• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

qmail spawns like mad

T

theladyboo

Guest
Hi guys,

I have a 30 site hosted domain.

When I turn off the domain and leave the others, everything is fine.

When I leave the domain on and move the smtp port to something like 2525 the server doesn't crash, but I don't get any mail.

When I put the domain on and turn the smtp port to 25 my qmail forks like crazy and eventually the machine runs out of memory.

a netstat tnap shows:
tcp 0 0 MYIP:25 THEIR-IP Status (hundreds of these)

my smtp_psa.log file looks like this:

07/7/8@16:14:43: START: smtp pid=24230 from=213.85.112.218
07/7/8@16:14:43: FAIL: smtp fork from=195.190.32.34
07/7/8@16:14:43: FAIL: smtp fork from=62.231.123.131
07/7/8@16:14:43: FAIL: smtp fork from=67.154.143.185
07/7/8@16:14:43: FAIL: smtp fork from=205.179.97.3
07/7/8@16:14:43: FAIL: smtp fork from=213.56.31.30
07/7/8@16:14:43: FAIL: smtp fork from=193.194.138.76
07/7/8@16:14:43: FAIL: smtp fork from=65.82.61.101

I don't have any extra processes running on the server. The domain where this happens has fresh software on it and nothing is running from it just to it.

Any ideas? I really need my email to work.

The whole server has been backed up and restored twice and both times it was this domain--even without software--that killed it.

Oh, I also turned the mail server off for the domain with the problem.

Thanks,
R
 
I take it back. I just did a little bit of testing, as much as I could without having a major outage, and it does it with or without the one domain. In fact, I turned off the domains that are the major php script domains, kill all the qmail processes and started qmail and the problem happened again. :-(
 
Okay, so I guess my question is:

Why when I change the port does it stop? Is somebody directly trying to spam through port 25? Shouldn't the server still work on 2525 and just send out through a different port?

Most of all, how can I stop this madness? I want my mail server back.

Thanks,
R
 
Your server is getting attacked. You should block the attacker at the firewall level. Assuming their IP is 1.2.3.4, run this command:

iptables -I INPUT -p tcp --src 1.2.3.4 -j DROP

Then run the following to save the firewall configuration:
service iptables save

Then, restart xinetd to close the attackers existing connections:

service xinetd restart

If that gives an error about the xinetd service not being present, you're running inetd instead and should run:

service inetd restart

Within about 2 minutes when running netstat you'll see they have no more connections to your server.
 
Hi Server Surgeon,

Thanks for the response. I thought about that, but the IP addresses never repeat twice and they come in 10 to 20 per second. If they're spoofing the IP address somehow then I won't be able to tell what the real IPs are.

I've tried so many things that I'm ready to outsource my mail to another mail server and point the DNS there if possible.

I wanted to try and upgrade qmail to support a bunch of patches I found, but I have no clue if it will work on a Plesk system and my catalog data is much more important than getting my email working.

Thanks!
R
 
I don't think any Plesk patching will help here. But there is a lot you can do before giving up.

First, have you looked at /usr/local/psa/var/log/maillog and determined if the connections are hitting a certain domain? If so, disable mail for that domain.

If the attack is not for a certain domain, but instead they are simply flooding your smtp by IP sending bogus smtp requests, you might be able to use an RBL which blocks open relays. (This assumes the attacker is not spoofing IPs but rather attacking through existing open relays). To try this fix, click on Server -> Mail and add/enable these RBLS:

zen.spamhaus.org
smtp.dnsbl.sorbs.net

If that does not help, I doubt this will but it's worth a try. Install APF firewall and then install the antidos module for it.
 
Thanks. I have to go find rblsmtpd now because it's not in /bin. :rolleyes: I always have roadblocks in what I try to do. It's dimmed in the server control panel and so I wanted to enable it through xinetd, but since it's not there it won't do any good. All the links on here to rblsmtpd are outdated and the one I found will not install.

Don't these people have anything better to do like get lives instead of picking on real business people who are trying to build a company?

Thanks for your help. I'll keep searching :)

R
 
The package you want is psa-qmail-rblsmtpd. You should go to Server -> Updater and then see if it is available. It might be named different, just search for qmail updates.

But I have bad news. I just checked about 4 of the IPs attacking you and only the first was listed in the RBLs I recommended. So it will not help much here. I wish I could help more.
 
Thanks, I found it through the updater. I installed it and a few other things just for fun. So far so good, although something I installed messed with my xinetd info so I had to go redo some with my own preferences.

Thanks for all the help xing my fingers :)
 
You must log in or register to reply here.

Similar threads

Space Monkey
Resolved Issues updating mariaDB-Ubuntu 18.4
Replies
5
Views
3K
Space Monkey
Space Monkey
B
Resolved 503 error after changing php_handler_id for site
Replies
6
Views
2K
bbeckford
B
LinqLOL
Resolved DKIM fails on RHEL7
Replies
2
Views
609
LinqLOL
LinqLOL
L
Resolved Mails marked as Spam
Replies
6
Views
1K
tramvainqueur
tramvainqueur
tkalfaoglu
Issue System cannot fork?
Replies
8
Views
3K
ciB
C
Back
Top