[Mimedefang] Process limits and loads

listuser at numbnuts.net
Wed Apr 30 16:24:12 EDT 2003


On Wed, 30 Apr 2003, David F. Skoll wrote:

> On Wed, 30 Apr 2003 listuser at numbnuts.net wrote:
> 
> > Now I know these are temp errors and that delivery will be attempted many
> > more times.  It's about a 50/50 split between errors for Sendmail and
> > errors for sm-msp-queue.  I believe the problem is that I have more
> > Sendmail processes than MIMEDefang processes.
> 
> That's OK, because a given MIMEDefang process isn't kept busy for the
> whole duration of an SMTP transaction.  The MIMEDefang slaves are used
> in short bursts after MAIL FROM:, RCPT TO: and the end of DATA.
> 
> > define(`confMAX_DAEMON_CHILDREN',`60')
> 
> I would not limit MAX_DAEMON_CHILDREN at all.  It opens you up to a
> DoS attack -- someone just needs to open 60 SMTP connections to your
> machine and then do nothing.
> 
> It's better to let the OS limit the children naturally by running out
> of resources.

I've unfortunately been on the receiving end of not a DoS attack but a
spam attack.  One of our lovely friends from Florida didn't do a very good
job of mixing his mailing lists up to lessen the load on the recipients.
I.e., we were on the receiving end of thousands of connections over a
multi-hour stretch.  Besides legit mail not getting through, the users
weren't even able to POP their mail out.  The machine was spiraling to an
ugly death when I caught it.  I managed to get his provider to boot him
because of it, but it's a whack-a-mole solution.  I'd rather limit the total
number of connections and be vulnerable to a simple open-connection attack
than let it get pounded uncontrollably until it breaks. :(

> > I just increased MX_MAXIMUM to 15 from 10 this morning.  Checking the logs
> > I see that it has actually helped.
> 
> That's good.  With 1GB of RAM, my rule of thumb of 16MB/slave says you
> can make MX_MAXIMUM as high as 64.  I would do that, and then keep
> an eye on the highest number of slaves that actually get used.

I'll probably play with the number some more and see if I can find a
middle ground.  Thanks for the info.

Justin



