Re: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

newer
What's the story on apache2

older
Linux and forkbomb

Jürgen Mell

18 Mar 2005 18 Mar '05

06:08

Hi, On Friday 18 March 2005 02:40, M. Edwin wrote:

...

Jürgen Mell wrote:

...
Hi List,

Hello

...
today we had an outage of our internet provider. The connection was broken for several hours during which the mail server of the internet provider stored our e-mails. Now after the connection is established again these mails are sent to our own mail server from the provider's server at a pretty high rate.

Our system is SuSE 9.2 with Postfix 2.1.5 as the SMTP server and the SUSEfirewall which comes with 9.2. All current patches are applied.

What is the setting of firewall in connection with SMTP?

FW_SERVICES_EXT_TCP="http https smtp ssh ftp" Adding FW_TRUSTED_NETS=",tcp,25" did not change anything.

...

...
The problem now is that after a small number of mails from our provider the SMTP server does not accept any more connections. Instead it complains about timeouts, lost connections or SMTP EOFs. When telnetting to the server in this state a connection is made but there is no prompt "220 <servername> ESMT Postfix". The only way to fix this I found up to now is restarting Postfix (the cron job does it now every 3 minutes...) but that is only a very crude fix. Even setting the max_use parameter in main.cf to 1 to get a new smtpd for each connection does not help. Has anybody an idea what is causing this behaviour? Is it the firewall or is it Postfix or anything else who is limiting the connections? There are some firewall errors in the logs, but not nearly as many as the lost connections of the SMTP server:

Mar 17 21:52:18 pluto kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=<our IP> DST= LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3530 DF PROTO=TCP SPT=25 DPT=58506 WINDOW=1404 RES=0x00 ACK RST URGP=0 OPT (0101080A015E41E40C059CEB)

Any help would be greatly appriciated!

How if someone send you email directly, or are there any email you receive after the connection establish again.

Postfix restarts the smtp daemons after some time. Then we can receive mail again for some minutes but after that the system is blocked again.

...

How is the record of your DNS (MX record)?

nslookup with querytype=MX tells <our domain> mail exchanger = 20 . <out domain> mail exchanger = 10 mail.<our domain>. Ciao Jürgen

Attachments:

attachment.sig (application/pgp-signature — 189 bytes)

Show replies by date

M. Edwin

18 Mar 18 Mar

07:04

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jürgen Mell wrote:

...

FW_SERVICES_EXT_TCP="http https smtp ssh ftp"

Adding

FW_TRUSTED_NETS=",tcp,25"

did not change anything.

It looks Ok.

...

Postfix restarts the smtp daemons after some time. Then we can receive mail again for some minutes but after that the system is blocked again.

Hm........

...

nslookup with querytype=MX tells

<our domain> mail exchanger = 20 . <out domain> mail exchanger = 10 mail.<our domain>.

It's OK too. You wrote this in your previous email Mar 17 21:52:18 pluto kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=<our IP> DST= LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3530 DF PROTO=TCP SPT=25 DPT=58506 WINDOW=1404 RES=0x00 ACK RST URGP=0 OPT (0101080A015E41E40C059CEB) It seems that when you send an email from your server port 25 to your provider server an error happened in SFW2. (If you have fwlogwatch installed in your systems it can be easier to read the SFW log. Take a look in http://fwlogwatch.inside-security.de/) Can you do a ps auxww | grep postfix and send the result Edwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFCOn2FkaMcq796kjoRAikOAJ0bqeIkS+dscbdAB4tSkvL0/6jgGQCfTD1B YmOJ23+2d0TSa8CW16sfTZI= =M14w -----END PGP SIGNATURE-----

John Fawcett

07:27

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

M. Edwin wrote:

...

Jürgen Mell wrote:

...

It's OK too.

You wrote this in your previous email

...
Mar 17 21:52:18 pluto kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=<our IP> DST= LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3530 DF PROTO=TCP SPT=25 DPT=58506 WINDOW=1404 RES=0x00 ACK RST URGP=0 OPT (0101080A015E41E40C059CEB)

It seems that when you send an email from your server port 25 to your provider server an error happened in SFW2. (If you have fwlogwatch installed in your systems it can be easier to read the SFW log. Take a look in http://fwlogwatch.inside-security.de/)

Email is never sent from port 25. Email is sent to port 25. The above message (which is likely to be a consequence of another problem) arises during reception of email from a remote server. Maybe the remote server disconnected prematurely, probably because of waiting too long to get a reply. I doubt it's a firewall problem because mail does go through at times. So the real question is why does the mail server become unresponsive. The answer may be in the mail logs (/var/log/mail ?) John

...

Can you do a

ps auxww | grep postfix

and send the result

Edwin

M. Edwin

08:06

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Fawcett wrote:

...

Email is never sent from port 25. Email is sent to port 25. The above message (which is likely to be a consequence of another problem) arises during reception of email from a remote server.

Maybe the remote server disconnected prematurely, probably because of waiting too long to get a reply. I doubt it's a firewall problem because mail does go through at times.

So the real question is why does the mail server become unresponsive. The answer may be in the mail logs (/var/log/mail ?)

John

Oops... yes you right. mail logs maybe in /var/log/mail.err or alternatively /var/log/mail.info Edwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFCOov5kaMcq796kjoRAtf/AJ0YIklPvFZ2MWCAdau49TwjJ9Lq6QCfUMBT SDKT3Bs2r4iLu0wTtysLRDw= =i/j5 -----END PGP SIGNATURE-----

Thomas Hochstein

08:09

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

John Fawcett schrieb:

...

So the real question is why does the mail server become unresponsive.

"High load", I presume ...

Arjen Runsink

09:25

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

Hi, On Friday, 18 March 2005 09:09, Thomas Hochstein wrote:

...

John Fawcett schrieb:

...
So the real question is why does the mail server become unresponsive.

"High load", I presume ...

Postfix has some throtteling and concurrency limitation settings. Reviewed your postfix config yet? BB, Arjen

Jürgen Mell

19:09

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

Hi Arjen, On Friday 18 March 2005 10:25, Arjen Runsink wrote:

...

Hi,

On Friday, 18 March 2005 09:09, Thomas Hochstein wrote:

...
John Fawcett schrieb:

...
So the real question is why does the mail server become unresponsive.

"High load", I presume ...

Postfix has some throtteling and concurrency limitation settings. Reviewed your postfix config yet?

Yes, and I could not find anything here. Also throttling is well, but this type of trottling goes directly to DoS, as nobody else can connect, so this cannot be a throttling effect (unless the throttling is buggy, of course) Jürgen

Jürgen Mell

19:06

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

Hi John, On Friday 18 March 2005 09:09, Thomas Hochstein wrote:

...

John Fawcett schrieb:

...
So the real question is why does the mail server become unresponsive.

"High load", I presume ...

No, that is not the problem. 4 smtpd daemons do not bring the system down. Its nearly 100% idle while the mails are processed. Jürgen

Jürgen Mell

19:04

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

Hi, On Friday 18 March 2005 08:27, John Fawcett wrote:

...

M. Edwin wrote:

...
Jürgen Mell wrote:

It's OK too.

You wrote this in your previous email

...
Mar 17 21:52:18 pluto kernel: SFW2-OUT-ERROR IN= OUT=dsl0 SRC=<our IP> DST= LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3530 DF PROTO=TCP SPT=25 DPT=58506 WINDOW=1404 RES=0x00 ACK RST URGP=0 OPT (0101080A015E41E40C059CEB)

It seems that when you send an email from your server port 25 to your provider server an error happened in SFW2. (If you have fwlogwatch installed in your systems it can be easier to read the SFW log. Take a look in http://fwlogwatch.inside-security.de/)

Email is never sent from port 25. Email is sent to port 25. The above message (which is likely to be a consequence of another problem) arises during reception of email from a remote server.

Maybe the remote server disconnected prematurely, probably because of waiting too long to get a reply. I doubt it's a firewall problem because mail does go through at times.

So the real question is why does the mail server become unresponsive. The answer may be in the mail logs (/var/log/mail ?)

In the logs the problem looks like this: Mar 17 20:11:32 pluto postfix/smtpd[8647]: < mforward.dtag.de[194.25.242.123]: QUIT Mar 17 20:11:32 pluto postfix/smtpd[8647]: > mforward.dtag.de[194.25.242.123]: 221 Bye Mar 17 20:11:32 pluto postfix/smtpd[8647]: disconnect from mforward.dtag.de[194.25.242.123] Mar 17 20:11:32 pluto postfix/smtpd[8647]: connect from mforward.dtag.de[194.25.242.123] Mar 17 20:11:32 pluto postfix/smtpd[8647]: > mforward.dtag.de[194.25.242.123]: 220 pluto.br-tech.de ESMTP Postfix Mar 17 20:11:32 pluto postfix/smtpd[8647]: watchdog_pat: 0x80a18b8 Mar 17 20:12:20 pluto postfix/smtpd[8639]: > mforward.dtag.de[194.25.242.123]: 421 pluto.br-tech.de Error: timeout exceeded Mar 17 20:12:20 pluto postfix/smtpd[8639]: timeout after END-OF-MESSAGE from mforward.dtag.de[194.25.242.123] Mar 17 20:12:20 pluto postfix/smtpd[8639]: disconnect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:20 pluto postfix/smtpd[8639]: connect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:20 pluto postfix/smtpd[8639]: > mforward.dtag.de[194.25.242.123]: 220 pluto.br-tech.de ESMTP Postfix Mar 17 20:12:20 pluto postfix/smtpd[8639]: watchdog_pat: 0x80a18b8 Mar 17 20:12:35 pluto postfix/smtpd[8649]: > mforward.dtag.de[194.25.242.123]: 421 pluto.br-tech.de Error: timeout exceeded Mar 17 20:12:35 pluto postfix/smtpd[8649]: timeout after END-OF-MESSAGE from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: disconnect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: connect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: > mforward.dtag.de[194.25.242.123]: 220 pluto.br-tech.de ESMTP Postfix Mar 17 20:12:35 pluto postfix/smtpd[8649]: watchdog_pat: 0x80a18b8 Mar 17 20:12:35 pluto postfix/smtpd[8649]: smtp_get: EOF Mar 17 20:12:35 pluto postfix/smtpd[8649]: lost connection after CONNECT from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: disconnect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: connect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: > mforward.dtag.de[194.25.242.123]: 220 pluto.br-tech.de ESMTP Postfix Mar 17 20:12:35 pluto postfix/smtpd[8649]: watchdog_pat: 0x80a18b8 Mar 17 20:12:35 pluto postfix/smtpd[8649]: smtp_get: EOF From this point on, none of the smtpd daemons got a connection.

