[postfix-users] Question about smtp_client_connection_count_limit
Symptom: my postfix/dovecot server stops connection requests on port 25 if the mail reject limit exceeds around 400 per minute. Port 25 is available but no 220 prompt is coming. So I assume not enough smtp or amavis daemons on port 10024 10025 are available. A short postfix reload "solves" the problem, spammers are gone and connections are free again for real users.
I did review my master.conf and see:
smtp inet n - n - 20 smtpd -o smtpd_proxy_filter=localhost:10024 -o content_filter=
But no smtp_client_connection_count_limit is set (a la):
smtp inet n - n - 20 smtpd -o smtpd_proxy_filter=localhost:10024 -o content_filter= -o smtp_client_connection_count_limit=10
Question: I've domains where the postfix accepts the smtp directly and I've domains which have a mailfirewall in front and refuse smtp from all other servers (mailfirewall = mx). This mailfirewall does also spam and virus checks and sends the "good" mails then to my postfix server. I assume that the "smtp_client_connection_count_limit" from above affects my mailfirewall too. How can I exclude my mailfirewall from this client_connection_count_limit (or how can I set a separate limit for my mailfirewall) - or does this make no sense and the limit set is the best solution?
For this mailfirewall I've configured in main.cf:
check_recipient_access hash:/etc/postfix/recipient_access
:/etc/postfix/recipient_access:
mydomain.tld check_if_mailfirewall_is_sender
main.cf:
check_if_mailfirewall_is_sender =
  check_client_access hash:/etc/postfix/mailfirewall-ip,
  check_recipient_access pcre:/etc/postfix/nice_mailfirewall_reject.pcre,
  reject
Kind regards, Georg
* Georg Käfer gkaefer@backbone.co.at:
Symptom: my postfix/dovecot server stops connection requests on port 25 if the mail reject limit exceeds around 400 per minute. Port 25 is available but no 220 prompt is coming. So I assume not enough smtp or amavis daemons on port 10024 10025 are available.
Postfix logs that fact. What's in the logs?
-----Original Message-----
From: postfix-users-bounces+gkaefer=backbone.co.at@de.postfix.org [mailto:postfix-users-bounces+gkaefer=backbone.co.at@de.postfix.org] On Behalf Of Ralf Hildebrandt
Sent: Wednesday, 02 December 2009 12:04
To: postfix-users@de.postfix.org
Subject: Re: [postfix-users] Question about smtp_client_connection_count_limit
* Georg Käfer gkaefer@backbone.co.at:
Symptom: my postfix/dovecot server stops connection requests on port 25 if the mail reject limit exceeds around 400 per minute. Port 25 is available but no 220 prompt is coming. So I assume not enough smtp or amavis daemons on port 10024 10025 are available.
Postfix logs that fact. What's in the logs?
Quoting Georg Käfer gkaefer@backbone.co.at:
-----Original Message-----
From: postfix-users-bounces+gkaefer=backbone.co.at@de.postfix.org [mailto:postfix-users-bounces+gkaefer=backbone.co.at@de.postfix.org] On Behalf Of Ralf Hildebrandt
Sent: Wednesday, 02 December 2009 12:04
To: postfix-users@de.postfix.org
Subject: Re: [postfix-users] Question about smtp_client_connection_count_limit
- Georg Käfer gkaefer@backbone.co.at:
Symptom: my postfix/dovecot server stops connection requests on port 25 if the mail reject limit exceeds around 400 per minute. Port 25 is available but no 220 prompt is coming. So I assume not enough smtp or amavis daemons on port 10024 10025 are available.
Postfix logs that fact. What's in the logs?
-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt@charite.de | http://www.charite.de
postfix-users mailing list postfix-users@de.postfix.org http://de.postfix.org/cgi-bin/mailman/listinfo/postfix-users
My log from the relevant time today:
Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max connection rate 18/60s for (smtp:82.32.162.192) at Dec 2 09:22:20
Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max connection count 4 for (smtp:213.55.71.242) at Dec 2 09:23:20
Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max message rate 18/60s for (smtp:82.32.162.192) at Dec 2 09:22:22
Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max recipient rate 152/60s for (smtp:82.32.162.192) at Dec 2 09:21:18
Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max cache size 103 at Dec 2 09:27:56
Dec 2 09:38:00 mail2 postfix/anvil[31780]: statistics: max connection rate 18/60s for (smtp:unknown) at Dec 2 09:33:39
Dec 2 09:38:00 mail2 postfix/anvil[31780]: statistics: max connection count 4 for (smtp:115.73.106.196) at Dec 2 09:28:19
Dec 2 09:38:00 mail2 postfix/anvil[31780]: statistics: max message rate 8/60s for (smtp:77.74.14.176) at Dec 2 09:28:41
Dec 2 09:38:00 mail2 postfix/anvil[31780]: statistics: max recipient rate 38/60s for (smtp:123.50.56.24) at Dec 2 09:29:59
Dec 2 09:38:00 mail2 postfix/anvil[31780]: statistics: max cache size 102 at Dec 2 09:28:14
Dec 2 09:48:00 mail2 postfix/anvil[31780]: statistics: max connection rate 18/60s for (smtp:unknown) at Dec 2 09:45:05
Dec 2 09:48:00 mail2 postfix/anvil[31780]: statistics: max connection count 2 for (smtp:62.227.200.84) at Dec 2 09:39:11
Dec 2 09:48:00 mail2 postfix/anvil[31780]: statistics: max message rate 8/60s for (smtp:94.41.154.84) at Dec 2 09:41:35
Dec 2 09:48:00 mail2 postfix/anvil[31780]: statistics: max recipient rate 37/60s for (smtp:41.112.213.24) at Dec 2 09:41:20
Dec 2 09:48:00 mail2 postfix/anvil[31780]: statistics: max cache size 118 at Dec 2 09:43:22
Dec 2 09:58:00 mail2 postfix/anvil[31780]: statistics: max connection rate 18/60s for (smtp:unknown) at Dec 2 09:54:55
Dec 2 09:58:00 mail2 postfix/anvil[31780]: statistics: max connection count 2 for (smtp:117.195.99.27) at Dec 2 09:48:01
Dec 2 09:58:00 mail2 postfix/anvil[31780]: statistics: max message rate 6/60s for (smtp:117.241.193.40) at Dec 2 09:48:56
Dec 2 09:58:00 mail2 postfix/anvil[31780]: statistics: max recipient rate 30/60s for (smtp:84.127.188.202) at Dec 2 09:57:07
Dec 2 09:58:00 mail2 postfix/anvil[31780]: statistics: max cache size 110 at Dec 2 09:51:24
Dec 2 10:10:38 mail2 postfix/anvil[31784]: statistics: max connection rate 16/60s for (smtp:87.238.209.101) at Dec 2 10:06:41
Dec 2 10:10:38 mail2 postfix/anvil[31784]: statistics: max connection count 4 for (smtp:59.95.129.85) at Dec 2 10:02:59
Dec 2 10:10:38 mail2 postfix/anvil[31784]: statistics: max message rate 16/60s for (smtp:87.238.209.101) at Dec 2 10:06:39
Dec 2 10:10:38 mail2 postfix/anvil[31784]: statistics: max recipient rate 76/60s for (smtp:119.155.71.225) at Dec 2 10:06:24
Dec 2 10:10:38 mail2 postfix/anvil[31784]: statistics: max cache size 94 at Dec 2 10:02:22
Dec 2 10:20:38 mail2 postfix/anvil[31784]: statistics: max connection rate 5/60s for (smtp:222.219.138.81) at Dec 2 10:19:19
Dec 2 10:20:38 mail2 postfix/anvil[31784]: statistics: max connection count 3 for (smtp:84.17.11.114) at Dec 2 10:20:13
Dec 2 10:20:38 mail2 postfix/anvil[31784]: statistics: max message rate 5/60s for (smtp:117.196.133.238) at Dec 2 10:11:55
Dec 2 10:20:38 mail2 postfix/anvil[31784]: statistics: max recipient rate 8/60s for (smtp:117.200.74.231) at Dec 2 10:13:42
Dec 2 10:20:38 mail2 postfix/anvil[31784]: statistics: max cache size 52 at Dec 2 10:19:38
Dec 2 10:30:38 mail2 postfix/anvil[31784]: statistics: max connection rate 5/60s for (smtp:222.219.138.81) at Dec 2 10:21:35
Dec 2 10:30:38 mail2 postfix/anvil[31784]: statistics: max connection count 1 for (smtp:212.156.174.232) at Dec 2 10:20:39
Dec 2 10:30:38 mail2 postfix/anvil[31784]: statistics: max message rate 5/60s for (smtp:222.219.138.81) at Dec 2 10:21:37
Dec 2 10:30:38 mail2 postfix/anvil[31784]: statistics: max recipient rate 12/60s for (smtp:59.93.55.211) at Dec 2 10:22:32
Dec 2 10:30:38 mail2 postfix/anvil[31784]: statistics: max cache size 44 at Dec 2 10:27:28
Dec 2 10:40:38 mail2 postfix/anvil[31784]: statistics: max connection rate 8/60s for (smtp:119.152.95.184) at Dec 2 10:34:33
Dec 2 10:40:38 mail2 postfix/anvil[31784]: statistics: max connection count 2 for (smtp:119.152.95.184) at Dec 2 10:33:49
Dec 2 10:40:38 mail2 postfix/anvil[31784]: statistics: max message rate 8/60s for (smtp:119.152.95.184) at Dec 2 10:34:35
Dec 2 10:40:38 mail2 postfix/anvil[31784]: statistics: max recipient rate 64/60s for (smtp:119.152.95.184) at Dec 2 10:34:35
Dec 2 10:40:38 mail2 postfix/anvil[31784]: statistics: max cache size 51 at Dec 2 10:39:07
Dec 2 10:50:38 mail2 postfix/anvil[31784]: statistics: max connection rate 4/60s for (smtp:80.249.81.70) at Dec 2 10:41:15
Dec 2 10:50:38 mail2 postfix/anvil[31784]: statistics: max connection count 3 for (smtp:117.102.44.141) at Dec 2 10:47:29
Dec 2 10:50:38 mail2 postfix/anvil[31784]: statistics: max message rate 4/60s for (smtp:80.249.81.70) at Dec 2 10:41:17
Dec 2 10:50:38 mail2 postfix/anvil[31784]: statistics: max recipient rate 19/60s for (smtp:117.102.44.141) at Dec 2 10:47:35
Dec 2 10:50:38 mail2 postfix/anvil[31784]: statistics: max cache size 64 at Dec 2 10:50:08
So I looked at main.cf again regarding rate limits:
anvil_status_update_time = 600s
anvil_rate_time_unit = 60s
smtpd_client_connection_rate_limit = 50
smtpd_client_connection_count_limit = 10
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 10
smtpd_client_event_limit_exceptions = $mynetworks, "IP of my mailfirewall"
default_process_limit = 500
So if I configure 20 smtps and then read "max connection rate 18/60s" in the log, it seems plausible to me that the limit of 20 is being exceeded in total. That is, if I set the limit to 10 with "-o smtp_client_connection_count_limit=10" and configure more than 20 smtp, then I increase the probability that more resources remain for legitimate mail. And with smtpd_client_event_limit_exceptions = $mynetworks, "IP of my mailfirewall" I can make exceptions to that?
Nope. 18/60s means 18 connections in 60 seconds and refers to rate limits. The value under "max connection count" is the one you are looking for, but it apparently does not go above 4.
As explained before, the problem (all connections occupied + before-queue filter) cannot be solved that easily.
Regards
Andreas
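Added example (not part of the original thread): a small Python parser for the anvil statistics lines posted above. It keeps "max connection count" (simultaneous connections per client) apart from "max connection rate" (connections per time unit) and compares each peak with the limits from the quoted main.cf. The sample lines are copied from the log above; the function names are illustrative.

```python
import re

# One anvil(8) statistics line for the two per-client connection metrics.
ANVIL = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection (?P<metric>rate|count) "
    r"(?P<value>\d+)(?:/(?P<unit>\d+)s)? for \((?P<service>[^:]+):(?P<client>[^)]+)\)"
)

# Limits taken from the main.cf quoted in the thread.
LIMITS = {
    "count": 10,  # smtpd_client_connection_count_limit (simultaneous connections)
    "rate": 50,   # smtpd_client_connection_rate_limit (per anvil_rate_time_unit)
}

# Lines copied from the log posted above.
SAMPLE = [
    "Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max connection rate 18/60s for (smtp:82.32.162.192) at Dec 2 09:22:20",
    "Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max connection count 4 for (smtp:213.55.71.242) at Dec 2 09:23:20",
    "Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max message rate 18/60s for (smtp:82.32.162.192) at Dec 2 09:22:22",
    "Dec 2 09:28:00 mail2 postfix/anvil[31780]: statistics: max cache size 103 at Dec 2 09:27:56",
    "Dec 2 10:10:38 mail2 postfix/anvil[31784]: statistics: max connection rate 16/60s for (smtp:87.238.209.101) at Dec 2 10:06:41",
    "Dec 2 10:10:38 mail2 postfix/anvil[31784]: statistics: max connection count 4 for (smtp:59.95.129.85) at Dec 2 10:02:59",
    "Dec 2 10:50:38 mail2 postfix/anvil[31784]: statistics: max connection count 3 for (smtp:117.102.44.141) at Dec 2 10:47:29",
]

def peaks(lines):
    """Return {"rate"|"count": (highest value seen, first client that reached it)}."""
    best = {}
    for line in lines:
        m = ANVIL.search(line)
        if m is None:
            continue  # message/recipient rate and cache size lines are ignored here
        value = int(m["value"])
        if value > best.get(m["metric"], (-1, ""))[0]:
            best[m["metric"]] = (value, m["client"])
    return best

def report(lines, limits=LIMITS):
    """Return {metric: (peak, configured limit, client, peak > limit)}."""
    return {metric: (value, limits[metric], client, value > limits[metric])
            for metric, (value, client) in peaks(lines).items()}

if __name__ == "__main__":
    for metric, (value, limit, client, exceeded) in report(SAMPLE).items():
        print(f"max connection {metric}: {value} (limit {limit}) "
              f"from {client}, exceeded={exceeded}")
```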
Georg Käfer wrote:
Symptom:
my postfix/dovecot server stops connection requests on port 25 if the mail reject limit exceeds around 400 per minute.
Port 25 is available but no 220 prompt is coming. So I assume not enough smtp or amavis daemons on port 10024 10025 are available.
A short postfix reload “solves” the problem, spammers are gone and connections are free again for real users.
I did review my master.conf and see:
smtp inet n - n - 20 smtpd
  -o smtpd_proxy_filter=localhost:10024
  -o content_filter=
But no smtp_client_connection_count_limit is set (a la):
smtp inet n - n - 20 smtpd
  -o smtpd_proxy_filter=localhost:10024
  -o content_filter=
  -o smtp_client_connection_count_limit=10
Question:
I’ve domains where the postfix accepts the smtp directly and I’ve domains which have a mailfirewall in front and refuse smtp from all other servers (mailfirewall = mx).
This mailfirewall does also spam and virus checks and sends the “good” mails then to my postfix server.
I assume that the “smtp_client_connection_count_limit” from above affects my mailfirewall too.
How can I exclude my mailfirewall from this client_connection_count_limit (or how can I set a separate limit for my mailfirewall) – or does this make no sense and the limit set is the best solution?
For this mailfirewall I’ve configured in main.cf:
check_recipient_access hash:/etc/postfix/recipient_access
:/etc/postfix/recipient_access:
mydomain.tld check_if_mailfirewall_is_sender
main.cf:
check_if_mailfirewall_is_sender =
  check_client_access hash:/etc/postfix/mailfirewall-ip,
  check_recipient_access pcre:/etc/postfix/nice_mailfirewall_reject.pcre,
  reject
Kind regards,
Georg
Why in English here? Did you make a mistake?
Yes - I guess I'm just so used to it by now. Pretty bad, really. Sorry ;-)
Regards, Georg
Quoting Georg Käfer gkaefer@backbone.co.at:
Symptom: my postfix/dovecot server stops connection requests on port 25 if the mail reject limit exceeds around 400 per minute. Port 25 is available but no 220 prompt is coming. So I assume not enough smtp or amavis daemons on port 10024 10025 are available. A short postfix reload "solves" the problem, spammers are gone and connections are free again for real users.
I did review my master.conf and see:
smtp inet n - n - 20 smtpd -o smtpd_proxy_filter=localhost:10024 -o content_filter=
That is the drawback of before-queue solutions. It is no longer easily possible to hold many client connections.
But no smtp_client_connection_count_limit is set (a la):
smtp inet n - n - 20 smtpd -o smtpd_proxy_filter=localhost:10024 -o content_filter= -o smtp_client_connection_count_limit=10
That is somewhat better, but two IP addresses that each open 10 connections are still enough. Usually, however, the problem is the spam zombies that come in large numbers from many IP addresses; for those, 20 smtpd are simply too few (see above).
Question: I've domains where the postfix accepts the smtp directly and I've domains which have a mailfirewall in front and refuse smtp from all other servers (mailfirewall = mx). This mailfirewall does also spam and virus checks and sends the "good" mails then to my postfix server. I assume that the "smtp_client_connection_count_limit" from above affects my mailfirewall too. How can I exclude my mailfirewall from this client_connection_count_limit (or how can I set a separate limit for my mailfirewall) - or does this make no sense and the limit set is the best solution?
For this mailfirewall I've configured in main.cf: check_recipient_access hash:/etc/postfix/recipient_access
:/etc/postfix/recipient_access: mydomain.tld check_if_mailfirewall_is_sender
main.cf: check_if_mailfirewall_is_sender = check_client_access hash:/etc/postfix/mailfirewall-ip, check_recipient_access pcre:/etc/postfix/nice_mailfirewall_reject.pcre, reject
The client_connection_count always applies as far as I know. So, if possible, redirect the "mailfirewall" to a different port and switch it off there with -o in master.cf, or configure the mailfirewall so that no more than 10 simultaneous connections are opened, which in most cases is probably rather pointless as well.
Regards
Andreas
participants (4)
- Georg Käfer
- lst_hoe02@kwsoft.de
- Ralf Hildebrandt
- Robert Schetterer