Re: [Mimedefang] SMTP error return after DATA?

Martin Bene martin.bene at icomedias.com
Fri May 9 10:01:02 EDT 2003


Hi Michael,

> The only problem with that is my server goes to its knees
> about once a day when it gets flooded with a large number of
> connections at once.
>Let's also assume that he's opening ~50-100 concurrent
>connections at a time (which I've also seen). 

> I guess my problem is that all of my internal users use the primary
> exchanger as their SMTP relay, but that's the way it's been for years, and
> changing this means reconfiguring 1000+ desktops.

Yes, that would have been the obvious answer - have an INTERNAL relay machine
for the local users so they don't notice when the external server gets
overloaded. Might be possible to change this without touching the clients;
can you make the DNS server the clients use answer with the (new) address of
an internal relay server?

> If anyone has any other suggestions other than hardware upgrades I'd love
> to hear them...

I've run into exactly the same problem; it's especially bad if you've got a
server that accepts mail for lots of domains (~550 in my case): Some MTAs
(*cough* exchange *cough*) don't realize that those domains all use the same
mx and can/should therefore be sent serialized in a single connection but
instead try to send them in parallel using hundreds of concurrent
connections.

However, I've found quite an efficient fix for this problem using iptables on
Linux: the "iplimit" iptables module allows you to restrict the number of
concurrent connections to a service on a per-host basis; I've set this to
<=10, so each remote system can establish at most 10 concurrent
connections; further connection requests are firewalled.

snippet from the firewall script:
---------------------------------

iptables=/usr/local/sbin/iptables

# create the chain used below (it has to exist before rules are added to it)
$iptables -N log_reject

# log packet (rate limited) and reject it
$iptables -A log_reject -m limit --limit 5/m -j LOG
$iptables -A log_reject -j REJECT

# input
# Limit new smtp connections to 10 per host - this should take care of stupid
# exchange servers trying to open hundreds of concurrent smtp sessions when
# sending mail to several domains at once.
$iptables -A INPUT -p tcp --syn --dport smtp -m iplimit --iplimit-above 10 \
    -j log_reject

I've been using this in production for ~6 months now - works like a charm and
reliably keeps server load at a reasonable level without limiting normal
operations.

Bye, Martin
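The same per-host cap, as an added example that is not part of Martin's post or of his firewall script: it is written for a current iptables, where the iplimit match has been replaced by connlimit (the option names differ, the idea of counting parallel connections per source address is the same). The IPTABLES variable, the chain name smtp_limit, the log prefix and the SMTP_LIMIT_EXEMPT network are my own assumptions; setting IPTABLES=echo prints the commands instead of applying them, which is also how the dry-run mode below works.

```shell
#!/bin/sh
# Added example (not the original poster's script): cap the number of
# parallel SMTP connections per source address with the connlimit match,
# the successor of the iplimit match used in the post above.
# Assumed names: IPTABLES (set it to "echo" to print instead of apply),
# the chain smtp_limit, the log prefix, and SMTP_LIMIT_EXEMPT.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="smtp_limit"
# Source network allowed to exceed the cap (e.g. the internal relay or the
# NAT address the desktops come from); empty means no exemption.
SMTP_LIMIT_EXEMPT="${SMTP_LIMIT_EXEMPT:-}"

# apply_smtp_limit LIMIT
# Installs (or re-installs, idempotently) a cap of LIMIT parallel SMTP
# connections per source /32.  Every command goes through $IPTABLES.
apply_smtp_limit() {
    limit="$1"

    # Dedicated chain so the rules can be rebuilt without touching the rest
    # of INPUT: create it, or flush it if it already exists.
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"

    # Exempt sources return to INPUT and are handled by the normal rules.
    if [ -n "$SMTP_LIMIT_EXEMPT" ]; then
        $IPTABLES -A "$CHAIN" -s "$SMTP_LIMIT_EXEMPT" -j RETURN
    fi

    # Log at most 5 lines a minute so a flood cannot fill the log, then
    # answer with a TCP RST: the sender sees "connection refused" at once
    # and requeues, instead of hanging until a timeout as it would on DROP.
    # (-p tcp is required by the kernel for --reject-with tcp-reset.)
    $IPTABLES -A "$CHAIN" -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "SMTP-CONNLIMIT: "
    $IPTABLES -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset

    # Only the SYN of a new connection is evaluated; connlimit counts the
    # connections conntrack still holds from the same /32 source address
    # (--connlimit-mask 24 would treat a whole /24 as one sender).
    rule="-p tcp --syn --dport 25 -m connlimit --connlimit-above $limit --connlimit-mask 32 -j $CHAIN"
    # Remove a previous copy (ignore failure if there is none), then insert
    # at the top of INPUT so it runs before any blanket ACCEPT for port 25.
    $IPTABLES -D INPUT $rule 2>/dev/null || true
    $IPTABLES -I INPUT $rule
}

case "${1:-}" in
    apply)   apply_smtp_limit "${2:-10}" ;;
    dry-run) IPTABLES=echo; apply_smtp_limit "${2:-10}" ;;
    "")      ;;   # sourced or run without arguments: only define the function
    *)       echo "usage: $0 apply|dry-run [limit]" >&2; exit 2 ;;
esac
```

Run it as `sh smtp-limit.sh dry-run 10` to see the five iptables commands it would issue, and as root with `apply 10` to install them. Two points worth checking on a box like Michael's, where the internal desktops relay through the same host: clients that reach the server through a NAT gateway share one source address and would collectively hit the cap, so put that address or the internal network in SMTP_LIMIT_EXEMPT; and the REJECT here deliberately uses tcp-reset instead of the default ICMP port-unreachable of Martin's snippet, so a well-behaved MTA treats the excess connection as refused and retries the message later rather than reporting a delivery error.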



