
qmail spawns like mad

Discussion in 'Plesk for Linux - 8.x and Older' started by theladyboo, Jul 8, 2007.

  1. theladyboo

    theladyboo Guest

    0
     
    Hi guys,

    I have a 30 site hosted domain.

    When I turn off the domain and leave the others, everything is fine.

    When I leave the domain on and move the smtp port to something like 2525 the server doesn't crash, but I don't get any mail.

    When I put the domain on and turn the smtp port to 25 my qmail forks like crazy and eventually the machine runs out of memory.

    a netstat -tnap shows:
    tcp 0 0 MYIP:25 THEIR-IP Status (hundreds of these)

    my smtp_psa.log file looks like this:

    07/7/8@16:14:43: START: smtp pid=24230 from=213.85.112.218
    07/7/8@16:14:43: FAIL: smtp fork from=195.190.32.34
    07/7/8@16:14:43: FAIL: smtp fork from=62.231.123.131
    07/7/8@16:14:43: FAIL: smtp fork from=67.154.143.185
    07/7/8@16:14:43: FAIL: smtp fork from=205.179.97.3
    07/7/8@16:14:43: FAIL: smtp fork from=213.56.31.30
    07/7/8@16:14:43: FAIL: smtp fork from=193.194.138.76
    07/7/8@16:14:43: FAIL: smtp fork from=65.82.61.101

    I don't have any extra processes running on the server. The domain where this happens has fresh software on it and nothing is running from it just to it.

    Any ideas? I really need my email to work.

    The whole server has been backed up and restored twice and both times it was this domain--even without software--that killed it.

    Oh, I also turned the mail server off for the domain with the problem.

    Thanks,
    R
     
  2. theladyboo

    theladyboo Guest

    0
     
    I take it back. I just did a little bit of testing, as much as I could without having a major outage, and it does it with or without the one domain. In fact, I turned off the domains that are the major php script domains, killed all the qmail processes and started qmail, and the problem happened again. :-(
     
  3. theladyboo

    theladyboo Guest

    0
     
    Okay, so I guess my question is:

    Why when I change the port does it stop? Is somebody directly trying to spam through port 25? Shouldn't the server still work on 2525 and just send out through a different port?

    Most of all, how can I stop this madness? I want my mail server back.

    Thanks,
    R
     
  4. Server Surgeon

    Server Surgeon Guest

    0
     
    Your server is getting attacked. You should block the attacker at the firewall level. Assuming their IP is 1.2.3.4, run this command:

    iptables -I INPUT -p tcp --src 1.2.3.4 -j DROP

    Then run the following to save the firewall configuration:
    service iptables save

    Then, restart xinetd to close the attacker's existing connections:

    service xinetd restart

    If that gives an error about the xinetd service not being present, you're running inetd instead and should run:

    service inetd restart

    Within about 2 minutes, when running netstat, you'll see they have no more connections to your server.
     
  5. theladyboo

    theladyboo Guest

    0
     
    Hi Server Surgeon,

    Thanks for the response. I thought about that, but the IP addresses never repeat twice and they come in 10 to 20 per second. If they're spoofing the IP address somehow then I won't be able to tell what the real IPs are.

    I've tried so many things that I'm ready to outsource my mail to another mail server and point the DNS there if possible.

    I wanted to try and upgrade qmail to support a bunch of patches I found, but I have no clue if it will work on a Plesk system and my catalog data is much more important than getting my email working.

    Thanks!
    R
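    As an added example (not code from the thread, from Plesk or from qmail), a small Python analyser for the smtp_psa.log format quoted in the first post: it counts connection attempts and distinct source IPs per second, counts fork failures, and emits Server Surgeon's iptables DROP rule only for addresses that actually repeat, which is the caveat raised above when every hit comes from a fresh IP. The log lines and addresses are constructed; the threshold of 10 per second is an assumption taken from the rate described here.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the smtp_psa.log format quoted in the thread; addresses are
# from documentation ranges, not real attackers.
SAMPLE_LOG = """\
07/7/8@16:14:43: START: smtp pid=24230 from=198.51.100.7
07/7/8@16:14:43: FAIL: smtp fork from=198.51.100.8
07/7/8@16:14:43: FAIL: smtp fork from=198.51.100.9
07/7/8@16:14:43: FAIL: smtp fork from=198.51.100.10
07/7/8@16:14:44: START: smtp pid=24231 from=198.51.100.7
07/7/8@16:14:44: FAIL: smtp fork from=198.51.100.11
07/7/8@16:14:50: START: smtp pid=24240 from=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+@\d+:\d+:\d+): (?P<event>START|FAIL): smtp "
    r"(?:pid=\d+ |fork )from=(?P<ip>[\d.]+)$"
)

def parse_log(text):
    """Return (timestamp, event, ip) tuples; lines not in the known format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["event"], m["ip"]))
    return events

def per_second(events):
    """Map each timestamp to (connection attempts, distinct source IPs)."""
    attempts, ips = Counter(), defaultdict(set)
    for ts, _, ip in events:
        attempts[ts] += 1
        ips[ts].add(ip)
    return {ts: (attempts[ts], len(ips[ts])) for ts in attempts}

def flood_seconds(events, threshold=10):
    """Timestamps with at least `threshold` attempts (the thread reports 10 to 20 per second)."""
    return sorted(ts for ts, (n, _) in per_second(events).items() if n >= threshold)

def fork_failures(events):
    """Sessions qmail could not fork: the out-of-memory symptom described in the thread."""
    return sum(1 for _, ev, _ in events if ev == "FAIL")

def drop_rules(events, min_hits=2):
    """The per-IP iptables rule from the thread, emitted only for IPs seen `min_hits`+ times.
    Empty when every hit comes from a fresh address, which is what the reporter observed."""
    hits = Counter(ip for _, _, ip in events)
    return [f"iptables -I INPUT -p tcp --src {ip} -j DROP"
            for ip, n in sorted(hits.items()) if n >= min_hits]
```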
     
  6. Server Surgeon

    Server Surgeon Guest

    0
     
    I don't think any Plesk patching will help here. But there is a lot you can do before giving up.

    First, have you looked at /usr/local/psa/var/log/maillog and determined if the connections are hitting a certain domain? If so, disable mail for that domain.

    If the attack is not for a certain domain, but instead they are simply flooding your smtp by IP sending bogus smtp requests, you might be able to use an RBL which blocks open relays. (This assumes the attacker is not spoofing IPs but rather attacking through existing open relays). To try this fix, click on Server -> Mail and add/enable these RBLs:

    zen.spamhaus.org
    smtp.dnsbl.sorbs.net

    If that does not help, I doubt this will but it's worth a try. Install APF firewall and then install the antidos module for it.
     
  7. theladyboo

    theladyboo Guest

    0
     
    Thanks. I have to go find rblsmtpd now because it's not in /bin. :rolleyes: I always have roadblocks in what I try to do. It's dimmed in the server control panel and so I wanted to enable it through xinetd, but since it's not there it won't do any good. All the links on here to rblsmtpd are outdated and the one I found will not install.

    Don't these people have anything better to do like get lives instead of picking on real business people who are trying to build a company?

    Thanks for your help. I'll keep searching :)

    R
     
  8. Server Surgeon

    Server Surgeon Guest

    0
     
    The package you want is psa-qmail-rblsmtpd. You should go to Server -> Updater and then see if it is available. It might be named differently; just search for qmail updates.

    But I have bad news. I just checked about 4 of the IPs attacking you and only the first was listed in the RBLs I recommended. So it will not help much here. I wish I could help more.
     
  9. theladyboo

    theladyboo Guest

    0
     
    Thanks, I found it through the updater. I installed it and a few other things just for fun. So far so good, although something I installed messed with my xinetd info so I had to go redo some with my own preferences.

    Thanks for all the help xing my fingers :)
     