[Mimedefang] nasty multiplexor death
David F. Skoll
dfs at roaringpenguin.com
Tue Apr 27 15:32:18 EDT 2004
On Tue, 27 Apr 2004, Adam Lanier wrote:
> Apr 27 13:47:31 krusty mimedefang[27573]: mfconnect: Error
> communicating with multiplexor
Does the multiplexor process actually die?
> Looks like what happens is I get bombarded by a huge amount of
> simultaneous connections at once, the multiplexor maxes out processes
> and queueing, the queued messages start timing out and the multiplexor
> starts generating these types of errors:
> Apr 27 03:52:10 krusty sendmail[11446]: i3R5p4v0011446: Milter
> (mimedefang): to error state
That's actually a Sendmail error.
> define(`confQUEUE_LA', `12')dnl
> define(`confREFUSE_LA', `18')dnl
QUEUE_LA does much more damage than anything else; raise it to 5000.
(i.e., you *never* want to just queue because of a high load average.)
REFUSE_LA of 18 is too low for Linux; raise it to 50 or so.
> define(`confCONNECTION_RATE_THROTTLE', `3')dnl
That's OK.
> define(`confMAX_DAEMON_CHILDREN', `24')dnl
That's probably too aggressive; raise it to around 100 - 150.
> Has anyone else seen this type of behavior and are my settings in
> order? I'm thinking I might tweak the queue_la/refuse_la settings
> down a bit.
Is /var/spool/MIMEDefang on a RAM disk?
> One final thing, I have been playing with a script that uses the
> MX_NOTIFIER feature, assuming that I would see these errors in the
> output from the multiplexor and thus be able to programmatically react
> to them but I see no such output. Should I be seeing this type of
> output and, if so, what would it look like?
The NOTIFIER feature is used for something completely different; see
the mimedefang-notify(7) man page. That man page has a sample Perl
script with Linux firewall rules that reject SYN packets on port 25
when there are no free slaves, and accepts them when there is a free slave
again. That might help your server withstand an attack.
Regards,
David.
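
An added example, not part of the original message or of MIMEDefang or Sendmail: a small check that reads the numeric `conf*` defines from a sendmail.mc file and reports the load-related options that sit below the values advised in the reply above. The function names and the sample text are assumptions of this example; the sample reuses the four settings quoted in the thread.

```python
import re

# Matches m4 lines such as: define(`confQUEUE_LA', `12')dnl
DEFINE_RE = re.compile(r"define\(`(conf[A-Z_]+)',\s*`(\d+)'\)")

# Minimums taken from the reply above; for MAX_DAEMON_CHILDREN this is the
# low end of the advised "100 - 150" range. CONNECTION_RATE_THROTTLE is not
# listed because the reply accepts the posted value as is.
ADVISED_MIN = {
    "confQUEUE_LA": 5000,
    "confREFUSE_LA": 50,
    "confMAX_DAEMON_CHILDREN": 100,
}

# Constructed sample input: the settings quoted in the thread, plus one
# commented-out line to show that dnl comments are skipped.
SAMPLE_MC = """\
dnl define(`confQUEUE_LA', `9000')dnl
define(`confQUEUE_LA', `12')dnl
define(`confREFUSE_LA', `18')dnl
define(`confCONNECTION_RATE_THROTTLE', `3')dnl
define(`confMAX_DAEMON_CHILDREN', `24')dnl
"""

def parse_defines(mc_text):
    """Return {option: int} for numeric conf* defines in sendmail.mc text."""
    values = {}
    for line in mc_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("dnl"):
            continue  # whole line is an m4 comment
        for name, val in DEFINE_RE.findall(stripped):
            values[name] = int(val)  # a later define overrides an earlier one
    return values

def review(mc_text):
    """Return [(option, current, advised_minimum)] for options set too low.

    Options that are not defined in the file are not judged.
    """
    values = parse_defines(mc_text)
    return [(name, values[name], minimum)
            for name, minimum in ADVISED_MIN.items()
            if name in values and values[name] < minimum]

if __name__ == "__main__":
    for name, current, minimum in review(SAMPLE_MC):
        print(f"{name}: {current} is below the advised {minimum}")
```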