Re: Postfix crashing under load

Mon, 08 Sep 2008 10:24:31 -0700 

Devdas Bhagat wrote:
> The last error messages I get are these:
> Sep  8 13:54:37 jaundiced-outlook postfix/smtp[7998]: warning: problem 
> talking to service private/scache: Connection timed out
> Sep  8 13:54:37 jaundiced-outlook postfix/smtp[20375]: warning: problem 
> talking to service private/scache: Connection timed out
> Sep  8 13:54:37 jaundiced-outlook postfix/smtp[7960]: warning: problem 
> talking to service private/scache: Connection timed out
> Sep  8 13:54:37 jaundiced-outlook postfix/smtp[17618]: warning: problem 
> talking to service private/scache: Connection timed out
> <snip about 600 similar lines about this problem>
> Sep  8 14:10:56 jaundiced-outlook postfix/master[11125]: fatal: watchdog 
> timeout
> Sep  8 14:10:56 jaundiced-outlook postfix/qmgr[13568]: fatal: watchdog timeout
>
>
> postconf -n is:
>   
[...]
> relay_domains = regexp:/etc/postfix/relay
> relay_recipient_maps = regexp:/etc/postfix/relay
>   

This looks potentially bad to me, but without knowing what is in that
/etc/postfix/relay map, it's hard to judge.
> relayhost = [redacted-trap]
>   

> smtpd_recipient_restrictions =        check_policy_service 
> inet:[127.0.0.1]:2025
>                               check_sender_access 
> hash:/etc/postfix/sender_access
>                               check_client_access 
> hash:/etc/postfix/aol_server_rejects
>                               check_client_access 
> hash:/etc/postfix/dnswl_rejects
>                               check_client_access 
> hash:/etc/postfix/whitelisted_clients
>                               check_recipient_access 
> hash:/etc/postfix/recipient_access
>                               reject_invalid_hostname
>                               reject_unknown_hostname
>                               reject_rbl_client cbl.abuseat.org
>                               reject_rbl_client dnsbl.sorbs.net
>                               reject_rbl_client aspews.ext.sorbs.net
>                               reject_unauth_destination
>   

This is a potential open relay.
If check_sender_access returns or check_recipient_access an OK, then it
is.  They should return permit_auth_destination for the simple fact that
they are easily forged.  Easy fix: move reject_unauth_destination to the
first position

Employ and enforce SASL for untrusted networks.
> This is a heavily loaded server. Suggestions on cause(s) and fixes?
>
>   
Rethink your "relay" service or post more on what is in the maps discussed.

Spammers can eat you alive if you let them.

Brian

Reply via email to