The OpenNET Project / Index page

OpenNET Forums: Virtual Conference (Public)
Original message

"problem with sendmail"
Posted by Egor347 on 16-Jan-08, 15:05
Good afternoon, help me please
There is an external SMTP relay on FreeBSD & sendmail
Spammers open a pile of connections on port 25, and as a result the server eventually goes down with a page swap error
the ps -ax command shows
6359  ??  S      0:00.11 sendmail: server cpe-76-184-6-178.tx.res.rr.com [76.184.6.178] cmd read (sendmail)
6360  ??  S      0:00.10 sendmail: server c9529e3.cps.virtua.com.br [201.82.9.227] (may be forged) startup (sendmail)
6361  ??  S      0:00.10 sendmail: server r190-132-129-223.dialup.adsl.anteldata.net.uy [190.132.129.223] startup (sendmail)
6362  ??  R      0:00.11 sendmail: server catv-d5deac07.catv.broadband.hu [213.222.172.7] cmd read (sendmail)
6363  ??  S      0:00.10 sendmail: server 84.127.225.27.static.user.ono.com [84.127.225.27] cmd read (sendmail)
6364  ??  S      0:00.10 sendmail: server LAubervilliers-153-51-19-90.w193-253.abo.wanadoo.fr [193.253.190.90] cmd read (sendmail)
6365  ??  S      0:00.13 sendmail: server [85.132.42.84] startup (sendmail)
6368  ??  S      0:00.10 sendmail: server 193.subnet125-161-3.speedy.telkom.net.id [125.161.3.193] (may be forged) startup (sendma
6369  ??  S      0:00.10 sendmail: server adsl-dynamic-pool-xxx.hcm.fpt.vn [118.68.108.132] (may be forged) startup (sendmail)
6370  ??  S      0:00.05 sendmail: startup with 35.59.78.125.broad.qz.fj.dynamic.163data.com.cn (sendmail)
6371  ??  S      0:00.10 sendmail: server [85.103.175.116] startup (sendmail)
6372  ??  S      0:00.10 sendmail: server c9066a18.static.spo.virtua.com.br [201.6.106.24] startup (sendmail)
6373  ??  S      0:00.10 sendmail: server [41.249.44.58] startup (sendmail)
6374  ??  S      0:00.10 sendmail: server adsl-131.92.50.info.com.ph [203.131.92.50] (may be forged) startup (sendmail)
6375  ??  S      0:00.10 sendmail: server illchn-static-203.197.146.34.vsnl.net.in [203.197.146.34] (may be forged) startup (sendm
6376  ??  S      0:00.10 sendmail: server pool-71-126-18-60.bflony.east.verizon.net [71.126.18.60] startup (sendmail)
6377  ??  S      0:00.10 sendmail: server 82.252.104.77.coprosys.cz [77.104.252.82] (may be forged) startup (sendmail)
6378  ??  S      0:00.10 sendmail: server 18924027099.user.veloxzone.com.br [189.24.27.99] (may be forged) startup (sendmail)
6379  ??  S      0:00.10 sendmail: server N604P011.adsl.highway.telekom.at [62.47.19.107] startup (sendmail)
6380  ??  S      0:00.10 sendmail: server [195.131.193.232] startup (sendmail)
6381  ??  S      0:00.09 sendmail: server [193.213.80.103] startup (sendmail)
6382  ??  S      0:00.10 sendmail: server [189.43.102.162] startup (sendmail)
6383  ??  S      0:00.10 sendmail: server 201-74-150-92-sj.cpe.vivax.com.br [201.74.150.92] startup (sendmail)
6384  ??  S      0:00.10 sendmail: server [59.94.180.80] startup (sendmail)
6385  ??  S      0:00.10 sendmail: server ppp-58-10-12-141.revip2.asianet.co.th [58.10.12.141] startup (sendmail)
6386  ??  S      0:00.10 sendmail: server [59.96.177.135] startup (sendmail)
6387  ??  S      0:00.10 sendmail: server [61.60.219.76] startup (sendmail)
6388  ??  S      0:00.10 sendmail: server 220-137-136-45.dynamic.hinet.net [220.137.136.45] startup (sendmail)
6389  ??  S      0:00.09 sendmail: server [189.0.192.228] startup (sendmail)
6390  ??  S      0:00.10 sendmail: server N604P011.adsl.highway.telekom.at [62.47.19.107] startup (sendmail)
6391  ??  S      0:00.10 sendmail: server [117.20.222.131] startup (sendmail)
6392  ??  S      0:00.10 sendmail: server [211.247.97.219] startup (sendmail)
6393  ??  S      0:00.05 sendmail: startup with s203h82o2nst4.dyn.tyfon.se (sendmail)
6394  ??  S      0:00.10 sendmail: server cpe-76-170-215-113.socal.res.rr.com [76.170.215.113] startup (sendmail)
6395  ??  S      0:00.10 sendmail: server [59.96.177.135] startup (sendmail)
6396  ??  S      0:00.05 sendmail: startup with 166.118.93.125.broad.dg.gd.dynamic.163data.com.cn (sendmail)
6397  ??  S      0:00.10 sendmail: server 24.165.48.60.kmr03-home.tm.net.my [60.48.165.24] startup (sendmail)
6398  ??  S      0:00.10 sendmail: server pool-72-83-82-192.washdc.east.verizon.net [72.83.82.192] startup (sendmail)
6399  ??  S      0:00.09 sendmail: server [89.222.150.253] startup (sendmail)
6400  ??  S      0:00.10 sendmail: server [60.54.38.124] startup (sendmail)
6401  ??  S      0:00.05 sendmail: startup with 125-24-212-83.adsl.totbb.net (sendmail)
6402  ??  R      0:00.09 sendmail: server [218.49.226.232] startup (sendmail)
6403  ??  S      0:00.10 sendmail: server ppp91-122-12-161.pppoe.avangard-dsl.ru [91.122.12.161] startup (sendmail)
6404  ??  S      0:00.10 sendmail: server [189.43.102.162] startup (sendmail)
6405  ??  R      0:00.05 sendmail: startup with 87-205-230-98.adsl.inetia.pl (sendmail)
6406  ??  R      0:00.07 sendmail: startup with 193.subnet125-161-3.speedy.telkom.net.id (sendmail)
6407  ??  R      0:00.07 sendmail: startup with digitsystems-95.ip.PeterStar.net (sendmail)
6408  ??  R      0:00.04 sendmail: startup with [79.101.130.140] (sendmail)

And there are a great many of them

here is my mc file, maybe something else can be tuned here

divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
#       The Regents of the University of California.  All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#       This product includes software developed by the University of
#       California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

#
#  This is a generic configuration file for FreeBSD 5.X and later systems.
#  If you want to customize it, copy it to a name appropriate for your
#  environment and do the modifications there.
#
#  The best documentation for this .mc file is:
#  /usr/share/sendmail/cf/README or
#  /usr/src/contrib/sendmail/cf/README
#

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.30 2005/06/14 02:25:17 gshapiro Exp $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
#
VIRTUSER_DOMAIN_FILE(`/etc/mail/virtuserdomain')
FEATURE(domaintable, `hash -o /etc/mail/domaintable')
FEATURE(genericstable, `hash -o /etc/mail/genericstable')
FEATURE(masquerade_envelope)

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl       your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit
dnl http://directory.google.com/Top/Computers/Internet/Abuse/Spa.../

dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
dnl FEATURE(dnsbl)
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')

FEATURE(dnsbl, `bl.spamcop.net', `"550 Mail from " $&{client_addr} " rejected - see http://bl.spamcop.net"')
FEATURE(dnsbl, `cbl.abuseat.org', `"550 Mail from " $&{client_addr} " rejected - see http://cbl.abuseat.org"')
FEATURE(dnsbl, `dnsbl.njabl.org', `"550 Mail from " $&{client_addr} " rejected - see http://dnsbl.njabl.org"')
FEATURE(dnsbl, `dnsbl.sorbs.net', `"550 Mail from " $&{client_addr} " rejected - see http://dnsbl.sorbs.net"')
FEATURE(dnsbl, `list.dsbl.org', `"550 Mail from " $&{client_addr} " rejected - see http://list.dsbl.org"')
FEATURE(dnsbl, `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " rejected - see http://zen.spamhaus.org"')

dnl Dialup users should uncomment and define this appropriately
dnl define(`SMART_HOST', `your.isp.mail.server')

FEATURE(`delay_checks')
FEATURE(`greet_pause', `5000')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)


Thanks in advance for the help



1. "problem with sendmail"
Posted by idle (ok) on 16-Jan-08, 17:28
>Good afternoon, help me please
>There is an external SMTP relay on FreeBSD & sendmail
>Spammers open a pile of connections on port 25, and as a result the
>server eventually goes down with a page swap error

That should not happen.
How many connections are they opening?
>here is my mc file, maybe something else can be tuned here

Try tuning these:
# maximum number of children we allow at one time
#O MaxDaemonChildren=0
# maximum number of new connections per second
#O ConnectionRateThrottle=0

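Added example (not part of the thread): one way to answer "how many connections?" from the same `ps -ax` output, counting sendmail's per-connection children in total and per client address. The total is what MaxDaemonChildren caps; the per-address counts show whether a few hosts dominate. The sample lines are constructed in the format of the listing in the original post, using documentation-range addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise sendmail SMTP children from `ps -ax` output.

# Constructed sample in the format of the listing above (not real hosts).
sample_ps() {
cat <<'EOF'
 6359  ??  S      0:00.11 sendmail: server host-a.example.net [192.0.2.10] cmd read (sendmail)
 6360  ??  S      0:00.10 sendmail: server [192.0.2.10] startup (sendmail)
 6361  ??  S      0:00.10 sendmail: server host-b.example.org [198.51.100.7] (may be forged) startup (sendmail)
 6362  ??  S      0:00.05 sendmail: startup with host-c.example.com (sendmail)
 6363  ??  R      0:00.04 sendmail: startup with [203.0.113.5] (sendmail)
 6364  ??  S      0:00.10 sendmail: server [192.0.2.10] startup (sendmail)
  812  ??  Ss     0:01.20 sendmail: accepting connections (sendmail)
EOF
}

# Total number of per-connection children (the listener itself is skipped).
smtp_children_total() {
    awk '/sendmail: (server|startup with) / { c++ } END { print c + 0 }'
}

# "<count> <client-ip>" per client, busiest first. Children that show only
# a host name ("startup with host") are grouped under "(unresolved)".
smtp_children_by_ip() {
    awk '
        /sendmail: (server|startup with) / {
            if (match($0, /\[[0-9.]+\]/))
                ip = substr($0, RSTART + 1, RLENGTH - 2)
            else
                ip = "(unresolved)"
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Client addresses holding more than LIMIT children at once.
smtp_over_limit() {
    smtp_children_by_ip |
        awk -v lim="$1" '$1 > lim && $2 != "(unresolved)" { print $2 }'
}

# Demo on the constructed sample; on a live host use: ps -ax | smtp_children_by_ip
sample_ps | smtp_children_by_ip
```
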

2. "problem with sendmail"
Posted by Egor347 on 16-Jan-08, 17:36
>[overquoting removed]
>
>That should not happen.
>How many connections are they opening?
>>here is my mc file, maybe something else can be tuned here
>
>Try tuning these:
># maximum number of children we allow at one time
>#O MaxDaemonChildren=0
># maximum number of new connections per second
>#O ConnectionRateThrottle=0

At first I tried MaxDaemonChildren=100 (150) (200), but that did not help much: once the 100 (150) (200) threshold was reached, sendmail stopped opening the sessions we need, for example from the internal Exchange server.
I removed that parameter.

Then I set this:
define(`confCONNECTION_RATE_THROTTLE', `10')
Things got noticeably better.

Right now top reports load averages:  0.01,  0.03,  0.00
I won't tune anything else for now, I'll keep watching..

Thank you very much!!



3. "problem with sendmail"
Posted by idle (ok) on 16-Jan-08, 17:46
>At first I tried MaxDaemonChildren=100 (150) (200), but that did not help much: once the
>100 (150) (200) threshold was reached, sendmail stopped opening the sessions we need, for example
>from the internal Exchange server.
>I removed that parameter.

In that situation it is easier to block the bots at the firewall using the max src rate parameter.

>Then I set this:
>define(`confCONNECTION_RATE_THROTTLE', `10')
>Things got noticeably better.
>
>Right now top reports load averages:  0.01,  0.03,  0.00

There is an option for LA too:
# load average at which we delay connections; 0 means no limit
#O DelayLA=0


4. "problem with sendmail"
Posted by Medlar on 16-Jan-08, 17:48
You can also try
FEATURE(`ratecontrol') - limits the number of connections from one IP over a given time interval
FEATURE(`conncontrol') - limits simultaneous connections from one IP
and in access allow your own servers unlimited connections
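Added example (not part of the thread): both features read their limits from the access map as `ClientRate:` and `ClientConn:` entries, where a limit of 0 means unlimited and an entry with an empty address is the default for everyone else. The helper below generates those lines; the function names, the limits 10 and 5, and the address 192.0.2.25 standing in for an internal server are assumptions.

```shell
#!/bin/sh
# Added example: emit access-map entries for ratecontrol / conncontrol.

# Succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# access_limits RATE CONN [TRUSTED_IP...]
#   RATE  default connections per rate window for any one client address
#   CONN  default simultaneous connections for any one client address
#   TRUSTED_IP  own servers that get limit 0 (unlimited)
access_limits() {
    [ $# -ge 2 ] || { echo "usage: access_limits RATE CONN [IP...]" >&2; return 1; }
    rate=$1 conn=$2
    shift 2
    for v in "$rate" "$conn"; do
        case $v in
            ''|*[!0-9]*) echo "limit must be an integer: $v" >&2; return 1 ;;
        esac
    done
    # Validate everything first so a typo never yields a half-written map.
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        printf 'ClientRate:%s\t0\n' "$ip"
        printf 'ClientConn:%s\t0\n' "$ip"
    done
    # Empty address = default applied to all other clients.
    printf 'ClientRate:\t%s\n' "$rate"
    printf 'ClientConn:\t%s\n' "$conn"
}

# Demo with assumed values. Append the output to /etc/mail/access, then
# rebuild the map: makemap hash /etc/mail/access < /etc/mail/access
access_limits 10 5 192.0.2.25
```
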

5. "problem with sendmail"
Posted by universite (ok) on 17-Jan-08, 01:44
>You can also try
>FEATURE(`ratecontrol') - limits the number of connections from one IP over a given time interval
>
>FEATURE(`conncontrol') - limits simultaneous connections from one IP
>and in access allow your own servers unlimited connections

And also kill spamhaus and the other dead RBLs.


6. "problem with sendmail"
Posted by egor347 (??) on 18-Jan-08, 15:07
Anyway, I fought with them all day yesterday as well, and this is what I ended up with:
(the mc file)

It seems to work...

divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
#       The Regents of the University of California.  All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#       This product includes software developed by the University of
#       California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

#
#  This is a generic configuration file for FreeBSD 5.X and later systems.
#  If you want to customize it, copy it to a name appropriate for your
#  environment and do the modifications there.
#
#  The best documentation for this .mc file is:
#  /usr/share/sendmail/cf/README or
#  /usr/src/contrib/sendmail/cf/README
#

divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.30.2.2 2006/08/23 03:31:00 gshapiro Exp $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(badmx)
#
VIRTUSER_DOMAIN_FILE(`/etc/mail/virtuserdomain')
FEATURE(domaintable, `hash -o /etc/mail/domaintable')
FEATURE(genericstable, `hash -o /etc/mail/genericstable')
FEATURE(masquerade_envelope)
#
dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl       your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit
dnl http://directory.google.com/Top/Computers/Internet/Abuse/Spa.../

dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
dnl FEATURE(dnsbl)
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')
#
FEATURE(dnsbl, `bl.spamcop.net', `"550 Mail from " $&{client_addr} " rejected - see http://bl.spamcop.net"')
FEATURE(dnsbl, `cbl.abuseat.org', `"550 Mail from " $&{client_addr} " rejected - see http://cbl.abuseat.org"')
FEATURE(dnsbl, `dnsbl.njabl.org', `"550 Mail from " $&{client_addr} " rejected - see http://dnsbl.njabl.org"')
FEATURE(dnsbl, `dnsbl.sorbs.net', `"550 Mail from " $&{client_addr} " rejected - see http://dnsbl.sorbs.net"')
FEATURE(`dnsbl', `dul.ru')

FEATURE(`delay_checks')
FEATURE(`greet_pause', `5000')
FEATURE(`ratecontrol', `nodelay', `terminate')
#
dnl Dialup users should uncomment and define this appropriately
dnl define(`SMART_HOST', `your.isp.mail.server')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confCONNECTION_RATE_THROTTLE', `10')
define(`confMAX_RCPTS_PER_MESSAGE', `50')
define(`confMAX_MESSAGE_SIZE', `10485760')

define(`confTO_CONNECT', `30s')
define(`confTO_IDENT', `0')
define(`confTO_COMMAND', `30s')
define(`confTO_DATABLOCK', `2m')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)


Thanks a lot, everyone.

Created 1996-2024 by Maxim Chirkov