exim "too many connections" ..how to block in iptables?

[firebit]

lately i'm getting way too many errors like these on my exim_mainlog:

2006-04-25 06:31:03 Connection from [82.253.87.242] refused: too many connections
2006-04-25 06:31:03 Connection from [151.38.243.112] refused: too many connections
2006-04-25 06:31:05 Connection from [81.44.111.148] refused: too many connections
2006-04-25 06:31:06 Connection from [201.254.157.130] refused: too many connections
2006-04-25 06:31:08 Connection from [165.165.237.38] refused: too many connections
2006-04-25 06:31:08 Connection from [217.132.36.246] refused: too many connections

is there any way to automatically block these through iptables? or is there any script available?

[WebViper]

I spoke with BobCares and they said that their is no way a kernel upgrade would solve this issue. If any other people resolved this issue with a kernel upgrade please post it!

Again If any other people resolved this issue with a kernel upgrade please post it!



The stuff Nick and cpanel did did not resolve our issue as we thought!

[ivankovalenko]

Guys, the lines mentioned above are that exim cant accept connections from hosts in square brackets becouse of it has already reahed smtp_max_connect. It's not nessesary that those hosts are evil. Maybe some other ip has smtp'ed your exim up. So you'd better check smtp_accept_max_per_host setting - limit incoming smtp connection from host.

Also you should use your iptables filter at full. Check SYN incoming packets on 25 port and limit it to some reasonable value (man iptables). And so on...

[chirpy]

Indeed. I'm not sure if the second poster is in the wrong thread, since this has nothing to do with the kernel. Your exim connections are being flooded and you need to curtail them as ivankovalenko suggests, or have a trawl over at www.exim.org. Also, make sure that you're not using any exim ACL's that use the delay command which can also make this happen.

[serversphere]

I believe Brute Force Detector (BFD) scans port 25 connections now and will block accordingly. Have a look here and see if you can install it (and APF too if feasable).

[IPSecureNetwork]

uhmm maybe you are unde some kind of attack whit botnet against the port 25..
if you use apf and you not have customers whit ehe CDIR conected to the port 25 .. just block them whit apf -d 151.0.0.0/8 for example or if you want to be a little more specific make thic kind of ban . apf -d 151.38.0.0/8