On Tuesday 29 March 2005 10:53 am, Tobias Orlamuende wrote:
> On Tuesday, 29 March 2005 18:37, Jeremy Kitchen wrote:
> > On Tuesday 29 March 2005 10:31 am, Tobias Orlamuende wrote:
> > > After intensive logging I found out that chkuser sends something like
> > > "You are violating my security policy" when CHKUSERRCPTLIMIT and / or
> > > CHKUSER_WRONGRCPTLIMIT is reached.
> > > That's fine so far, but the other side is still sending masses of "rcpt
> > > to". This causes qmail-smtpd to stay open for a very long time until
> > > the sender finishes sending his spam.
> >
> > so?  the resources consumed by a single copy of qmail-smtpd hanging
> > around for some spammer to give up are minimal.
>
> IMHO not :-(
> qmail-smtpd is running for 40 minutes and counts up (until now) to 105
> processes where the oldest one dates from one minute after startup of
> qmail-smtpd. Load of this Dual-Opteron (240) is about 100.
> Timeoutsmtpd is set in control...
> Most of the started qmail-smtpd's are closed correctly, but some stay open
> which gives this amount...
>
> I am not 100% sure if this problem is caused by chkuser, but for me it
> looks like. The strange thing is, that most of these open sessions are
> using STARTTLS.
> Btw: Has anybody had bad experiences with this patch?
> http://www.arda.homeunix.net/store/qmail/starttls-2way-auth-20050307.patch
>
> I started with Bill Shupp's tls-auth-patch but the load was even going
> much higher than now.

Try running: /var/qmail/bin/update_tmprsadh

Then add a nightly root crontab entry:
0 2 * * * /var/qmail/bin/update_tmprsadh 2>&1 > /dev/null

Without this, qmail-smtpd will generate a unique key pair for each TLS 
session, which is *very* cpu intensive. 

Ken Jones

<snip>
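
A check that the nightly refresh suggested above is actually keeping the temporary key files current, as an added example that is not part of the original message or of qmail. The function name, the 26-hour threshold in the usage comment and the file paths passed by the caller are assumptions; no paths are taken from the thread.

```shell
#!/bin/sh
# Added example: report temporary TLS parameter files that are missing,
# empty, or older than a maximum age, so that a refresh job whose output
# is discarded by cron does not fail unnoticed.

# stale_tls_params MAX_AGE_MINUTES FILE...
# Prints one line per problem file; the return status is the problem count.
stale_tls_params() {
    max_age=$1
    shift
    problems=0
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            # Absent or zero-length: the refresh never ran or was interrupted.
            echo "MISSING_OR_EMPTY $f"
            problems=$((problems + 1))
        elif [ -n "$(find "$f" -mmin +"$max_age" 2>/dev/null)" ]; then
            # Older than the allowed age: the nightly job has stopped working.
            echo "STALE $f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use, e.g. from a monitoring check (paths are the caller's):
#   sh check_tls_params.sh 1560 /path/to/param-file-1 /path/to/param-file-2
# 1560 minutes = 26 hours, which leaves slack around a once-a-day refresh.
if [ "$#" -gt 1 ]; then
    stale_tls_params "$@"
fi
```

A non-zero exit status means at least one file needs regenerating before qmail-smtpd falls back to per-session key generation.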
