SMTP Issues?

Discussions on webmail and the Professional version.
orge
Posts: 10
Joined: Wed Mar 29, 2006 9:41 am

SMTP Issues?

Post by orge »

Hi,

I'm having problems with the SMTP relaying for both incoming and outgoing mail. The errors are somewhat erratic, timeouts/delivery failures/lost connections etc. I've noticed that there has been an increase in the volume of attempted relays for spam and it's my gut feeling that this may be causing denial of service - it doesn't appear that the relays are successful, but the number of connections is very high.

I normally have an Astaro mail proxy between the server and internet, but that's currently out of service. I intend to get it back up and running, as this will almost certainly solve the issues with outgoing mail. However, is there anything else I can do to improve the situation?

Thanks in advance for your help,

James

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

The service should be able to cope with the connections without issue. The only thing that will happen if the service meets its limit is a returned temporary error to the client. But as you have not mentioned this, it would appear the high volume of connections is not the issue here.

For the errors it is best to concentrate on one error and find out why this is happening. Start with the error that is happening the most.
Regards,

Product Services
MailEnable Pty Ltd

To keep track of all ME company updates and version releases you should subscribe to the MailEnable list at http://www.mailenable.com or the RSS feed http://www.mailenable.com/rss.

bozak
Posts: 50
Joined: Fri Jun 20, 2003 9:36 pm

SMTP issues

Post by bozak »

I am also having SMTP issues. SMTP server will not send messages, and the logs look like someone is spoofing my IP(?) and just flooding the SMTP with spam.

I would estimate that about 95% of all traffic to my mail server is non-legitimate.

Of course, ME works great for a while, and then someone SOMEHOW finds out ALL the unpublished email addresses (weird ones as well), and then those accounts get crushed with SPAM.

Aside from restarting SMTP service, what can I do to take back control of the SMTP server?

I'd post the logs, but am afraid, it would just expose the holes in my ME setup even further.

I have all the normal relay prevention stuff set up, and for the most part, don't have problems.

Right now though ... SMTP server is not accepting connections from anyone but the spammers.

I have read the KB but couldn't find anything that fixed it.

HELP?

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

It sounds like you may be concentrating on the wrong things. The best way here is to work out what is happening when the SMTP service is failing for legitimate customers, i.e. what errors do you get? What do you see happening?

If you want to stop the dictionary attacks on the server, the best way I have seen so far is through the implementation of grey listing. To implement this feature you can wait for a few weeks and then upgrade to our version 3 product, or you can immediately download and install a proxy firewall; something like E-Wall will do the job. Grey listing will immediately drop a first-time connection and wait for the remote server to retry, which most spammers tend not to do.
Regards,

Product Services
MailEnable Pty Ltd

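The grey listing behaviour described in the reply above, as an added example that is not part of the original thread and is not MailEnable's or E-Wall's implementation. It assumes the common form of the technique: a temporary 451 reply on first contact, keyed on (client /24, sender, recipient); the class and function names, timings and reply text are hypothetical.

```python
import ipaddress

MIN_DELAY = 300          # assumed: seconds before a retry is accepted
PENDING_TTL = 4 * 3600   # assumed: unretried triplets are forgotten after this
PASSED_TTL = 36 * 86400  # assumed: how long a passed triplet stays trusted
DEFER = "451 4.7.1 Greylisted, try again later"

class Greylist:
    def __init__(self):
        self.pending = {}  # triplet -> time first seen
        self.passed = {}   # triplet -> time last accepted

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # Key on the /24 so a retry from another host in the sender's pool matches.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net.network_address), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):  # now: epoch seconds
        key = self.triplet(client_ip, mail_from, rcpt_to)
        last = self.passed.get(key)
        if last is not None and now - last <= PASSED_TTL:
            self.passed[key] = now
            return "250 OK"
        first = self.pending.get(key)
        if first is None or now - first > PENDING_TTL:
            self.pending[key] = now  # first contact, or an expired entry: defer
            return DEFER
        if now - first < MIN_DELAY:
            return DEFER             # retried too quickly to count as a real queue
        del self.pending[key]
        self.passed[key] = now
        return "250 OK"

def replay(events):  # events: (time, ip, sender, recipient) tuples
    gl = Greylist()
    return [gl.check(ip, frm, to, t)[:3] for t, ip, frm, to in events]

# Constructed sample: one MTA that retries, one dictionary run that does not.
SAMPLE = [
    (0, "192.0.2.10", "alice@example.org", "james@example.com"),
    (5, "203.0.113.7", "x@spam.example", "aaron@example.com"),
    (6, "203.0.113.7", "x@spam.example", "abby@example.com"),
    (60, "192.0.2.10", "alice@example.org", "james@example.com"),
    (900, "192.0.2.11", "alice@example.org", "james@example.com"),
    (5000, "192.0.2.10", "alice@example.org", "james@example.com"),
]

print(replay(SAMPLE))
```

Each new recipient in the dictionary run creates its own pending entry and is never accepted unless the sender comes back after the delay, while the retrying server is delayed once and then passes.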

orge
Posts: 10
Joined: Wed Mar 29, 2006 9:41 am

Post by orge »

Looking at the logs and transcripts from rejected messages, the two common errors seem to be:
connection dropped - server busy
access denied

It seems probable that these are being caused by the repeated dictionary attacks on the SMTP server. We do have some Astaro Firewall hardware which could resolve this, but it's currently awaiting RMA and return... :(

I'm also chasing our ISP for a solution, but I'm not located near the branch office and limited to what I can implement remotely...

Thanks for your help,

James

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

Access denied is fine; that means that the sender is not authorized and is getting dropped. But the "connection dropped - server busy" error may be helped by increasing the SMTP threads. Change the threads on the inbound to be 64 or 100; this will not affect your service a great deal and will help you with the rejecting because of the dictionary attacks, as it will give some connections time to timeout.
Regards,

Product Services
MailEnable Pty Ltd

orge
Posts: 10
Joined: Wed Mar 29, 2006 9:41 am

Post by orge »

Ok, will increase the threads.

The "access denied" error also cropped up in the transcripts for a couple of emails which should have been delivered (indeed they did come through on a later attempt). However, I can't seem to find the entries in our logs to make sure...

I have all spam blocking systems turned off and at least *some* mail is being relayed internally - leading me to believe there is not a problem with these settings.

J

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

> The "access denied" error also cropped up in the transcripts for a couple of emails which should have been delivered (indeed they did come through on a later attempt). However, I can't seem to find the entries in our logs to make sure...

Not sure how this could be the case; either the sender is allowed to send mail through your server or they are not. I doubt whether there would be a problem in this area, as we would very quickly be made aware if authentication was failing on relay.

It is possible that the client is not hitting your server when they try to send, in which case the authentication will fail due to the user's details not being listed on the remote server they are trying to send through. It may be a good idea to check the client details to ensure the SMTP server being used is yours. Also check on a per-incident basis against your SMTP logs and compare any entries to the error in the client.
Regards,

Product Services
MailEnable Pty Ltd
