lots of "lost connection after" : need help with optimization

From: Proniewski Patrick (Patrick.Proniewski@univ-lyon2.fr)
Date: Wed Aug 29 2007 - 07:27:19 CDT


Hello,

I'm running a Postfix 2.1.x server with RBLs, postgrey, and "before-queue
filtering".
As of now, I can count up to 5000 "lost connection after CONNECT"
per hour, with a total of approx. 80-90K errors on a daily basis.

I've boosted the smtp max process count to 200 in master.cf, but the server
still shows many "lost connection after CONNECT" errors.

When the max process count for smtp is set to 100 or 150, I've experienced
delays of up to 45-50 seconds between a telnet connect and the banner
display. With 200 processes, the delay falls to 0-1 seconds, so I guess
I've found something interesting ;)

In the last 12 hours, I count (lost connection after...):

CONNECT 46522
DATA 33606
MAIL 7508
RCPT 7430
EHLO 122
RSET 34
HELO 28
QUIT 2

I know postgrey and amavisd-new (as before-queue content filter) are
responsible for almost all "lost connection after DATA" errors.
What about the other errors?

Relevant part of master.cf:

# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10025.
# content filter : amavisd-new + spamassassin
#
smtp inet n - n - 200 smtpd
     -o smtpd_proxy_filter=127.0.0.1:10024
     -o smtpd_client_connection_count_limit=20
     -o smtpd_proxy_ehlo=amavis.at.univ-lyon2.fr
     -o inet_interfaces=158.84.64.xxx

#
# After-filter SMTP server. Receive mail from the content filter
# on localhost port 10025.
#
127.0.0.1:10025 inet n - n - - smtpd
     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=
     -o mynetworks=127.0.0.0/8
     -o receive_override_options=no_unknown_recipient_checks

Output of postconf -n:

command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
empty_address_recipient = MAILER-DAEMON
enable_server_options = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_recipient_maps =
local_transport = local
mail_owner = postfix
mailbox_size_limit = 1000000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10240000
mydestination = $myhostname
        localhost.$mydomain
mydomain = univ-lyon2.fr
mydomain_fallback = localhost
myhostname = mx.univ-lyon2.fr
mynetworks = 127.0.0.1/32,159.84.142.xxx/32,159.84.142.xxx/32
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
notify_classes = resource,software
parent_domain_matches_subdomains =
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relay_domains = $mydomain
        xxx.univ-lyon2.fr
        yyy.univ-lyon2.fr
relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps
relay_transport = smtp:[159.84.143.xxx]
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/recipient_access,
        reject_unlisted_recipient,
        reject_rhsbl_client dynamic.rhs.mailpolice.com,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rhsbl_client blackhole.securitysage.com,
        reject_rhsbl_sender rhsbl.sorbs.net,
        reject_rhsbl_sender dynamic.rhs.mailpolice.com,
        check_client_access hash:/etc/postfix/client_access,
        check_policy_service unix:/var/run/postgrey.sock

smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions = reject_unlisted_sender,
        check_sender_access hash:/etc/postfix/sender_access
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        permit

transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual_alias

regards,

Patrick PRONIEWSKI
--
Systems Administrator - SENTIER - Université Lumière Lyon 2
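As an added example (not part of the original post), here is a small Python tally over postfix/smtpd log lines that produces the same per-stage counts as the list above but also attributes each "lost connection" event to the client IP, so that a few hosts repeatedly dropping at CONNECT can be told apart from a general capacity problem. The log lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# Constructed sample of postfix/smtpd log lines (not from the original post);
# hostnames and addresses are RFC 5737 documentation values.
SAMPLE_LOG = """\
Aug 29 06:15:01 mx postfix/smtpd[20345]: connect from unknown[192.0.2.10]
Aug 29 06:15:01 mx postfix/smtpd[20345]: lost connection after CONNECT from unknown[192.0.2.10]
Aug 29 06:15:02 mx postfix/smtpd[20346]: lost connection after CONNECT from unknown[192.0.2.10]
Aug 29 06:15:03 mx postfix/smtpd[20347]: lost connection after CONNECT from unknown[192.0.2.10]
Aug 29 06:15:04 mx postfix/smtpd[20348]: lost connection after DATA (1024 bytes) from mail.example.net[198.51.100.7]
Aug 29 06:15:05 mx postfix/smtpd[20349]: lost connection after RCPT from unknown[203.0.113.5]
Aug 29 06:15:06 mx postfix/smtpd[20350]: disconnect from mail.example.org[198.51.100.8]
"""

# Matches "lost connection after <STAGE> [(N bytes)] from <host>[<ip>]";
# the "(N bytes)" part only appears for the DATA stage.
LOST_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after (?P<stage>[A-Z]+)"
    r"(?: \(\d+ bytes\))? from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
)


def tally_lost_connections(log_text):
    """Return (per-stage counts, per-client-IP counts) for smtpd 'lost connection' lines."""
    by_stage = Counter()
    by_client = Counter()
    for line in log_text.splitlines():
        m = LOST_RE.search(line)
        if not m:
            continue  # connect/disconnect and other lines are ignored
        by_stage[m.group("stage")] += 1
        by_client[m.group("ip")] += 1
    return by_stage, by_client


def noisy_clients(by_client, threshold=3):
    """Client IPs that dropped at least `threshold` connections, sorted for stable output."""
    return sorted(ip for ip, n in by_client.items() if n >= threshold)


if __name__ == "__main__":
    stages, clients = tally_lost_connections(SAMPLE_LOG)
    for stage, n in stages.most_common():
        print(f"{stage} {n}")
    print("repeat offenders:", noisy_clients(clients))
```

Run it against the real maillog (e.g. `tally_lost_connections(open("/var/log/maillog").read())`) to see whether the CONNECT drops are spread evenly or concentrated on a few clients, which points to different remedies (server capacity versus per-client limits such as the smtpd_client_connection_count_limit already set in master.cf).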