Koozali.org: home of the SME Server

sme 9.2 smtp problem (qpsmtpd)

Offline Catton

Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #15 on: October 17, 2018, 11:38:41 PM »
OK, I read
https://forums.contribs.org/index.php/topic,53769.0.html
Is this "Too many connections: 10 >= 10.  Waiting one second" an external DoS attack on the mail server?
Or is it an internal attack by a rogue local workstation?

Offline ReetP

Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #16 on: October 18, 2018, 01:27:43 AM »
It is external attacks (it's a cloud hosted box so has no real 'local' clients) but they effectively overload the mail server so our users experience delayed sending via the server.

The point is you can tell nothing without looking at your logs...

Don't guess. Don't just try things in the vague hope they will fix the issue.

Be methodical and careful, and start by looking for issues in your logs.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline mmccarn

Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #17 on: October 18, 2018, 01:57:04 PM »
There should be data in the sqpsmtpd log file above the "Too many connections:" entries showing what systems are using up your 10 connections -- or run
  netstat -an | grep ':465.*EST'
at the command line to see what systems have active, open connections on port 465.

Once you have the active IPs you can 'grep' the sqpsmtpd logs for more details (grep for the IP to get the connection number, then grep for the connection number to get full details of the transaction).  Here are some wiki notes on digging info out of the email log files: https://wiki.contribs.org/Mail_log_file_analysis.

"qplogtail" (attached to Bug 3418) lists qpsmtpd activity, but only looks at /var/log/qpsmtpd/current.  You could download that script and edit line 8 to use 'sqpsmtpd/current', instead of 'qpsmtpd/current' ("tail -f /var/log/sqpsmtpd/current \")

If the connections are used up by remote systems, you might want to look into Fail2ban.

If the connections are used up by local IPs, you might have an infected workstation -- or you may simply have a user who sent an attachment that is too large (it sits in the outbox in Outlook and is continuously retried until you find it and delete it from the sender's outbox).

If the problem is an oversized outbound email from a local user, you might not see anything in the qpsmtpd logs - this wiki section describes the components involved in email size limits: https://wiki.contribs.org/Email#Set_max_email_size

[edit]
added missing closing parenthesis
« Last Edit: October 18, 2018, 02:06:59 PM by mmccarn »

Offline ReetP

Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #18 on: October 18, 2018, 08:10:45 PM »
The +10 situ in the other thread I pointed out may be a possible cause in this instance but he needs to check his logs.

To save confusion I'll reply specifically on that thread so we don't confuse this one.

Offline tomeratch

Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #19 on: October 21, 2018, 08:27:49 AM »
Omg mmccarn, you just saved me a load of confusion there ... that's exactly it .. I ran: netstat -an |grep :465.*EST
and found connections from external IPs, always established from China .. if I let it be, the connections from external IPs get high and sqpsmtpd dies as I mentioned.
Thank you so much mmccarn..
So now that I know what the problem is, how can I block it? How do I know which user name and password they use to connect? Thank you very much in advance ..

