
Postfix connections overload

euphbasio

Basic Pleskian
Hello all,

One of our systems has just started to show thousands of the below in its maillog, and performance is severely affected. Load balance is high.

Can anyone help with suggested solutions?

Many thanks.


Oct 3 10:58:24 pluto postfix/smtpd[27231]: lost connection after UNKNOWN from unknown[118.97.95.73]
Oct 3 10:58:24 pluto postfix/smtpd[27231]: disconnect from unknown[118.97.95.73]
Oct 3 10:58:24 pluto postfix/smtpd[27234]: lost connection after UNKNOWN from TOROON63-1279387425.sdsl.bell.ca[76.65.231.33]
Oct 3 10:58:24 pluto postfix/smtpd[27234]: disconnect from TOROON63-1279387425.sdsl.bell.ca[76.65.231.33]
Oct 3 10:58:24 pluto postfix/smtpd[27493]: lost connection after UNKNOWN from unknown[114.143.108.231]
Oct 3 10:58:24 pluto postfix/smtpd[27493]: disconnect from unknown[114.143.108.231]
Oct 3 10:58:24 pluto postfix/smtpd[27616]: connect from unknown[37.254.224.200]
Oct 3 10:58:25 pluto postfix/smtpd[27203]: lost connection after UNKNOWN from unknown[41.218.9.216]
Oct 3 10:58:25 pluto postfix/smtpd[27203]: disconnect from unknown[41.218.9.216]
Oct 3 10:58:25 pluto postfix/smtpd[27145]: connect from unknown[46.210.173.16]
Oct 3 10:58:25 pluto postfix/smtpd[27493]: connect from unknown[197.243.40.102]
Oct 3 10:58:25 pluto postfix/smtpd[27133]: lost connection after UNKNOWN from unknown[41.223.40.124]
Oct 3 10:58:25 pluto postfix/smtpd[27133]: disconnect from unknown[41.223.40.124]
Oct 3 10:58:25 pluto postfix/smtpd[27600]: lost connection after UNKNOWN from unknown[95.7.219.177]
Oct 3 10:58:25 pluto postfix/smtpd[27600]: disconnect from unknown[95.7.219.177]
Oct 3 10:58:25 pluto postfix/smtpd[27632]: lost connection after UNKNOWN from unknown[111.68.32.149]
Oct 3 10:58:25 pluto postfix/smtpd[27632]: disconnect from unknown[111.68.32.149]
Oct 3 10:58:25 pluto postfix/smtpd[27204]: connect from 41.252.7.226.ADSL.ZS1.dynamic.ltt.ly[41.252.7.226]
Oct 3 10:58:25 pluto postfix/smtpd[27213]: lost connection after UNKNOWN from unknown[41.71.150.55]
Oct 3 10:58:25 pluto postfix/smtpd[27213]: disconnect from unknown[41.71.150.55]
Oct 3 10:58:25 pluto postfix/smtpd[27215]: lost connection after UNKNOWN from unknown[87.252.141.24]
Oct 3 10:58:25 pluto postfix/smtpd[27215]: disconnect from unknown[87.252.141.24]
Oct 3 10:58:25 pluto postfix/smtpd[27491]: lost connection after UNKNOWN from unknown[178.131.156.36]
Oct 3 10:58:25 pluto postfix/smtpd[27491]: disconnect from unknown[178.131.156.36]
Oct 3 10:58:25 pluto postfix/smtpd[27194]: lost connection after UNKNOWN from 239.106.94.80.static.monaco.mc[80.94.106.239]
Oct 3 10:58:25 pluto postfix/smtpd[27194]: disconnect from 239.106.94.80.static.monaco.mc[80.94.106.239]
Oct 3 10:58:26 pluto postfix/smtpd[27133]: connect from unknown[2.180.59.173]
Oct 3 10:58:26 pluto postfix/smtpd[27092]: lost connection after UNKNOWN from unknown[41.72.1.94]
Oct 3 10:58:26 pluto postfix/smtpd[27092]: disconnect from unknown[41.72.1.94]
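A quick way to get a per-client picture out of a maillog like the one above is to count, per peer IP, how many smtpd sessions were dropped before any SMTP command arrived (`lost connection after UNKNOWN`, where UNKNOWN is the last command smtpd saw, i.e. none) versus sessions that got further. This is an added example, not code from the original post or from Plesk; the log lines in it are constructed in the same format using documentation-range IPs, and the threshold and function names are my own choices.

```python
import re
from collections import Counter, defaultdict

# smtpd logs 'connect from', 'lost connection after <last command seen> from' and
# 'disconnect from'; the bracketed address is the peer IP, the name before it is only rDNS.
EVENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<event>connect|lost connection after (?P<stage>\S+)|disconnect)"
    r" from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]")

# Constructed sample in the thread's maillog format, using documentation-range IPs.
SAMPLE_LOG = """\
Oct 3 10:58:24 pluto postfix/smtpd[27231]: connect from unknown[192.0.2.10]
Oct 3 10:58:24 pluto postfix/smtpd[27231]: lost connection after UNKNOWN from unknown[192.0.2.10]
Oct 3 10:58:24 pluto postfix/smtpd[27231]: disconnect from unknown[192.0.2.10]
Oct 3 10:58:25 pluto postfix/smtpd[27234]: connect from unknown[192.0.2.10]
Oct 3 10:58:25 pluto postfix/smtpd[27234]: lost connection after UNKNOWN from unknown[192.0.2.10]
Oct 3 10:58:26 pluto postfix/smtpd[27600]: connect from mail.example.net[198.51.100.7]
Oct 3 10:58:27 pluto postfix/smtpd[27600]: lost connection after RCPT from mail.example.net[198.51.100.7]
Oct 3 10:58:28 pluto postfix/smtpd[27632]: connect from unknown[203.0.113.5]
Oct 3 10:58:28 pluto postfix/smtpd[27632]: lost connection after UNKNOWN from unknown[203.0.113.5]
"""

def parse_event(line):
    """Return (ip, kind, stage) for an smtpd connection line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("event").split()[0], m.group("stage")

def summarise(lines):
    """Per IP: connects, sessions dropped before any command, sessions dropped later."""
    stats = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, kind, stage = ev
        if kind == "connect":
            stats[ip]["connect"] += 1
        elif kind == "lost":
            stats[ip]["lost_before_command" if stage == "UNKNOWN" else "lost_later"] += 1
    return stats

def empty_session_sources(stats, min_sessions=2):
    """IPs for which no observed session got past the greeting (likely flood sources)."""
    flagged = []
    for ip, c in stats.items():
        completed = c["connect"] - c["lost_before_command"] - c["lost_later"]
        if c["lost_before_command"] >= min_sessions and completed <= 0:
            flagged.append(ip)
    return sorted(flagged)
```

Run it over the real file with `summarise(open("/var/log/maillog"))`; an IP is flagged only when none of its sessions completed, so a legitimate client that sometimes connects normally but is occasionally dropped (as reported later in this thread) is not listed.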
 
Hi,

Thanks, though I'm not sure that's the problem. True enough the RDNS wasn't up to date, but it is now and I'm still seeing hundreds of failed connections.

Could you give any other suggestions?

Thanks,
 
Hey,

Does anyone have any hints for this one? Users are having a lot of difficulty connecting to send mail and I'm not sure where to go from here.

Thanks,

Nick
 
Can anyone help? My email is not working :(

My parallels outgoing anti-spam says that it's had 40,000 clean emails from 127.0.0.1 which is odd.

I am using a relay host and these haven't actually been sent anywhere. The postqueue is also empty.

Confused about this.
 
Hi

I am currently receiving exactly the same. In my case it is a DoS attack and it looks like yours is the same. I am also getting a 'Keep Alive' DoS attack on one of the websites of the same domain which started at the same time - about 3 weeks ago! So you may want to check for that also?

I have used Fail2Ban/IPset to ban the IPs but after a week (with over 70,000 IPs banned and hardly slowed!) I realised that the overhead of banning, what are almost certainly spoof IP addresses, was higher than leaving them to it. Since then, it is still there, annoyingly, in the background but the server is stable and the attacks use very little resources. I keep a careful eye on it to see if they have changed tactics, but so far still the same. I know there is a 'Keep Alive' DoS attack package available for download (I have downloaded it and it is ridiculously easy to set up and attack a website! It is fully automated, so you just leave it to go.) so I assume there is probably a very similar thing for the SMTP attack :-(

Edit: On the subject of your Parallels Outgoing Anti-Spam - Have you checked that your licence is valid for this product? There have been a LOT of cases where people have the service listed as available to them, but when you start it, it runs OK for a while but then starts to give all sorts of problems (such as causing a MASSIVE CPU overhead on Postfix). Supposedly, these problems do not occur if the licence is valid, but I am not too sure about this. From what I can see, they have pulled sales of the product but I may be wrong on that.
 
Hi,

Thanks for your reply.

I've been digging around a bit on this and the level of traffic isn't THAT high and it suspiciously started at the same time as I am seeing sasl authentication problems from *some* email clients. I'm feeling that there is another issue at play.

I know that some of the dropped connections in my maillog (lost connection after UNKNOWN) are from customers' IPs, so it looks like they're being booted before the SMTP conversation can take place.

Interestingly, if I telnet to the mail server from my home connection, the first command e.g. ehlo test.com always gives a "502 5.5.2 Error: command not recognized", the second attempt everything works fine. If that is happening to some other clients, would that explain the dropped connections?

Saying that, I've used various email server test facilities and they generally work fine.

Any suggestions very much appreciated.

Ooh, my outbound anti spam license is valid, the numbers went haywire when the above issue started. A bit odd :s
 
So I paid for support for this. So far the technical guys have left 2 typos in config files and broken passwd.db.

I've figured out the problem as being Parallels Anti Spam blocking 127.0.0.1. Could do with some instruction on viewing blocked addresses and managing the block list (effectively).
 