On Tue, 11 Jun 2024 23:10:07 +0100,
Kirill A. Korinsky <kir...@korins.ky> wrote:
>
> A leak of descriptors is a good point. On the same servers I had
> https://www.mail-archive.com/misc@opensmtpd.org/msg06241.html a while ago
> with the same filters, which have evolved a bit since then, but the logic is the same.
>
> And for a few hours it had leaked a few descriptors, which I see via fstat,
> so it probably is.
>
> Also, I run two MXs and both of them fail the same way at almost the same
> moment, about 5 minutes between them.
>
> I register session / message related things like this:
>
>       osmtpd_local_session(auth_session_new, auth_session_free);
>       osmtpd_local_message(auth_message_new, auth_message_free);
>
> and I made an assumption that both free methods are called when I call:
>
>     osmtpd_filter_disconnect(ctx, "Internal server error");
>
> am I right with that assumption?
>

and I figured it out. Yes, both issues had the same root cause.

My filter runs a few DNS queries to walk against SPF and get certificates
for DKIM and ARC signatures.

The last one is called by the code:

        if ((query = res_query_async(sig->domain, C_IN, T_TXT, NULL)) == NULL)
                osmtpd_err(1, "res_query_async");
        if ((sig->query = event_asr_run(query, ar_rr_resolve, sig)) == NULL)
                osmtpd_err(1, "event_asr_run");

and it may plan to execute more than one request for the same domain.

After a lot of hours of debugging I've added a log inside the lookup function
and ar_rr_resolve to print the domain and the address of the sig object.

Well, it proved that ar_rr_resolve is not always called.

Huh.

tcpdump says that the local DNS server replies, but the function is never called.

The logic of the filter is based on the assumption that it will be called.

So, no call, it waits forever.

Really forever.

Now the weird thing: it seems some servers (at least Postfix at mail.nginx.org,
probably not only this one) keep the connection... forever.

So, at some point all sockets are consumed by waiting connections, and here
I had a misbehaviour of the filter on error (fixed) which led to the exit of smtpd.

Before I had implemented ARC signatures it used DNS less and it may work
longer, that allows to achieve: Disabling incoming SMTP connections: Client
limit reached.

Probably, after fixing the filter I also may achieve that, but much faster.

Anyway, here is the question: how should I run DNS queries? I've checked the smtpd
code and it seems that it is built on the same assumption that ar_rr_resolve
should be called.

Thus, I thought that I had done something wrong and tried getrrsetbyname_async
without any success.

--
wbr, Kirill
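
The failure mode described in the message above (a resolver callback that never fires leaves the session waiting until all sockets are consumed) can be bounded by giving every outstanding lookup a deadline. This is an added example, not code from the filter or from OpenSMTPD; `sig_stub`, the `pending_*` functions and the 30-second timeout are hypothetical.

```c
#include <time.h>

#define MAX_PENDING    64
#define LOOKUP_TIMEOUT 30   /* seconds; assumed value */

struct sig_stub { const char *domain; int failed; };  /* hypothetical sig object */

struct pending {
	unsigned long id;        /* 0 = free slot */
	time_t deadline;
	struct sig_stub *sig;
};
static struct pending table[MAX_PENDING];
static unsigned long next_id = 1;

/* Record a lookup just handed to the resolver. Returns its id, 0 if full. */
unsigned long pending_add(struct sig_stub *sig, time_t now)
{
	for (int i = 0; i < MAX_PENDING; i++)
		if (table[i].id == 0) {
			table[i] = (struct pending){ next_id, now + LOOKUP_TIMEOUT, sig };
			return next_id++;
		}
	return 0;
}

/* Resolver callback path: 1 if still waiting, 0 if timed out (drop late answer). */
int pending_done(unsigned long id)
{
	for (int i = 0; id != 0 && i < MAX_PENDING; i++)
		if (table[i].id == id) {
			table[i].id = 0;
			return 1;
		}
	return 0;
}

/* Periodic timer path: fail every lookup past its deadline so the session
 * is finished instead of holding its descriptor open forever. */
int pending_sweep(time_t now)
{
	int expired = 0;
	for (int i = 0; i < MAX_PENDING; i++)
		if (table[i].id != 0 && now >= table[i].deadline) {
			table[i].id = 0;
			table[i].sig->failed = 1;  /* real filter: end the session here */
			expired++;
		}
	return expired;
}
```

Ids are never reused, so an answer that arrives after its lookup expired cannot be mistaken for a newer lookup that took over the same slot.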
