Postfix Stalling
Posted: 30 Apr 2018 18:43
by shawniverson
eFa 3.0.2.6....I'm not only a developer of eFa, but I'm also a client
postfix is suddenly stalling out on one of my instances....
connect to 127.0.0.1 25 just hangs, no 220 banner. top looks normal....no zombies, etc.
Have to restart postfix, then a few hours later....boom, here we go again. Gave the instance more memory (12Gig, just in case)
Before I rebuild this thing (I ran a restore, still doing it....)....
Any thoughts?
Re: Postfix Stalling
Posted: 30 Apr 2018 19:39
by henk
Feels a bit silly to ask you, but as you are in the client role now, you did check all basic logs, including Mysql/Modsecurity etc?
You could enable verbose logging: in /etc/postfix/master.cf
Code:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd -v

service postfix restart
tail -f /var/log/mail.log
Re: Postfix Stalling
Posted: 30 Apr 2018 20:36
by shawniverson
All logs clean, actually too clean, as in, postfix stops logging to maillog, and everything else is just like, dude, feed me some email!
Verbose logging I have not tried, I'll enable it and wait and see if it shows anything...
Re: Postfix Stalling
Posted: 01 May 2018 01:59
by shawniverson
Found the culprit:
Code:
Apr 30 21:48:45 efa postfix/smtpd[32294]: warning: exchange.ctkrhs.org[208.67.34.45]: SASL LOGIN authentication failed: authentication failure
I blocked this intruder at the firewall, and postfix returned to normal. I have no idea what this was trying to do, but it appears to be causing postfix to hang. Some kind of DoS attack over the submission port?
Re: Postfix Stalling
Posted: 02 May 2018 03:18
by pdwalker
Was it just one request that was causing the postfix hang, or several in quick succession?
I ask, because until there is a fix, it could happen again from another IP at any time. If it takes more than one request, then fail2ban may protect you next time. If not, well crap.
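Added example, not part of the original thread and not fail2ban's own code: a Python illustration of the retry-count logic a fail2ban-style jail applies to the SASL failure line quoted above, showing that a single failing connection stays under the threshold while a repeated one is flagged. The function names, the `maxretry`/`findtime` values, the assumed year and the sample lines (documentation-range addresses) are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Postfix smtpd warning format shown in the thread.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)

def parse_failure(line, year=2018):
    """Return (timestamp, ip) for a SASL failure line, else None."""
    m = SASL_FAIL.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with >= maxretry failures inside a findtime window.

    Assumes the lines are in chronological order, as in a live maillog.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue              # not a SASL failure line
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            flagged.add(ip)
    return flagged

# Constructed sample log lines; the addresses are documentation ranges.
_FAIL = ("Apr 30 {t} efa postfix/smtpd[1201]: warning: unknown[{ip}]: "
         "SASL LOGIN authentication failed: authentication failure")
SAMPLE = [
    "Apr 30 21:40:01 efa postfix/smtpd[1201]: connect from unknown[192.0.2.10]",
    _FAIL.format(t="21:40:02", ip="192.0.2.10"),
    _FAIL.format(t="21:41:10", ip="192.0.2.10"),
    _FAIL.format(t="21:42:30", ip="192.0.2.10"),
    _FAIL.format(t="21:48:45", ip="198.51.100.7"),  # one failure only
]

if __name__ == "__main__":
    print(sorted(offenders(SAMPLE)))
```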
Re: Postfix Stalling
Posted: 02 May 2018 12:34
by jamerson
Hi Shawn,
I've noticed this last day too on one of our EFA, so I believe it is some kind of DDoS or brute force.
I am working with Paul in order to configure fail2ban in order to provide some security.
Lately we have an IDS in front of the EFA which keeps the logs clean.
EFA is working fine now.
Re: Postfix Stalling
Posted: 02 May 2018 20:42
by shawniverson
pdwalker wrote: 02 May 2018 03:18
Was it just one request that was causing the postfix hang, or several in quick succession?
I ask, because until there is a fix, it could happen again from another IP at any time. If it takes more than one request, then fail2ban may protect you next time. If not, well crap.
It was just one request. It appeared to be leaving the connection half open. I have not seen it since blocking this specific one, fortunately, and I can identify it quickly. I think I may look at my IDS and see if I can watch for this type of faulty connection.
Re: Postfix Stalling
Posted: 02 May 2018 21:37
by jamerson
shawniverson wrote: 02 May 2018 20:42
pdwalker wrote: 02 May 2018 03:18
Was it just one request that was causing the postfix hang, or several in quick succession?
I ask, because until there is a fix, it could happen again from another IP at any time. If it takes more than one request, then fail2ban may protect you next time. If not, well crap.
It was just one request. It appeared to be leaving the connection half open. I have not seen it since blocking this specific one, fortunately, and I can identify it quickly. I think I may look at my IDS and see if I can watch for this type of faulty connection.
Do you have DNS ports forwarded on the FW to the EFA?
Re: Postfix Stalling
Posted: 03 May 2018 00:27
by shawniverson
jamerson wrote: 02 May 2018 21:37
Do you have DNS ports forwarded on the FW to the EFA?
Nope