...

...
Can you do a

ps auxww | grep postfix

It's a bit of a problem right now. All the mails have been sent and right now everything works well again. I will try to reproduce the problem on the weekend, for the next outage will come for sure... Thanks, Jürgen

John Fawcett

19 Mar 19 Mar

08:18

New subject: [suse-security] Problem with SuSEfirewall and Postfix SMTP?

Jürgen Mell wrote:

...

In the logs the problem looks like this:

Mar 17 20:11:32 pluto postfix/smtpd[8647]: < mforward.dtag.de[194.25.242.123]: QUIT Mar 17 20:11:32 pluto postfix/smtpd[8647]: > mforward.dtag.de[194.25.242.123]: 221 Bye Mar 17 20:11:32 pluto postfix/smtpd[8647]: disconnect from mforward.dtag.de[194.25.242.123] Mar 17 20:11:32 pluto postfix/smtpd[8647]: connect from mforward.dtag.de[194.25.242.123] Mar 17 20:11:32 pluto postfix/smtpd[8647]: > mforward.dtag.de[194.25.242.123]: 220 pluto.br-tech.de ESMTP Postfix Mar 17 20:11:32 pluto postfix/smtpd[8647]: watchdog_pat: 0x80a18b8 Mar 17 20:12:20 pluto postfix/smtpd[8639]: > mforward.dtag.de[194.25.242.123]: 421 pluto.br-tech.de Error: timeout exceeded Mar 17 20:12:20 pluto postfix/smtpd[8639]: timeout after END-OF-MESSAGE from mforward.dtag.de[194.25.242.123] Mar 17 20:12:20 pluto postfix/smtpd[8639]: disconnect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:20 pluto postfix/smtpd[8639]: connect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:20 pluto postfix/smtpd[8639]: > mforward.dtag.de[194.25.242.123]: 220 pluto.br-tech.de ESMTP Postfix Mar 17 20:12:20 pluto postfix/smtpd[8639]: watchdog_pat: 0x80a18b8 Mar 17 20:12:35 pluto postfix/smtpd[8649]: > mforward.dtag.de[194.25.242.123]: 421 pluto.br-tech.de Error: timeout exceeded Mar 17 20:12:35 pluto postfix/smtpd[8649]: timeout after END-OF-MESSAGE from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: disconnect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: connect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: > mforward.dtag.de[194.25.242.123]: 220 pluto.br-tech.de ESMTP Postfix Mar 17 20:12:35 pluto postfix/smtpd[8649]: watchdog_pat: 0x80a18b8 Mar 17 20:12:35 pluto postfix/smtpd[8649]: smtp_get: EOF Mar 17 20:12:35 pluto postfix/smtpd[8649]: lost connection after CONNECT from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: disconnect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: connect from mforward.dtag.de[194.25.242.123] Mar 17 20:12:35 pluto postfix/smtpd[8649]: > mforward.dtag.de[194.25.242.123]: 220 pluto.br-tech.de ESMTP Postfix Mar 17 20:12:35 pluto postfix/smtpd[8649]: watchdog_pat: 0x80a18b8 Mar 17 20:12:35 pluto postfix/smtpd[8649]: smtp_get: EOF

From this point on, none of the smtpd daemons got a connection.

it looks as though the remote server stops sending further messages and just times out. Further connections from the remote server don't send any data. On a server with enough smtpd processes configured, this wouldn't be a problem. Did you see Mark Samendinger's reply? John

...

It's a bit of a problem right now. All the mails have been sent and right now everything works well again. I will try to reproduce the problem on the weekend, for the next outage will come for sure...

Thanks,

Jürgen

6987

Age (days ago)

6988

Last active (days ago)

List overview

Download

9 comments

5 participants

participants (5)

Arjen Runsink
John Fawcett
Jürgen Mell
M. Edwin
Thomas Hochstein