Re: New document: STRESS_README

From: Andreas Grimm (grimm.andreasyahoo.com)
Date: Wed Oct 31 2007 - 09:49:23 CDT


Hello Victor,
 
 it's not the greylist server that slows down the whole thing. Under stress:
 #> time netcat 127.0.0.1 2525 < requesttest
 action=dunno
 
 
 real 0m0.012s
 user 0m0.004s
 sys 0m0.000s
 
 The server still stalls before answering. I have also now tried raising the process limit for smtpd from 1500 to 2000. A few seconds later anvil went away:
 
 Oct 31 15:30:13 mx-01 postfix/smtpd[12004]: warning: problem talking to server private/anvil: Resource temporarily unavailable
 Oct 31 15:29:49 mx-01 postfix/smtpd[11938]: warning: connect to private/anvil: Resource temporarily unavailable
 
 I checked for AppArmor, but it's turned off.
 
 What I also noticed is that the disconnect after issuing the QUIT command took as long as the prior connect under stress. What's the problem here?
 
BTW: I took an additional look at the anatomy of Postfix. I know the difference between smtpd and smtp now. Thanks for the tip.

 Andreas
 

Victor Duchovni <Victor.DuchovniMorganStanley.com> wrote:

On Tue, Oct 30, 2007 at 02:55:56PM -0700, Andreas Grimm wrote:

> >> smtp_connect_timeout = 5s
> >> smtp_helo_timeout = 5s
> >
> >Aggressive.
>
> Really? A test with telnet shows that it has no effect. After starting
> a connection with telnet without saying helo it takes the default 5
> minutes until postfix kicks me out. That's strange.

Don't confuse smtp(8) and smtpd(8). Ditch these and just set smtpd_timeout.

> >> smtp_timeout = 60s
> >
> >What is this?
> A type error. Postfix was kind enough to ignore it.

Don't confuse smtp(8) and smtpd(8).

> I will try cdb, and have a look at gld's performance during an
> attack; currently it is very silent. What made me wonder too is that
> the client_restrictions are not working until "rcpt to".

    See the docs for "smtpd_delay_reject".

As for the kernel limits, I have not heard of similar per-process limits
in Linux that require kernel rebuilds. Is there some sort of security
add-on that is preventing master(8) from raising default hard resource
limits?

--
 Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
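The two measurements made by hand in this thread (timing a policy-server answer with netcat, and connecting to smtpd without saying HELO to see when it drops you) can be scripted so they are repeatable under load. The Python below is an added example, not code from the original post, from Postfix or from gld. It speaks the Postfix smtpd policy delegation protocol (name=value lines, blank line ends the request, reply is action=...) and measures how long an idle SMTP client survives before the server closes the session, which is the value smtpd_timeout (not smtp_timeout) governs. The policy attributes, the 220/421 reply texts and the two stand-in servers are constructed so the script runs offline; against the real daemons you would point policy_query() at 127.0.0.1:2525 and idle_timeout() at port 25, and a real smtpd sends more request attributes than the sample shows.

```python
import socket
import threading
import time

# Constructed sample policy request in the attribute=value form smtpd(8)
# sends to a policy daemon; a real request carries more attributes.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "client_address": "192.0.2.10",
    "client_name": "unknown",
    "sender": "user@example.org",
    "recipient": "someone@example.net",
}

def encode_policy_request(attrs):
    """name=value lines, terminated by an empty line."""
    return ("".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n").encode("ascii")

def parse_policy_response(raw):
    """Reply is name=value lines up to an empty line, e.g. {'action': 'dunno'}."""
    result = {}
    for line in raw.decode("ascii", "replace").split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        result[name] = value
    return result

def policy_query(host, port, attrs=SAMPLE_REQUEST, timeout=5.0):
    """Send one policy request (what `netcat host port < requesttest` did)
    and return (response dict, seconds until the reply was complete)."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_policy_request(attrs))
        buf = b""
        while b"\n\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_policy_response(buf), time.monotonic() - start

def idle_timeout(host, port, max_wait=600.0):
    """Connect, read the 220 banner, then say nothing (no HELO) until the
    server hangs up. Returns (banner, idle seconds before the close), or
    (banner, None) if the server still held the session after max_wait."""
    with socket.create_connection((host, port), timeout=max_wait) as s:
        banner = s.recv(1024).decode("ascii", "replace").strip()
        start = time.monotonic()
        try:
            while s.recv(1024):          # a 421 may arrive before the close
                pass
            return banner, time.monotonic() - start
        except socket.timeout:
            return banner, None

# --- constructed stand-in servers so both probes can be run offline --------
def _serve_once(handler):
    """Listen on 127.0.0.1:<ephemeral>, serve one connection in a daemon
    thread, return the port."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]
    def run():
        conn, _ = lsock.accept()
        with conn:
            handler(conn)
        lsock.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def fake_policy_server(action="dunno", delay=0.0):
    """Pretend to be a greylisting policy daemon: read the request, wait
    `delay` seconds (a slow policy server), then answer action=..."""
    def handler(conn):
        buf = b""
        while b"\n\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        time.sleep(delay)
        conn.sendall(f"action={action}\n\n".encode("ascii"))
    return _serve_once(handler)

def fake_smtp_server(idle_limit=1.0):
    """Pretend to be smtpd(8) with smtpd_timeout = idle_limit: send a banner,
    then drop a client that stays silent that long (reply text is made up)."""
    def handler(conn):
        conn.sendall(b"220 mx-01 ESMTP\r\n")
        conn.settimeout(idle_limit)
        try:
            conn.recv(1024)
        except socket.timeout:
            conn.sendall(b"421 4.4.2 mx-01 Error: timeout exceeded\r\n")
    return _serve_once(handler)

if __name__ == "__main__":
    print(policy_query("127.0.0.1", fake_policy_server("dunno", delay=0.2)))
    print(idle_timeout("127.0.0.1", fake_smtp_server(idle_limit=1.0)))
```

Run in a loop while the server is under load, policy_query() separates a slow greylist daemon from a slow smtpd the same way the netcat test above did, and idle_timeout() against port 25 should come back close to smtpd_timeout once that parameter (rather than the smtp_* client-side ones) has been set; with the default it will sit for the full five minutes, so pass a max_wait that fits your patience.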
