On Tuesday 29 March 2005 10:53 am, Tobias Orlamuende wrote:
> On Tuesday, 29 March 2005 18:37, Jeremy Kitchen wrote:
> > On Tuesday 29 March 2005 10:31 am, Tobias Orlamuende wrote:
> > > After intensive logging I found out that chkuser sends something like
> > > "You are violating my security policy" when CHKUSERRCPTLIMIT and / or
> > > CHKUSER_WRONGRCPTLIMIT is reached.
> > > That's fine so far, but the other side is still sending masses of "rcpt
> > > to". This causes qmail-smtpd to stay open for a very long time until
> > > the sender finishes sending his spam.
> >
> > so? the resources consumed by a single copy of qmail-smtpd hanging
> > around for some spammer to give up are minimal.
>
> IMHO not :-(
> qmail-smtpd is running for 40 minutes and counts up (until now) to 105
> processes where the oldest one dates from one minute after startup of
> qmail-smtpd. Load of this Dual-Opteron (240) is about 100.
> Timeoutsmtpd is set in control...
> Most of the started qmail-smtpd's are closed correctly, but some stay open
> which gives this amount...
>
> I am not 100% sure if this problem is caused by chkuser, but for me it
> looks like. The strange thing is that most of these open sessions are
> using STARTTLS.
> Btw: Anybody made bad experiences with this patch?
> http://www.arda.homeunix.net/store/qmail/starttls-2way-auth-20050307.patch
>
> I started with Bill Shupp's tls-auth-patch but the load was even going
> much higher than now.

Try running:

    /var/qmail/bin/update_tmprsadh

Then add a nightly root crontab entry:

    0 2 * * * /var/qmail/bin/update_tmprsadh 2>&1 > /dev/null

Without this, qmail-smtpd will generate a unique key pair for each TLS
session, which is *very* cpu intensive.

Ken Jones

<snip>
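
Added example, not part of the original thread or of the qmail TLS patch: a small shell check that the parameter files regenerated by the nightly cron job suggested above are present, non-empty and recent, so that a cron job which has stopped running gets noticed. The function name, the file names and the age threshold are assumptions supplied by the caller; take the file names from your own update_tmprsadh script.

```shell
#!/bin/sh
# Added example: verify that pre-generated TLS parameter files exist,
# are non-empty, and were regenerated recently.
#
# Usage: check_tls_params MAX_AGE_HOURS FILE...
# No file names are hard-coded; the caller passes the files that the
# local update_tmprsadh script writes (assumption: they are plain files
# whose mtime changes on every regeneration).
# Relies on find's -mmin test (GNU and BSD find).
check_tls_params() {
    max_hours=$1
    shift
    rc=0
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            # Absent or zero-length: regeneration never ran or failed.
            echo "MISSING_OR_EMPTY $f"
            rc=1
        elif [ -n "$(find "$f" -mmin +"$((max_hours * 60))" 2>/dev/null)" ]; then
            # Older than the threshold: the cron job has stopped running.
            echo "STALE $f"
            rc=1
        else
            echo "OK $f"
        fi
    done
    return $rc
}

# When run as a script with arguments, perform the check directly, e.g.
#   sh check_tls_params.sh 26 /path/to/param1.pem /path/to/param2.pem
# (26 hours leaves slack around a job that runs once a day).
if [ "$#" -ge 2 ]; then
    check_tls_params "$@"
fi
```

A non-zero exit status means at least one file needs attention, which makes the script usable from a monitoring check.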
