Thank you for your help.
I finally decided to do some homework and learn more about qpsmtpd.
I found that the goodrcptto plugin in qpsmtpd is doing what I was looking for.
http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
"A qmail server will normally accept email for any recipient address at a domain.
This patch causes the server to reject single recipient email to an invalid
recipient, and filter out the invalid recipients from multiple recipient email,
while accepting the message for the valid recipients.
This occurs during the initial SMTP conversation for a reduction in disk I/O.
The server rejects attempts to queue messages to non existent recipients, and joe job bounces to forged recipients, preventing them from becoming double bounces."
What is still happening is that hundreds of emails, with hundreds of email addresses in each email, are hitting the server to the point that qpsmtpd locks.
The file /var/service/qpsmtpd/control/plugins shows the order of what is checked with each email.
_____________________________________________________________
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://wiki.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp no enable_ssmtp yes
check_earlytalker
count_unrecognized_commands 4
# bcc disabled
check_relay
check_norelay
require_resolvable_fromhost
check_basicheaders
# rhsbl disabled
dnsbl
check_badmailfrom
check_badrcptto_patterns
check_badrcptto
check_spamhelo
check_goodrcptto extn -
# check_smtp_forward not required
rcpt_ok
virus/pattern_filter check=patterns action=deny
tnef2mime
spamassassin reject_threshold 10 munge_subject_threshold 5
virus/clamav clamscan_path=/usr/bin/clamdscan action=reject max_size=25000000
queue/qmail-queue
_____________________________________________________________
NOTE: The email is checked with 11 plugins before it is checked against the goodrcptto list, and when it hits the goodrcptto plugin it checks each and every email address in the email, slowing the system while more emails are coming in. With 100-300 emails every 5 mins it is causing qpsmtpd to lock up, forcing a reboot.
check_earlytalker
count_unrecognized_commands 4
check_relay
check_norelay
require_resolvable_fromhost
check_basicheaders
dnsbl
check_badmailfrom
check_badrcptto_patterns
check_badrcptto
check_spamhelo
check_goodrcptto extn -
NOTE: What I did was move the goodrcptto plugin before the dnsbl to keep the system from wasting resources.
_____________________________________________________________
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://wiki.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp no enable_ssmtp yes
check_earlytalker
count_unrecognized_commands 4
# bcc disabled
check_relay
check_norelay
require_resolvable_fromhost
check_basicheaders
check_goodrcptto extn -
# rhsbl disabled
dnsbl
check_badmailfrom
check_badrcptto_patterns
check_badrcptto
check_spamhelo
# check_smtp_forward not required
rcpt_ok
virus/pattern_filter check=patterns action=deny
tnef2mime
spamassassin reject_threshold 10 munge_subject_threshold 5
virus/clamav clamscan_path=/usr/bin/clamdscan action=reject max_size=25000000
queue/qmail-queue
_____________________________________________________________
Does anyone think this will cause any issues with the system? While watching the /var/log/qpsmtpd/current log I see that bogus emails are being denied before wasting resources.
The same webpage talks about dictionary attacks, which is what the emails that are coming in look like.
"To prevent dictionary attacks, the transmission channel is closed after the
number of bad recipients set in control/brtlimit or BRTLIMIT, two by default.
Repeated attempts from the same IPs may be handled by a cron that looks at the
logs and updates tcprules accordingly."
Does anyone know anything about the "brtlimit" that it is talking about?
Thanks...
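
The cron approach quoted above (scan the logs, then update tcprules), sketched as an added example that is not part of the original post or of the goodrcptto patch. The log line format, the sample addresses and the helper names are constructed assumptions, since the page shows no actual qpsmtpd log lines; only the `ip:deny` output is real tcprules source syntax.

```python
"""Count bad-recipient denials per client IP and emit tcprules deny lines."""
import ipaddress
import re
from collections import Counter

# Mirrors the "two by default" brtlimit in the quote; applying it per
# log window instead of per connection is an assumption of this example.
BAD_RCPT_LIMIT = 2

# ASSUMED log format: "<timestamp> client=<ip> plugin=<name> result=<r> rcpt=<addr>".
# Anchored at line start so text copied from the RCPT TO address later in
# the line cannot forge a denial for somebody else's IP.
DENY_RE = re.compile(
    r"^\S+ client=(?P<ip>[0-9.]+) plugin=check_goodrcptto result=deny\b")

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
1200000001 client=203.0.113.7 plugin=check_goodrcptto result=deny rcpt=<aaron@example.com>
1200000002 client=203.0.113.7 plugin=check_goodrcptto result=deny rcpt=<abby@example.com>
1200000003 client=203.0.113.7 plugin=check_goodrcptto result=deny rcpt=<adam@example.com>
1200000004 client=198.51.100.20 plugin=check_goodrcptto result=deny rcpt=<typo@example.com>
1200000005 client=198.51.100.20 plugin=rcpt_ok result=ok rcpt=<real@example.com>
1200000006 client=192.0.2.9 plugin=check_goodrcptto result=deny rcpt=<"x client=198.51.100.20 plugin=check_goodrcptto result=deny"@example.com>
"""

def count_bad_rcpts(lines):
    """Return a Counter of denied-recipient events keyed by client IP."""
    hits = Counter()
    for line in lines:
        m = DENY_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))  # drop malformed IPs
        except ValueError:
            continue
        hits[ip] += 1
    return hits

def tcprules_denies(hits, limit=BAD_RCPT_LIMIT, allowlist=()):
    """Return tcprules source lines for IPs with more than `limit` denials."""
    offenders = sorted(ip for ip, n in hits.items()
                       if n > limit and ip not in allowlist)
    return [f"{ip}:deny" for ip in offenders]

if __name__ == "__main__":
    # Prepend these to the rules source, then recompile it with tcprules(1).
    for rule in tcprules_denies(count_bad_rcpts(SAMPLE_LOG.splitlines())):
        print(rule)
```

Keep your own relays and monitoring hosts in `allowlist`, and expire old deny entries so a reassigned IP is not blocked indefinitely.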