From: Andreas Grimm (grimm.andreas@yahoo.com)
Date: Tue Oct 30 2007 - 16:55:56 CDT
Hello Victor,
> What errors? Support for epoll() should result in various daemons being
> able to handle more than 1024 file descriptors with no further operator
> intervention.
Before modifying the kernel I got "Too many open files" from anvil and proxymap, with the same version. That made me write about my experience earlier in the thread.
>> default_destination_concurrency_limit = 1000
>> default_destination_recipient_limit = 1000
> This is insane, why? Where is this mail going? Try the defaults, but use
> a recipient limit of 1000 for feeding any content filters (at lower than
> default concurrency).
You're right. I lowered it to the defaults. I noticed that under such circumstances, i.e. when the server has to handle many connections (>1200 per minute), the incoming and active queues contain a great many mails. I thought it might help. A result of many desperate tries to get things under control.
>> max_use = 800
>
>This does not help, as daemons stick around longer, possibly leading to
>greater concentration of file descriptors on a given proxymap instance.
Sounds interesting, maybe that causes the proxymap error. I decreased it.
>> bounce_queue_lifetime = 0
> Why?
Because it's only an incoming mail server. There are no bounces in normal operation, so I try to get rid of them as fast as possible.
>> unknown_address_reject_code = 421
>> unknown_client_reject_code = 421
>> unknown_hostname_reject_code = 421
>
>Not a good idea if using this to reject traffic from legitimate MTAs
>with poor DNS or poorly validated sender addresses.
Just a short experiment. I saw some success, but it was a drop in the bucket.
>> smtp_connect_timeout = 5s
>> smtp_helo_timeout = 5s
>
>Aggressive.
Really? A test with telnet shows that it has no effect. After opening a connection with telnet without saying helo, it takes the default 5 minutes until Postfix kicks me out. That's strange.
>> smtp_timeout = 60s
>
>What is this?
A typo. Postfix was kind enough to ignore it.
>> in_flow_delay = 2
>
>Not useful unless attacked by a single client and the active queue
>is full. Very limited benefit.
Once again a desperate experiment.
I will try cdb, and have a look at gld's performance during an attack; currently it is very quiet. What made me wonder too is that the client_restrictions do not take effect until "rcpt to". From a dial-in account to the mail server with the above setup:
220 mx-01 ESMTP ready
helo test
250 mx-01
mail from: me@test.com
250 2.1.0 Ok
rcpt to: me@test.com
421 4.7.1 Service unavailable; Client host [91.37.X.X] blocked using zen.spamhaus.org=127.0.0.11; http://www.spamhaus.org/query/bl?ip=91.37.X.X
Why is the connection not dropped directly after the connect?
Thanks for looking at my setup. Nice community!
Andreas
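The RCPT TO-time rejection shown in the transcript above is Postfix's smtpd_delay_reject behaviour: that parameter defaults to "yes", which postpones the evaluation of all smtpd restriction lists (client, helo, sender and recipient) until the client sends RCPT TO, so that the log line can carry sender and recipient. With smtpd_delay_reject = no, each list runs at its own stage and a DNSBL-listed client is rejected in place of the 220 greeting. The following is an added example that models that staging; it is not Postfix source and not the poster's code. The DNSBL answers, the client address (198.51.100.7) and the server name are constructed, and the reply code 421 is assumed to come from maps_rbl_reject_code (the page shows the 421 but not the parameter that produced it; Postfix's default for that parameter is 554).

```python
"""Model of how Postfix smtpd stages its restriction lists (added example).

With smtpd_delay_reject = yes (the default) every restriction list is
evaluated only when the client sends RCPT TO, so a DNSBL hit on the client
address is reported in the reply to RCPT TO rather than at connect time.
With smtpd_delay_reject = no each list runs at its own stage.
"""

STAGES = ("connect", "helo", "mail", "rcpt")

# The stage each list runs at when smtpd_delay_reject = no (Postfix order).
LIST_STAGE = {
    "smtpd_client_restrictions": "connect",
    "smtpd_helo_restrictions": "helo",
    "smtpd_sender_restrictions": "mail",
    "smtpd_recipient_restrictions": "rcpt",
}

# Constructed DNSBL data: zone -> {client ip: A record returned}.
FAKE_DNSBL = {"zen.spamhaus.org": {"198.51.100.7": "127.0.0.11"}}

# Replies for commands that pass (server name taken from the transcript).
OK_REPLY = {"helo": "250 mx-01", "mail": "250 2.1.0 Ok", "rcpt": "250 2.1.5 Ok"}


def rbl_lookup(zone, ip):
    """Stand-in for the A lookup of <reversed ip>.<zone> that Postfix performs."""
    return FAKE_DNSBL.get(zone, {}).get(ip)


class Smtpd:
    """One session of the modelled smtpd for a given client address."""

    def __init__(self, cfg, client_ip):
        self.cfg = cfg
        self.client_ip = client_ip
        self.delay = cfg.get("smtpd_delay_reject", "yes") == "yes"

    def _reject_rbl_client(self, zone):
        """reject_rbl_client: reply text mirrors the one in the transcript."""
        hit = rbl_lookup(zone, self.client_ip)
        if hit is None:
            return None
        code = int(self.cfg.get("maps_rbl_reject_code", 554))  # Postfix default 554
        dsn = "4.7.1" if code < 500 else "5.7.1"
        return "%d %s Service unavailable; Client host [%s] blocked using %s=%s" % (
            code, dsn, self.client_ip, zone, hit)

    def _run_list(self, name):
        """Evaluate one restriction list; return a reject reply or None."""
        for item in self.cfg.get(name, []):
            if item == "permit":
                return None
            if item.startswith("reject_rbl_client "):
                reply = self._reject_rbl_client(item.split(None, 1)[1])
                if reply:
                    return reply
            else:
                raise ValueError("restriction not modelled: " + item)
        return None

    def evaluate(self, stage):
        """Run the restriction lists Postfix would run at this stage."""
        if self.delay and stage != "rcpt":
            return None  # nothing is decided before RCPT TO
        for name, own in LIST_STAGE.items():
            if not self.delay and own != stage:
                continue  # without delay, only this stage's own list runs
            reply = self._run_list(name)
            if reply:
                return reply
        return None

    def dialogue(self, commands):
        """Return [(stage, server reply)] for connect plus the given commands.

        The model stops after the first reject: a 421 makes the real server
        close the connection, and a 5xx would only be repeated afterwards.
        """
        reply = self.evaluate("connect")
        out = [("connect", reply or "220 mx-01 ESMTP ready")]
        if reply:
            return out
        for stage in commands:
            reply = self.evaluate(stage)
            out.append((stage, reply or OK_REPLY[stage]))
            if reply:
                break
        return out


def first_reject_stage(cfg, client_ip, commands=("helo", "mail", "rcpt")):
    """Stage at which the client is first rejected, or None if it never is."""
    for stage, reply in Smtpd(cfg, client_ip).dialogue(commands):
        if not reply.startswith(("2", "3")):
            return stage
    return None


if __name__ == "__main__":
    # Client-list DNSBL check as in the message; 421 assumed to be forced
    # through maps_rbl_reject_code.
    cfg = {"smtpd_client_restrictions": ["reject_rbl_client zen.spamhaus.org", "permit"],
           "maps_rbl_reject_code": 421}
    for delay in ("yes", "no"):
        cfg["smtpd_delay_reject"] = delay
        print("smtpd_delay_reject = " + delay)
        for stage, reply in Smtpd(cfg, "198.51.100.7").dialogue(("helo", "mail", "rcpt")):
            print("  %-7s -> %s" % (stage, reply))
```

Running the block prints the transcript twice: with the default delay the 421 arrives at rcpt, exactly as in the message, and with smtpd_delay_reject = no it replaces the 220 greeting. Note the prefix convention the model relies on: smtpd_* parameters govern the receiving server, while smtp_* parameters (such as smtp_helo_timeout) govern Postfix's own outbound SMTP client.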