var/qmail/supervise/spamd/run
> #!/bin/sh
> exec /usr/bin/spamd -x -m 8 -u vpopmail -s stderr 2>&1

That's a good start. What are your load numbers looking like? Pretty low I expect.

I'd open that puppy up. You can handle way more than 25 connections. I'd go back to the default value of 100 for starters, and double the number of spamd children. Then keep an eye on things. You don't want to get so many spamd instances running that you start swapping ram. Find a good comfortable number for spamd children (this is what will eat your ram and cpu), then adjust your total smtp sessions to fit. You should have many more (2-4x) smtp sessions available as spamd children.

With that many domains and users, there is probably a good deal of mail queued up in other servers, which is why you're getting pounded so hard. You might need to turn off spamassassin temporarily to get past the wave, but I'd only do that as a last resort.

What you have here is a good opportunity to do some serious tuning. :)

--
-Eric 'shubes'
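The measurement discussed in the message above (how fast tcpserver climbs from 0 to its limit, how long it then sits full, and how many distinct sources hold the slots), as an added example that is not part of the original thread. The log lines are constructed in the `tai64nlocal` format shown in the thread, with the limit scaled down to 4 to keep the sample short.

```python
import re
from collections import Counter
from datetime import datetime

STATUS_RE = re.compile(r"^(\S+ \S+) tcpserver: status: (\d+)/(\d+)$")
FROM_RE = re.compile(r"^(\S+ \S+) tcpserver: pid (\d+) from (\S+)$")

# Constructed sample (documentation addresses), same line shapes as the thread.
SAMPLE_LOG = """\
2011-03-02 15:00:21.000000500 tcpserver: status: 0/4
2011-03-02 15:00:21.100000500 tcpserver: status: 1/4
2011-03-02 15:00:21.100100500 tcpserver: pid 101 from 192.0.2.10
2011-03-02 15:00:21.100200500 tcpserver: ok 101 mail.example.com:198.51.100.1:25 :192.0.2.10::2111
2011-03-02 15:00:23.000000500 tcpserver: status: 2/4
2011-03-02 15:00:23.000100500 tcpserver: pid 102 from 192.0.2.20
2011-03-02 15:00:26.000000500 tcpserver: status: 3/4
2011-03-02 15:00:26.000100500 tcpserver: pid 103 from 203.0.113.7
2011-03-02 15:00:30.000000500 tcpserver: status: 4/4
2011-03-02 15:00:30.000100500 tcpserver: pid 104 from 192.0.2.10
2011-03-02 15:04:10.000000500 tcpserver: end 102 status 0
2011-03-02 15:04:10.000001500 tcpserver: status: 3/4
2011-03-02 15:04:10.000002500 tcpserver: status: 4/4
2011-03-02 15:04:10.000100500 tcpserver: pid 105 from 203.0.113.99
"""


def parse_ts(text):
    """tai64nlocal prints nanoseconds; datetime keeps only microseconds."""
    whole, frac = text.split(".")
    return datetime.strptime(f"{whole}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def analyze(log_text):
    """Summarise slot usage and connection sources from a tcpserver log."""
    limit = ramp_start = ramp_seconds = None
    saturated = 0.0   # seconds spent with every slot in use
    prev = None       # (timestamp, concurrent) from the previous status line
    sources = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        m = STATUS_RE.match(line)
        if m:
            ts, cur, limit = parse_ts(m.group(1)), int(m.group(2)), int(m.group(3))
            # Time since the last status line counts as saturated if it showed N/N.
            if prev and prev[1] == limit:
                saturated += (ts - prev[0]).total_seconds()
            if cur == 0:
                ramp_start, ramp_seconds = ts, None   # service (re)started
            elif cur == limit and ramp_start and ramp_seconds is None:
                ramp_seconds = (ts - ramp_start).total_seconds()
            prev = (ts, cur)
            continue
        m = FROM_RE.match(line)
        if m:
            sources[m.group(3)] += 1
    return {
        "limit": limit,
        "ramp_seconds": ramp_seconds,
        "saturated_seconds": round(saturated, 1),
        "connections": sum(sources.values()),
        "distinct_sources": len(sources),
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it on the live log, pass the output of `tai64nlocal < /var/log/qmail/smtp/current` as `log_text`; a long `saturated_seconds` with many `distinct_sources` is the pattern the thread attributes to a connection limit that is too low, while a single address dominating `top_sources` points at one client holding the slots.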
Re: [qmailtoaster] Re: Fail2ban and vpopmail
> #!/bin/sh
> exec /usr/bin/spamd -x -m 8 -u vpopmail -s stderr 2>&1
>
> That's a good start. What are your load number looking like? Pretty low I expect.
>
> I'd open that puppy up. You can handle way more than 25 connections. I'd go back to the default value of 100 for starters, and double the number of spamd children. Then keep an eye on things.

Well Eric, thanks for your reply.

Load
# top
top - 16:01:49 up 4 days, 19:13, 1 user, load average: 0.18, 0.33, 0.42
Tasks: 264 total, 1 running, 263 sleeping, 0 stopped, 0 zombie
Cpu(s): 2.1%us, 0.5%sy, 0.0%ni, 93.1%id, 4.3%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 1026432k total, 987040k used, 39392k free, 18456k buffers
Swap: 2064376k total, 36592k used, 2027784k free, 275032k cached

Would you suggest stepping spamd childs from 8 to 16 and incoming connections to 64?
Serious tuning (or tuning at all) it's the hardest part! Thanks!
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 12:04 PM, Sergio M wrote:
> Would you suggest stepping spamd children from 8 to 16 and incoming connections to 64?

I'm presuming you have nothing else on this host besides QMT, right?

I'd go with 20 spamd children and 100 incoming connections for a start, and see what happens. I expect more adjustments will be needed, but let's see what happens with that. Need to look at what (if anything, like smtp sessions, spamd children) is maxing out at that point, what cpu and ram use looks like, and load.

--
-Eric 'shubes'
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert wrote:
> I'm presuming you have nothing else on this host besides QMT, right?
>
> I'd go with 20 spamd children and 100 incoming connections for a start, and see what happens.

Server only has QMT and is a NS.
Well, I started as I said with 64 concurrencyincoming and 16 spamd children. Look:

2011-03-02 16:22:12.031650500 tcpserver: status: 0/64
2011-03-02 16:22:12.390714500 tcpserver: status: 1/64
2011-03-02 16:22:12.390922500 tcpserver: pid 27873 from 189.62.183.77
2011-03-02 16:22:12.391015500 tcpserver: ok 27873 mail.srv.com:11.22.33.44:25 :189.62.183.77::52708
(...)
2011-03-02 16:23:18.311763500 tcpserver: status: 62/64
2011-03-02 16:23:18.311765500 tcpserver: pid 29682 from 190.228.129.235
2011-03-02 16:23:18.311766500 tcpserver: ok 29682 mail.srv.com:11.22.33.44:25 :190.228.129.235::36885
2011-03-02 16:23:18.333234500 tcpserver: status: 63/64
2011-03-02 16:23:18.333424500 tcpserver: pid 29683 from 190.228.129.235
2011-03-02 16:23:18.333495500 tcpserver: ok 29683 mail.srv.com:11.22.33.44:25 :190.228.129.235::36888
2011-03-02 16:23:18.344837500 tcpserver: status: 64/64
2011-03-02 16:23:18.345021500 tcpserver: pid 29684 from 190.228.129.235
(...)
2011-03-02 16:29:55.588523500 tcpserver: status: 63/64
2011-03-02 16:29:55.588524500 tcpserver: status: 64/64
2011-03-02 16:29:55.588641500 tcpserver: pid 31540 from 201.3.48.146
2011-03-02 16:29:55.588727500 tcpserver: ok 31540 mail.netkey.com.ar:200.80.35.42:25 :201.3.48.146::43940
2011-03-02 16:29:57.377222500 tcpserver: end 29432 status 0
2011-03-02 16:29:57.377225500 tcpserver: status: 63/64
2011-03-02 16:29:57.377249500 tcpserver: status: 64/64
2011-03-02 16:29:57.377445500 tcpserver: pid 31551 from 200.69.10.175
2011-03-02 16:29:57.377530500 tcpserver: ok 31551 mail.netkey.com.ar:200.80.35.42:25 :200.69.10.175::47860

# top
top - 16:31:33 up 4 days, 19:43, 1 user, load average: 0.51, 0.77, 0.67
Tasks: 348 total, 1 running, 347 sleeping, 0 stopped, 0 zombie
Cpu(s): 6.1%us, 1.0%sy, 0.0%ni, 84.9%id, 7.7%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 1026432k total, 1018164k used, 8268k free, 16096k buffers
Swap: 2064376k total, 36592k used, 2027784k free, 265360k cached

So, should I increase to 100 and 20 children anyway?
Thanks Eric.
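The question of what is maxing out can be read straight from the tcpserver log. The following is an added example, not code from the thread or from QMT: it measures how long the listener sat at its concurrency limit and which sources held the most slots at once. The function names and the sample log (documentation addresses, a limit of 4) are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the tai64nlocal format shown in the thread, with a
# limit of 4 instead of 64. Addresses and host name are documentation values.
SAMPLE_LOG = """\
2011-03-02 16:22:12.000000500 tcpserver: status: 0/4
2011-03-02 16:22:12.100000500 tcpserver: status: 1/4
2011-03-02 16:22:12.100100500 tcpserver: pid 1001 from 192.0.2.10
2011-03-02 16:22:12.100200500 tcpserver: ok 1001 mail.example.com:198.51.100.1:25 :192.0.2.10::52708
2011-03-02 16:22:13.000000500 tcpserver: status: 2/4
2011-03-02 16:22:13.000100500 tcpserver: pid 1002 from 203.0.113.7
2011-03-02 16:22:13.010000500 tcpserver: status: 3/4
2011-03-02 16:22:13.010100500 tcpserver: pid 1003 from 203.0.113.7
2011-03-02 16:22:13.020000500 tcpserver: status: 4/4
2011-03-02 16:22:13.020100500 tcpserver: pid 1004 from 203.0.113.7
2011-03-02 16:22:43.020000500 tcpserver: end 1001 status 0
2011-03-02 16:22:43.020000500 tcpserver: status: 3/4
2011-03-02 16:22:43.030000500 tcpserver: status: 4/4
2011-03-02 16:22:43.030100500 tcpserver: pid 1005 from 192.0.2.10
2011-03-02 16:23:13.030000500 tcpserver: end 1002 status 0
2011-03-02 16:23:13.030000500 tcpserver: status: 3/4
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) tcpserver: (.*)$")
STATUS_RE = re.compile(r"^status: (\d+)/(\d+)$")
PID_RE = re.compile(r"^pid (\d+) from (\S+)$")
END_RE = re.compile(r"^end (\d+) status \d+$")


def parse_ts(text):
    # tai64nlocal prints nanoseconds; strptime's %f accepts microseconds only.
    return datetime.strptime(text[:26], "%Y-%m-%d %H:%M:%S.%f")


def analyze(log_text):
    """Summarise slot usage from tcpserver 'status', 'pid' and 'end' lines."""
    peak = limit = 0
    full_since = None      # when the listener last reached its limit
    full_seconds = 0.0     # total time spent with every slot taken
    last_ts = None
    connects = Counter()   # connections accepted per source
    peak_per_ip = Counter()  # most simultaneous sessions per source
    open_by_pid = {}       # pid -> source for sessions still running
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue       # elisions such as "(...)", blank lines
        last_ts, msg = parse_ts(m.group(1)), m.group(2)
        status, pid, end = STATUS_RE.match(msg), PID_RE.match(msg), END_RE.match(msg)
        if status:
            cur, limit = int(status.group(1)), int(status.group(2))
            peak = max(peak, cur)
            if cur >= limit and full_since is None:
                full_since = last_ts
            elif cur < limit and full_since is not None:
                full_seconds += (last_ts - full_since).total_seconds()
                full_since = None
        elif pid:
            ip = pid.group(2)
            connects[ip] += 1
            open_by_pid[pid.group(1)] = ip
            live = sum(1 for v in open_by_pid.values() if v == ip)
            peak_per_ip[ip] = max(peak_per_ip[ip], live)
        elif end:
            open_by_pid.pop(end.group(1), None)
    if full_since is not None and last_ts is not None:
        full_seconds += (last_ts - full_since).total_seconds()
    return {"peak": peak, "limit": limit, "full_seconds": full_seconds,
            "connects": dict(connects), "peak_per_ip": dict(peak_per_ip)}


def slot_hogs(report, share=0.5):
    """Sources whose simultaneous sessions reached `share` of the limit."""
    if not report["limit"]:
        return []
    floor = report["limit"] * share
    return sorted(ip for ip, n in report["peak_per_ip"].items() if n >= floor)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report)
    print("holding half the slots or more:", slot_hogs(report))
```

On a log with elided sections the per-source peaks are lower bounds, because sessions opened inside the gaps are never seen.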
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 12:32 PM, Sergio M wrote:
> So, should I increase to 100 and 20 children anyway?

Sure. The thing's barely working. CPU is 85% idle, and no apparent paging yet.

How many spamd children have kicked in? Might want to increase --min-children number to 12 or so, or whatever number ends up being your average number that are running. You can easily see this in the spamd log.

Keep in mind, there's loads of messages that have backed up, so you'll be seeing inordinately high activity for a while, perhaps several hours.

--
-Eric 'shubes'
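One way to get the "average number that are running" out of the spamd log, as an added example that is not part of the thread or of QMT. It reads the `prefork: child states:` lines, treating each letter as one child with `I` idle and `B` busy (how spamd's prefork logging labels them); the function names, the sample lines and the max-children value of 4 are constructed.

```python
import math
import re

# Constructed sample in the format of /var/log/qmail/spamd/current as quoted
# in the thread (tai64nlocal timestamps); not taken from the original log.
SAMPLE_LOG = """\
2011-03-02 16:51:27.025666500 [2627] info: prefork: child states: II
2011-03-02 16:51:33.587155500 [3286] info: spamd: connection from localhost [127.0.0.1] at port 35039
2011-03-02 16:51:33.700000500 [2627] info: prefork: child states: BI
2011-03-02 16:51:34.100000500 [2627] info: prefork: child states: BB
2011-03-02 16:51:34.200000500 [2627] info: prefork: child states: BBI
2011-03-02 16:51:35.000000500 [2627] info: prefork: child states: BBBB
2011-03-02 16:51:36.000000500 [2627] info: prefork: child states: BBIB
2011-03-02 16:51:37.000000500 [2627] info: prefork: child states: IIII
"""

STATES_RE = re.compile(r"prefork: child states: ([A-Z]+)\s*$")


def child_state_samples(log_text):
    """Return the state string of every 'child states' line, in log order."""
    samples = []
    for line in log_text.splitlines():
        m = STATES_RE.search(line)
        if m:
            samples.append(m.group(1))
    return samples


def summarize(log_text, max_children):
    """Summarise child usage; max_children is the value passed to spamd -m."""
    samples = child_state_samples(log_text)
    if not samples:
        return None
    alive = [len(s) for s in samples]       # children running per sample
    busy = [s.count("B") for s in samples]  # children scanning per sample
    mean_alive = sum(alive) / len(alive)
    return {
        "samples": len(samples),
        "mean_alive": mean_alive,
        "mean_busy": sum(busy) / len(busy),
        "peak_busy": max(busy),
        # Samples with no idle child: the next message waits for a fork.
        "no_idle": sum(1 for s in samples if "I" not in s),
        # Samples where every allowed child was busy: -m is the bottleneck.
        "exhausted": sum(1 for b in busy if b >= max_children),
        # Average number running, rounded up and capped at the -m value.
        "suggested_min_children": min(max_children, math.ceil(mean_alive)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, max_children=4))
```

A non-zero `exhausted` count over a normal day means the `-m` value is the limit being hit; a high `no_idle` count with a low `exhausted` count points at `--min-children` instead.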
Re: [qmailtoaster] Re: Fail2ban and vpopmail
Eric Shubert wrote:
> How many spamd children have kicked in? Might want to increase --min-children number to 12 or so, or whatever number ends up being your average number that are running. You can easily see this in the spamd log.

Here's an excerpt from /var/log/qmail/spamd/current. Which number are you telling me about?

2011-03-02 16:51:27.025666500 [2627] info: prefork: child states: II
2011-03-02 16:51:33.587155500 [3286] info: spamd: connection from server
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 12:55 PM, Sergio M wrote:
> Here's an excerpt from /var/log/qmail/spamd/current. Which number are you telling me about?
>
> 2011-03-02 16:51:27.025666500 [2627] info: prefork: child states: II
> 2011-03-02 16:51:33.587155500 [3286] info: spamd: connection from server [127.0.0.1] at port 35039
> 2011-03-02 16:51:33.610493500 [3286] info:
Re: [qmailtoaster] Re: Fail2ban and vpopmail
I can say that with 64 concurrencyincoming and 16 spamd children (and a magic reboot, just in case) it's now flowing smoothly and the sessions are under 40/64 most of the time. (for now)

# top
top - 17:19:24 up 43 min, 1 user, load average: 0.55, 0.73, 0.95
Tasks: 269 total, 1 running, 268 sleeping, 0 stopped, 0 zombie
Cpu(s): 5.2%us, 0.9%sy, 0.0%ni, 81.8%id, 11.9%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 1026432k total, 965996k used, 60436k free, 29036k buffers
Swap: 2064376k total, 120k used, 2064256k free, 393428k cached

I want to thank you guys, and especially Eric for backing me up on this one.

But I should say that we'd all like to see some fail2ban config files and working setups for qmail and vpopmail. Haven't got much of that yet.

Thanks!
Sergio
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 01:21 PM, Sergio M wrote:
> I want to thank you guys, and especially Eric for backing me up on this one.

You're welcome, Sergio.

As an afterthought, that host really is overbuilt. Plus, running a NS (authoritative I presume) on a QMT host isn't really a good idea. If it were me, I'd put another 1G of ram (2G total) in the thing, run VMware Server on it (or your virtualization product of choice), and run QMT and the NS as separate VM guests. You'd have enough machine left over to host something else as well if you'd like. Perhaps a development host or 2, a backup QMT host, or whatever you like.

FWIW.

--
-Eric 'shubes'
[qmailtoaster] Re: Fail2ban and vpopmail
On 03/02/2011 01:21 PM, Sergio M wrote:
> But I should say that we'd all like to see some fail2ban config files and working setups for qmail and vpopmail. Haven't got much of that yet.

Oh, and what do you say, you fail2ban gurus? How about creating a little wiki content? It's really pretty trivial to edit the wiki. Don't worry about formatting and such, just get the content out there. Someone will likely come along later and make it pretty. ;)

--
-Eric 'shubes'
Re: [qmailtoaster] Re: Fail2ban and vpopmail
I am curious why you say it's not a good idea to run a QMT server and a NS on the same machine?

CJ

On 03/02/2011 12:40 PM, Eric Shubert wrote:
> Plus, running a NS (authoritative I presume) on a QMT host isn't really a good idea.

--
Cecil Yother, Jr.
[qmailtoaster] Re: Fail2ban and vpopmail
Security and manageability.

In addition, QMT is a heavy DNS user, so it's best to run a caching resolver on the QMT host. It's also a good idea to make your authoritative DNS server (if you run one yourself) separate from your resolver. Hence, if you have a caching resolver on your QMT, your authoritative DNS should be on another host.

This doesn't mean it can't be done. Of course, it can. Question is, should it? Probably not.

--
-Eric 'shubes'

On 03/02/2011 02:02 PM, Cecil Yother, Jr. wrote:
> I am curious why you say it's not a good idea to run a QMT server and a NS on the same machine?
Re: [qmailtoaster] Re: Fail2ban and vpopmail
The reason I ask is I have successfully been running mine that way for some time now. I also run a webserver on the same system. Fingers crossed, now that I said that.

On 03/02/2011 01:35 PM, Eric Shubert wrote:
> This doesn't mean it can't be done. Of course, it can. Question is, should it? Probably not.

--
Cecil Yother, Jr.