exim connections

Discussion in 'General Discussion' started by sparek-3, Jul 12, 2005.

  1. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,384
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    We are having a problem with one of our servers involving SMTP connections. The server seems to be getting a lot of SMTP connections, but it does nothing with the connection. This was causing SMTP connections to be rejected because the maximum number of SMTP connections was being used. I raised the limit to 500 and added a connection timeout to the exim.conf file:

    smtp_accept_max = 500
    smtp_receive_timeout = 10s


    However we are still experiencing problems. The exim_mainlog file will show:

    2005-07-12 09:42:09 SMTP connection from [xx.xx.xx.xx]:57062 I=[aa.aa.aa.aa]:25 (TCP/IP connection count = 398)

    When I search through the exim_mainlogs I don't see where xx.xx.xx.xx ever closes the connection. It's like it is just sitting there doing nothing. Shouldn't it be timing out if it idles for 10 seconds?

    I further found the process ID of the exim child referring to this connection:

    lsof -n -i :25 | grep xx.xx.xx.xx

    This gives a process ID, I then do an strace on this ID:

    Process 12547 attached - interrupt to quit
    read(8,


    and it just sits there. Shouldn't these connections be timing out? How can I prevent these connections from piling up? The xx.xx.xx.xx in the above example is just one IP I see in the logs. There is nothing to indicate that it is one IP or one set of IPs over and over again. Exim configuration isn't really my strong suit, any help you can offer would be greatly appreciated.

    Thanks
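
The check described in the post above (an accepted connection with no later closing entry in exim_mainlog), as an added example that is not part of the original thread: it pairs each accepted-connection line with a later end-of-connection line by remote IP and port and reports what is left over, grouped by IP. The sample log lines are constructed, and the wording matched for end-of-connection lines (closed by QUIT, command timeout, unexpected disconnection, lost) is an assumption about what the local Exim build logs.

```python
import re
from collections import Counter

# Constructed sample lines in exim_mainlog style (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2005-07-12 09:42:09 SMTP connection from [192.0.2.10]:57062 I=[198.51.100.5]:25 (TCP/IP connection count = 398)
2005-07-12 09:42:10 SMTP connection from [192.0.2.11]:40111 I=[198.51.100.5]:25 (TCP/IP connection count = 399)
2005-07-12 09:42:12 SMTP connection from [192.0.2.11]:40111 I=[198.51.100.5]:25 closed by QUIT
2005-07-12 09:42:15 SMTP connection from [192.0.2.10]:57100 I=[198.51.100.5]:25 (TCP/IP connection count = 399)
2005-07-12 09:42:30 SMTP command timeout on connection from [192.0.2.12]:33000 I=[198.51.100.5]:25
2005-07-12 09:42:31 SMTP connection from [203.0.113.7]:2525 I=[198.51.100.5]:25 (TCP/IP connection count = 400)
2005-07-12 09:42:40 unexpected disconnection while reading SMTP command from [203.0.113.7]:2525 I=[198.51.100.5]:25
"""

# Remote peer as "[ip]:port" followed by the local interface field "I=[...]".
PEER = re.compile(r"\[([0-9A-Fa-f.:]+)\]:(\d+) I=\[")
# An accepted connection is logged with the running connection count.
OPENED = re.compile(r"\(TCP/IP connection count = \d+\)")
# Assumed wording of lines that mark the end of a connection.
ENDED = re.compile(r"closed by|timeout|unexpected disconnection|\blost\b")

def open_connections(log_text):
    """Return {(ip, port): open_timestamp} for connections never seen ending."""
    pending = {}
    for line in log_text.splitlines():
        peer = PEER.search(line)
        if not peer:
            continue
        key = (peer.group(1), int(peer.group(2)))
        if OPENED.search(line):
            pending[key] = line[:19]      # "YYYY-MM-DD HH:MM:SS"
        elif ENDED.search(line):
            # The open may predate the log window, so a missing key is fine.
            pending.pop(key, None)
    return pending

def per_ip(pending):
    """Count still-open connections per remote IP."""
    return Counter(ip for ip, _port in pending)

if __name__ == "__main__":
    still_open = open_connections(SAMPLE_LOG)
    for (ip, port), opened in sorted(still_open.items()):
        print(f"{opened} {ip}:{port} no end-of-connection line")
    print(per_ip(still_open).most_common(5))
```

A flat per-IP count with many distinct addresses matches what the post reports (no single IP repeating), which points away from one abusive client and toward something local holding each session open.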
     
  2. sparek-3

    Just an update, I was running Exim 4.50 on the server. I have since upgraded to Exim 4.51 through /scripts/eximup. I'm not sure if that will make any difference. The connections do not seem to be piling up, but they would reset when running 4.50 whenever I restarted exim and they would do fine until they reach some type of limit. I would only start noticing the connections once they reached 300 or so.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Have you added any other modifications to exim.conf? This type of problem can happen rapidly if you use any ACL modifications that teergrub (tarpit) connections using the delay directive.
     
  4. sparek-3

    Hi Chirpy

    Just so you know the exim 4.51 didn't seem to help. I was just watching the server and the connections were again piling up.

    I have clamav/exiscan added to the exim.conf. I also have your dictionary attack added. These were the only things that were added when I first started noticing the problem. I added the forged HELO/EHLO that is detailed at http://www.rvskin.com/index.php?page=public/antispam#4.3 to see if that would help. It does not appear to be helping, but I have left it there.

    I'm not familiar with teergrubing. I did some quick searches and it seems to involve delaying mail responses. None of the ACL modifications I have pertain to this, do they?

    Again, thanks for any help you can offer.
     
  5. chirpy

    They do apply if you are using the delay = Xs commands which I would recommend that you remove.
     
  6. sparek-3

    Thanks.

    There were some 3 second delays in the HELO/EHLO forgery ACL. I have commented those out, and I will see how things go from there.
     
  7. sparek-3

    Even with the delays commented out, I am still seeing the connection count increasing. Any other ideas? Anybody else have any suggestions?
     
  8. Higgins

    Higgins Well-Known Member

    Joined:
    Jan 31, 2003
    Messages:
    82
    Likes Received:
    0
    Trophy Points:
    6
    I'm having exactly the same problem since today. Looks like a type of DoS attack over the Exim server. Any suggestions?
     
  9. sparek-3

    I never could figure it out, so as a last ditch effort I tried resetting exim to its defaults with:

    /scripts/reseteximtodefaults

    and so far I haven't noticed any more problems. This will remove any changes you have made to your exim installation though.

    I have left it running this way for a couple of days to make sure there aren't any more problems. I need to add exiscan and the dictionary attack ACL back to the configuration, but I haven't done that yet. I am planning on installing them one at a time, and leaving it set up that way for a couple of days to see if I can determine if either of those causes the problem. I have the same setup on numerous other servers and have not had any of these problems.

    You can try resetting exim to default and see if that helps you; it may have just been a coincidence with my case.
     