Re: [Mailman-Users] Mailman server consuming entire Internet pipe (dualT1)
Thanks for the reply. So it sounds like my iptables rule:

    iptables -A INPUT -p tcp --dport 25 -j REJECT

also blocks outbound mail too. Is there a preferred way to secure Mailman SMTP traffic with iptables? In our case, we would just need an inbound filter that only accepts mail from a few hosts. I thought this would do it, but Mailman wouldn't send mail with rules like this:

    # accept mail from two hosts, drop the rest
    iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -j REJECT

For the queues - I guess it's fine today - still reviewing the logs, and I will use those bin utilities to see the messages, that will be helpful... thanks!!

Scott

-----Original Message-----
From: Mark Sapiro [mailto:m...@msapiro.net]
Sent: Tuesday, November 23, 2010 4:16 PM
To: Scott Race; mailman-users@python.org
Subject: Re: [Mailman-Users] Mailman server consuming entire Internet pipe (dualT1)

Scott Race wrote:

> Haven't been able to figure out exactly what's up - but I do know if I set an iptables rule to block all inbound port 25 traffic, issues go away - so...

So, assuming you are also blocking port 25 connects from the local host via the loopback interface, you are blocking Mailman's connects to Postfix, thus preventing Mailman from connecting to Postfix and the resultant sending from Postfix of whatever Mailman is sending.

Take a look at Mailman's queues, particularly virgin, out and retry to see what's there. Use Mailman's bin/dumpdb to see an individual entry's message and metadata or bin/show_qfiles to see one or more entries' messages.

[...]

> At this point I can't tell if I have a Postfix problem or Mailman problem. Any ideas? Thanks!!

I suspect the actual network traffic is coming from Postfix sending the stuff that Mailman is delivering to it. The question is what is Mailman doing. Check the queues as above and also Mailman's smtp and perhaps other logs.

-- 
Mark Sapiro m...@msapiro.net          The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Mailman server consuming entire Internet pipe (dualT1)
On 11/24/2010 11:16 AM, Scott Race wrote:

> Thanks for the reply. So it sounds like my iptables rule:
>
>     iptables -A INPUT -p tcp --dport 25 -j REJECT
>
> also blocks outbound mail too. Is there a preferred way to secure Mailman SMTP traffic with iptables? In our case, we would just need an inbound filter that only accepts mail from a few hosts. I thought this would do it, but Mailman wouldn't send mail with rules like this:
>
>     # accept mail from two hosts, drop the rest
>     iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT
>     iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT
>     iptables -A INPUT -p tcp --dport 25 -j REJECT

I can't really answer that without knowing much more detail about your Mailman/Barracuda/Postfix configuration, but by default, Mailman delivers output (all list posts and other messages FROM Mailman) via SMTP to the MTA listening on localhost port 25 (127.0.0.1:25). If you reject packets addressed to port 25, Mailman won't be able to deliver anything. Every message in the out/ queue will result in a connection refused upon attempted delivery and will be logged in Mailman's smtp-failure log and put in the retry/ queue to be retried at intervals of DELIVERY_RETRY_WAIT (default 1 hour) for a total time of DELIVERY_RETRY_PERIOD (default 5 days).

Accepting port 25 connects from 192.168.1.245 and 192.168.1.246 probably won't help at all with Mailman's outgoing delivery, as those connects come from localhost (127.0.0.1).

As far as delivery of mail to Mailman is concerned, this mail is queued by Postfix in Mailman's queues, so it gets to the Barracuda appliance somehow, which then delivers it to Postfix on some port other than 25, and Postfix either pipes it to Mailman's mail wrapper based on aliases or perhaps via some script like postfix_to_mailman.py, depending on how Postfix is configured, and Mailman's mail wrapper queues the message for Mailman.

If you want to secure all SMTP traffic, I suggest you set up a separate SMTP listener in Postfix on some unused port and tell Mailman to deliver to that port by setting SMTPPORT in mm_cfg.py. Then you can block port 25 with iptables or just configure Postfix to not listen on port 25 at all.

-- 
Mark Sapiro m...@msapiro.net          The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
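The following is an added example, not code from the thread or from the Mailman project. It puts both of Mark's points into a runnable form: the rule set Scott posted rejects the loopback connection Mailman makes to 127.0.0.1:25, so an INPUT policy that admits only a few relays needs an explicit loopback accept loaded before the REJECT; and the alternative of a loopback-only Postfix listener on a private port with SMTPPORT set in mm_cfg.py. The two relay addresses are the ones from Scott's rules; the port 8025, the interface name eth0 and the outside address 203.0.113.7 are assumptions. The simulate_policy function reproduces iptables' first-match evaluation so the ordering effect can be checked without touching a live firewall.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): an INPUT-chain SMTP policy for a
# Mailman/Postfix host that admits mail from a short list of relays while
# keeping Mailman's own delivery to 127.0.0.1:25 working, plus the
# alternative of a second, loopback-only Postfix listener and SMTPPORT.
# Relay addresses are from the thread; port 8025 and the other values are
# assumptions.

# Hosts allowed to hand mail to Postfix on port 25.
ALLOWED_RELAYS="192.168.1.245 192.168.1.246"

# Emit the rules in the order they must be loaded. The first rule is what the
# posted rule set lacked: without it, Mailman's connection from 127.0.0.1 to
# 127.0.0.1:25 arrives on lo, matches nothing, and hits the final REJECT,
# which is the "connection refused" Mailman logs to smtp-failure.
gen_iptables_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    for host in $ALLOWED_RELAYS; do
        echo "iptables -A INPUT -p tcp -s $host --dport 25 -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 25 -j REJECT"
}

# First-match evaluation of the rules above for one inbound port-25 SYN.
# Usage: simulate_policy <interface> <source-ip>  -> prints ACCEPT or REJECT
simulate_policy() {
    local iface="$1" src="$2"
    [ "$iface" = "lo" ] && { echo ACCEPT; return; }
    for host in $ALLOWED_RELAYS; do
        [ "$src" = "$host" ] && { echo ACCEPT; return; }
    done
    echo REJECT
}

# Alternative: Postfix listens for Mailman on a loopback-only private port,
# so the port-25 listener can be firewalled or removed from master.cf.
MAILMAN_SMTP_PORT=8025   # assumed unused port

gen_postfix_listener() {
    # master.cf service line: bound to 127.0.0.1 only, so no external host
    # can reach it regardless of what iptables does to port 25.
    echo "127.0.0.1:${MAILMAN_SMTP_PORT} inet n - n - - smtpd"
}

gen_mm_cfg() {
    # Lines to add to Mailman's mm_cfg.py so OutgoingRunner uses that port.
    echo "SMTPHOST = '127.0.0.1'"
    echo "SMTPPORT = ${MAILMAN_SMTP_PORT}"
}

# Stand-alone run: show the rules and what each kind of client would get.
echo "# iptables rules, in load order:"
gen_iptables_rules
echo "# Mailman via loopback:      $(simulate_policy lo 127.0.0.1)"
echo "# allowed relay .245:        $(simulate_policy eth0 192.168.1.245)"
echo "# arbitrary Internet host:   $(simulate_policy eth0 203.0.113.7)"
echo "# master.cf line:  $(gen_postfix_listener)"
echo "# mm_cfg.py lines:"
gen_mm_cfg
```

Rule order is the whole point: iptables stops at the first match, so the loopback accept must precede the REJECT, and `iptables -L INPUT -n --line-numbers` should show it at position 1 after loading. With the second approach the loopback accept is still harmless to keep, but the Mailman-to-Postfix path no longer depends on port 25 at all, which is what lets Postfix stop listening there entirely as Mark suggests.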
Re: [Mailman-Users] Mailman server consuming entire Internet pipe (dualT1)
Scott Race wrote:

> Haven't been able to figure out exactly what's up - but I do know if I set an iptables rule to block all inbound port 25 traffic, issues go away - so...

So, assuming you are also blocking port 25 connects from the local host via the loopback interface, you are blocking Mailman's connects to Postfix, thus preventing Mailman from connecting to Postfix and the resultant sending from Postfix of whatever Mailman is sending.

Take a look at Mailman's queues, particularly virgin, out and retry to see what's there. Use Mailman's bin/dumpdb to see an individual entry's message and metadata or bin/show_qfiles to see one or more entries' messages.

[...]

> At this point I can't tell if I have a Postfix problem or Mailman problem. Any ideas? Thanks!!

I suspect the actual network traffic is coming from Postfix sending the stuff that Mailman is delivering to it. The question is what is Mailman doing. Check the queues as above and also Mailman's smtp and perhaps other logs.

-- 
Mark Sapiro m...@msapiro.net          The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan