Outgoing email is having serious issues...

Good morning all.

I’ve opened up a support ticket with this as well, but I wondered if the group might have any ideas as well.

Since late last week, I’ve been having intermittent problems with authenticated outgoing email from my domains. From a number of different email clients on a number of different domains, if I try to send a message to an outside domain, the mail client gets stuck on connecting and eventually times out. If I telnet into port 25, I get the “Connected to” and “Escape char” messages, but no banner response. In addition, if I log into NodeWorx, the Overview shows SMTP stopped, but if I go to the MTA page it shows all services running normally. Rebooting the server makes the problem go away for a little while, but it comes back in less than a day. This seems to have started following the update to 3.03 on Thursday night, but I can’t be sure of it.

Either way, I’ve got some VERY upset customers and need to get this resolved asap. If anyone has any ideas what to look for on this, I’d be more than appreciative.

Thanks in advance. I’m really curious to see what this is, but it is vital that I get it fixed prior to people coming back to work next week.

Thank you.

Phil Malmstrom
philm@diamondcomputer.com

InterWorx support to the rescue again…

Hi everyone.

Just a follow-up to say that Socheat seems to have found my issue and it’s been corrected (on a Sunday morning I might add…).

It seems that the number of incoming connection requests has been on a drastic rise recently, apparently from spammers starting to hit a couple of my customers’ domains, and the incoming limit was being reached. I bumped the limit and have been monitoring it, and for the moment all appears well.

Thanks to the InterWorx team for once again setting the bar for customer service.

Phil Malmstrom
philm@diamondcomputer.com

I’ve noticed a few times that NodeWorx shows SMTP down but then I refresh the page or go to MTA and it’s on. This would affect inbound and outbound emails so I’ve been keeping a close eye on this.

I also got an alert from the monitor site I use, and it showed it down with the following message: “Socket timeout after 10 seconds.”

I guess I will try bumping the number of connections a bit to see if this helps.

What did you set yours to, if you don’t mind sharing that information?

The new settings…

Hi Justin.

I set mine up to 100, and haven’t had a problem since. Watching it, I’ve found it interesting that over the weekend the number of inbound connections reported by tailing /var/log/smtp/current has been as high as 40 (the old maximum was set to 30…the default) and most of my customers are businesses…Not emailing over the weekend. I’ll be very curious to see what it gets up to during the workweek.

Have a good afternoon.

Phil Malmstrom
philm@diamondcomputer.com

I get a ton of spam messages especially to one account. Probably about 80% of all the email coming into my server is dropped by either one of my two RBLs.

My SMTP logs don’t go back more than 20-30 mins. Not sure if this is normal or just b/c of the amount of crap logged.

That’s normal behavior for those logs. I have a couple of RBLs and they block quite a bit as well… Amazing the way email has become abused, isn’t it?

Either way, I hope that setting helps you as well.

Take care.

Phil Malmstrom
philm@diamondcomputer.com

A follow up…

Ok, I thought I’d post a follow-up message about what I’m experiencing and see what everyone else thinks.

As mentioned earlier in the thread, I bumped the incoming cap up to 100 from 30, and all seemed fine for a day or so. Today I noticed further delays and when looking into it found that the 100 incoming connections cap was being hit. I have 2 RBLs in the list which reject quite a bit, but I’m guessing they’re not rejecting enough. Watching the logs for a while, I’ve noticed that there’s a lot of repeated attempts from some IPs. Now, I have the brute force detector (bfd) software running for ssh and ftp, but I know it doesn’t parse the smtp logs. Is there anything anyone is using for smtp flood detection that seems to help?

All input is as always, greatly appreciated.

Phil Malmstrom
philm@diamondcomputer.com
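
For the question in the post above about spotting repeated connection attempts in the SMTP log, here is an added example (not from the thread or from InterWorx) that reads the log, reports peak concurrency against the cap, and lists source IPs that open too many connections in a short span. It assumes the log contains tcpserver lines with multilog TAI64N timestamps; the 60-second window, the cap of 5, and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed format: tcpserver lines stamped by multilog (TAI64N), as qmail-based
# servers normally write them; the thread itself does not show any log lines.
STATUS = re.compile(r"^@([0-9a-f]{24}) tcpserver: status: (\d+)/(\d+)")
CONNECT = re.compile(r"^@([0-9a-f]{24}) tcpserver: pid \d+ from (\S+)")

def tai_seconds(stamp):
    """Seconds field of a TAI64N label: first 16 hex digits, offset 2**62."""
    return int(stamp[:16], 16) - 2**62

def analyse(lines, window=60, max_per_window=5):
    """Return (peak, limit, offenders). offenders maps a source IP to the most
    connections it opened inside any `window`-second span, if above the cap."""
    peak = limit = 0
    recent = defaultdict(deque)      # ip -> connect times still in the window
    worst = defaultdict(int)         # ip -> largest burst seen so far
    for line in lines:
        m = STATUS.match(line)
        if m:                        # concurrency as reported by tcpserver
            peak, limit = max(peak, int(m.group(2))), int(m.group(3))
            continue
        m = CONNECT.match(line)
        if m:
            now, ip = tai_seconds(m.group(1)), m.group(2)
            times = recent[ip]
            times.append(now)
            while now - times[0] >= window:   # drop connects older than window
                times.popleft()
            worst[ip] = max(worst[ip], len(times))
    return peak, limit, {ip: n for ip, n in worst.items() if n > max_per_window}

def make_sample():
    """Constructed log lines using documentation addresses, not real traffic."""
    base = 2**62 + 1_200_000_000
    events = [(t, "192.0.2.10") for t in range(0, 40, 5)]        # 8 in 40 s
    events += [(t, "198.51.100.7") for t in (0, 150, 300)]       # 3 in 5 min
    lines = []
    for n, (t, ip) in enumerate(sorted(events), start=1):
        stamp = "@%016x%08x" % (base + t, 0)
        lines.append("%s tcpserver: status: %d/100" % (stamp, n))
        lines.append("%s tcpserver: pid %d from %s" % (stamp, 4000 + n, ip))
    return lines

if __name__ == "__main__":
    peak, limit, offenders = analyse(make_sample())
    print("peak concurrency %d of %d" % (peak, limit))
    for ip, n in sorted(offenders.items(), key=lambda kv: -kv[1]):
        print("%-15s %d connections within 60 s" % (ip, n))
```

To run it against the live log, pass the lines of /var/log/smtp/current to `analyse()` instead of the sample; since that file only covers a short period, running it on a schedule gives a better picture than a single pass.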