Read my message above.
Make sure that in the Exim Configuration Editor you have whitelisted the barracuda IP address(es) from rate limiting!
Mike
Been there done that -
now back to the original question
How can we make it so that exim does not take a dump when it has x amount of requests from the same ip.
We have 60 cpanel boxes 4 barracudas and 2 ironports w/ this issue
It might be working if you don't have the large level of email hitting -
when we test box to box - low #'s of email - works like a charm
Now for the box stats
Quad Xeon 3 GHz 8GB RAM
- hardly child's play machines
Did you do this? If you don't whitelist the Barracuda servers or if you don't disable ratelimiting completely, you're going to have the Cpanel server ratelimiting if you are sending a ton of mail to it from the same IP address - especially if some of the recipients are invalid recipients.
And I can guarantee that if you aren't manually adding the valid email addresses to the Barracuda and specifically telling the Barracuda to only scan for valid email accounts that you have added, then the Barracuda is going to be checking each of your Cpanel servers for the existence of plenty of nonexistent addresses - and the Cpanel servers are going to ratelimit.
Mike
yes - thanks mike for working through this -
each box is not ratelimiting - as we have whitelisted the barracudas and ironports
since we see it on both - tells me it's more than just ratelimit :-/
wondering if we can get exim to allow more than just x connections perhaps
we today have blocked over 1 million emails / spam and its only 2PM
busy little clusters -
I am willing to bet yours may show much less - so it might just be a deal of 2 many connections period -
thus back to the question - how can we raise the # of connections we allow from the barracuda to cpanel's exim.
I am convinced the issue is on the side of exim - not the barracuda - or ironport would be working
taking a shot in the dark here, might be looking for something like
smtp_accept_max
smtp_accept_max_per_host
within exim.conf via the advanced configuration editor menu
(NOTE: with all direct mods, i think the official tag line is "we totally don't formally support it, but here's how you do it anyway...")
I feel silly and paranoid giving that disclaimer, but it's a must I reckon.
I'll agree it's an issue on the side of the Cpanel, but I'm sure it's something that can be worked around.
- recipients_max - maximum # of recipients per message
- smtp_accept_max - maximum simultaneous incoming SMTP connections
- smtp_accept_max_per_connection - maximum messages per connection
- smtp_accept_max_per_host - maximum connections from a single host
- smtp_accept_queue - queue mail if more connections than this #
- smtp_accept_queue_per_connection - queue mail if more than # connections from specific host
I suspect you'll need to take a look at what your current values are for those and adjust some of those. One or more of those is going to be your fix.
I don't know what kind of pipelining is done between the boxes. Me thinketh the Cpanel logs are going to tell you when you are reaching a maximum limit - should be somewhere in your logs. I'd grep the exim_*log files for "maximum" to see if you get any useful messages indicating that some sort of maximum has been reached.
Mike
Last edited by mtindor; 09-08-2009 at 02:27 PM.
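An added example, not part of the original posts: a shell function that tallies Exim connection refusals in the main log by source IP and by the limit that fired, which is the log check suggested above in more targeted form. It assumes the daemon logs refusals as "Connection from [IP] refused: too many connections" (smtp_accept_max) and "... too many connections from that IP address" (smtp_accept_max_per_host); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count Exim connection refusals
# per source IP and per limit, busiest first.
# Assumed main-log message texts:
#   "refused: too many connections"                      -> smtp_accept_max
#   "refused: too many connections from that IP address" -> smtp_accept_max_per_host

exim_refusals() {
    # Reads log lines on stdin; prints "count limit ip".
    awk '
    /refused: too many connections/ {
        limit = "smtp_accept_max"
        if ($0 ~ /too many connections from that IP address/)
            limit = "smtp_accept_max_per_host"
        # Peer address is the [bracketed] token after "Connection from".
        # "Connection from [" is 17 characters long; the closing "]" is 1.
        if (match($0, /Connection from \[[^]]+\]/)) {
            ip = substr($0, RSTART + 17, RLENGTH - 18)
            n[limit " " ip]++
        }
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,3
}

# Constructed sample lines (documentation IP range), not real log data.
sample_log() {
cat <<'EOF'
2009-09-08 14:01:02 Connection from [192.0.2.10] refused: too many connections from that IP address
2009-09-08 14:01:02 Connection from [192.0.2.10] refused: too many connections from that IP address
2009-09-08 14:01:03 Connection from [192.0.2.11] refused: too many connections
2009-09-08 14:01:04 1MlABC-0001xy-2Z <= user@example.com H=(mx) [192.0.2.10] P=esmtp S=1234
EOF
}

# Demo on the sample; on a server: cat exim_*log | exim_refusals
sample_log | exim_refusals
```

If the filtering appliances' addresses dominate the smtp_accept_max_per_host rows, that limit is the one to raise or exempt for them; rows under smtp_accept_max point at the global connection cap instead.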
Now with regards to OpenLDAP integration, someone higher on the food chain would have to be consulted for a more formal/extensive response. What I can say having worked a bit with OpenLDAP implementation, supporting this would be beyond non-trivial. Not to say its inclusion doesn't have its merits, but the utility to cPanel/WHM itself...minimal ROI.
The one thing you *could* do if you fancy yourself comfortable enough, last I looked there were a number of scripts for OpenLDAP migration that take /etc/passwd and /etc/shadow, and generate an LDIF from it. A bit of elbow grease and time spent, seems a plausible modification to those scripts - I personally don't have time to do it, and I have zero coding talent so wouldn't trust it anyway.
Not the nice clean LDAP integration you're looking for, and indeed it still leaves you with no better solution than 'hey, just write a script!', but at least some of the leg work has been done already.
thanks - those are exactly what I was looking for.
In short - i know it's a wall we were hitting - max connections
Something tells me most of the smaller folks are not doing anything even close to the # of emails we are across the network -
most have 1 or 2 boxes - nowhere even close to what we do...
wondering - if we did fly it up the flagpole - who is best to ask -
i think a bounty to support might be worth it ... i agree for the smaller folks - not much roi
i will see if someone on our side can look @ your suggestion
No idea with regards to typical throughput. Seeing ~1 million filtered is about par for around a 5,000 user shop.
If you can set your filtering appliance to reject upon initial connect rather than waiting for RCPT, this will alleviate a large portion of it (though, users are more likely to complain since e-mail addresses can't be whitelisted).
Think along the lines of smtpd_delay_reject = no within Postfix.
hrmm...seems the scripts aren't bundled with openldap - it's been a good long while since I've done this.
Found em here - http://www.padl.com/download/MigrationTools.tgz
whole laundry list of stuff for your bored coder to hack to pieces
The one to get hackin' on would be migrate_passwd.pl
Code:
gentoob0x MigrationTools-47 # ls -alh |grep x
drwxr-xr-x 3 700 root 1.5K Jun 13 18:06 .
drwxr-xr-x 3 root root 88 Jun 12 19:57 ..
-rw-r--r-- 1 700 root 216 Jan 24 2006 CVSVersionInfo.txt
drwxr-xr-x 2 700 root 296 Jan 24 2006 ads
-rwxr-xr-x 1 root root 125 Jun 13 18:03 fixslap.sh
-rwxr-xr-x 1 700 root 2.6K Jan 24 2006 migrate_aliases.pl
-rwxr-xr-x 1 700 root 2.8K Jan 24 2006 migrate_all_netinfo_offline.sh
-rwxr-xr-x 1 700 root 2.8K Jan 24 2006 migrate_all_netinfo_online.sh
-rwxr-xr-x 1 700 root 4.8K Jan 24 2006 migrate_all_offline.sh
-rwxr-xr-x 1 700 root 6.3K Jan 24 2006 migrate_all_online.sh
-rwxr-xr-x 1 700 root 2.7K Jan 24 2006 migrate_base.pl
-rwxr-xr-x 1 700 root 2.9K Jan 24 2006 migrate_fstab.pl
-rwxr-xr-x 1 700 root 2.7K Jan 24 2006 migrate_group.pl
-rwxr-xr-x 1 700 root 2.7K Jan 24 2006 migrate_hosts.pl
-rwxr-xr-x 1 700 root 3.8K Jan 24 2006 migrate_netgroup.pl
-rwxr-xr-x 1 700 root 2.8K Jan 24 2006 migrate_netgroup_byhost.pl
-rwxr-xr-x 1 700 root 2.8K Jan 24 2006 migrate_netgroup_byuser.pl
-rwxr-xr-x 1 700 root 2.8K Jan 24 2006 migrate_networks.pl
-rwxr-xr-x 1 700 root 5.5K Jan 24 2006 migrate_passwd.pl
-rwxr-xr-x 1 700 root 2.4K Jan 24 2006 migrate_profile.pl
-rwxr-xr-x 1 700 root 2.8K Jan 24 2006 migrate_protocols.pl
-rwxr-xr-x 1 700 root 2.7K Jan 24 2006 migrate_rpc.pl
-rwxr-xr-x 1 700 root 9.8K Jan 24 2006 migrate_services.pl
-rwxr-xr-x 1 700 root 3.4K Jan 24 2006 migrate_slapd_conf.pl
From there, washin' my hands of it, and if it breaks I didn't do it!
Last edited by cpanelchrish; 09-08-2009 at 03:50 PM.