here is an example of a connection:
2018-10-21 10:52:24.638416500 22364 Accepted connection 4/10 from 49.72.92.97 / Unknown
2018-10-21 10:52:24.804155500 22364 Connection from Unknown [49.72.92.97]
2018-10-21 10:52:24.804157500 22364 in config(plugins)
2018-10-21 10:52:24.804157500 22364 config(plugins): hook returned (0,)
2018-10-21 10:52:24.804157500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804158500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804158500 22364 Loading hosts_allow from /usr/share/qpsmtpd/plugins/hosts_allow
2018-10-21 10:52:24.804159500 22364 hosts_allow hooking pre-connection
2018-10-21 10:52:24.804159500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804168500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804168500 22364 Loading peers from /usr/share/qpsmtpd/plugins/peers
2018-10-21 10:52:24.804169500 22364 in config(peers/0)
2018-10-21 10:52:24.804169500 22364 config(peers/0): hook returned (0,)
2018-10-21 10:52:24.804169500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804170500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804170500 22364 (init) peers: Loading tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem from /usr/share/qpsmtpd/plugins/tls
2018-10-21 10:52:24.804174500 22364 (init) peers: Loading auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp yes enable_ssmtp yes from /usr/share/qpsmtpd/plugins/auth/auth_cvm_unix_local
2018-10-21 10:52:24.804176500 22364 (init) peers: Loading earlytalker from /usr/share/qpsmtpd/plugins/earlytalker
2018-10-21 10:52:24.804176500 22364 (init) peers: Loading bogus_bounce from /usr/share/qpsmtpd/plugins/bogus_bounce
2018-10-21 10:52:24.804183500 22364 (init) peers: Loading count_unrecognized_commands 4 from /usr/share/qpsmtpd/plugins/count_unrecognized_commands
2018-10-21 10:52:24.804184500 22364 (init) peers: Loading relay from /usr/share/qpsmtpd/plugins/relay
2018-10-21 10:52:24.804184500 22364 (init) peers: Loading helo policy lenient reject naughty from /usr/share/qpsmtpd/plugins/helo
2018-10-21 10:52:24.804185500 22364 (init) peers: Loading resolvable_fromhost from /usr/share/qpsmtpd/plugins/resolvable_fromhost
2018-10-21 10:52:24.804192500 22364 (init) peers: Loading headers from /usr/share/qpsmtpd/plugins/headers
2018-10-21 10:52:24.804192500 22364 (init) peers: Loading loadcheck max_load 7 from /usr/share/qpsmtpd/plugins/loadcheck
2018-10-21 10:52:24.804193500 22364 (init) peers: Loading sender_permitted_from reject 1 no_dmarc_policy 0 from /usr/share/qpsmtpd/plugins/sender_permitted_from
2018-10-21 10:52:24.804194500 22364 (init) peers: Loading dkim reject 0 from /usr/share/qpsmtpd/plugins/dkim
2018-10-21 10:52:24.804209500 22364 (init) peers: Loading dmarc reject 0 reporting 1 from /usr/share/qpsmtpd/plugins/dmarc
2018-10-21 10:52:24.804210500 22364 (init) peers: Loading naughty reject mail from /usr/share/qpsmtpd/plugins/naughty
2018-10-21 10:52:24.804211500 22364 (init) peers: Loading badmailfrom from /usr/share/qpsmtpd/plugins/badmailfrom
2018-10-21 10:52:24.804217500 22364 (init) peers: Loading badrcptto more_badrcptto badrcptto_ext from /usr/share/qpsmtpd/plugins/badrcptto
2018-10-21 10:52:24.804218500 22364 (init) peers: Loading check_goodrcptto extn - from /usr/share/qpsmtpd/plugins/check_goodrcptto
2018-10-21 10:52:24.804219500 22364 (init) peers: Loading rcpt_ok from /usr/share/qpsmtpd/plugins/rcpt_ok
2018-10-21 10:52:24.804219500 22364 (init) peers: Loading tnef2mime from /usr/share/qpsmtpd/plugins/tnef2mime
2018-10-21 10:52:24.804223500 22364 (init) peers: Loading queue/qmail-queue from /usr/share/qpsmtpd/plugins/queue/qmail-queue
2018-10-21 10:52:24.804224500 22364 peers hooking valid_auth
2018-10-21 10:52:24.804224500 22364 peers hooking set_hooks
2018-10-21 10:52:24.804225500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804225500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804225500 22364 in config(tls_ciphers)
2018-10-21 10:52:24.804228500 22364 config(tls_ciphers): hook returned (0,)
2018-10-21 10:52:24.804229500 22364 in config(tls_protocols)
2018-10-21 10:52:24.804229500 22364 config(tls_protocols): hook returned (0,)
2018-10-21 10:52:24.804230500 22364 tls: ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2018-10-21 10:52:24.804230500 22364 tls hooking connect
2018-10-21 10:52:24.804230500 22364 tls hooking ehlo
2018-10-21 10:52:24.804231500 22364 tls hooking helo
2018-10-21 10:52:24.804231500 22364 tls hooking rcpt
2018-10-21 10:52:24.804234500 22364 tls hooking mail
2018-10-21 10:52:24.804234500 22364 tls hooking data
2018-10-21 10:52:24.804235500 22364 tls hooking post-connection
2018-10-21 10:52:24.804241500 22364 tls hooking unrecognized_command
2018-10-21 10:52:24.804241500 22364 (set_hooks) running plugin: peers
2018-10-21 10:52:24.804242500 22364 in config(peers/0)
2018-10-21 10:52:24.804242500 22364 config(peers/0): hook returned (0,)
2018-10-21 10:52:24.804242500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804243500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804243500 22364 in config(peers/0)
2018-10-21 10:52:24.804243500 22364 config(peers/0): hook returned (0,)
2018-10-21 10:52:24.804247500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804247500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804248500 22364 peers hooking valid_auth
2018-10-21 10:52:24.804248500 22364 peers hooking set_hooks
2018-10-21 10:52:24.804248500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804249500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804249500 22364 logging::logterse hooking queue
2018-10-21 10:52:24.804249500 22364 logging::logterse hooking deny
2018-10-21 10:52:24.804253500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804253500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804253500 22364 in config(tls_ciphers)
2018-10-21 10:52:24.804254500 22364 config(tls_ciphers): hook returned (0,)
2018-10-21 10:52:24.804254500 22364 in config(tls_protocols)
2018-10-21 10:52:24.804254500 22364 config(tls_protocols): hook returned (0,)
2018-10-21 10:52:24.804255500 22364 tls: ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2018-10-21 10:52:24.804258500 22364 tls hooking connect
2018-10-21 10:52:24.804259500 22364 tls hooking ehlo
2018-10-21 10:52:24.804259500 22364 tls hooking helo
2018-10-21 10:52:24.804259500 22364 tls hooking rcpt
2018-10-21 10:52:24.804260500 22364 tls hooking mail
2018-10-21 10:52:24.804260500 22364 tls hooking data
2018-10-21 10:52:24.804266500 22364 tls hooking post-connection
2018-10-21 10:52:24.804266500 22364 tls hooking unrecognized_command
2018-10-21 10:52:24.804266500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804267500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804267500 22364 auth::auth_cvm_unix_local hooking auth-plain
2018-10-21 10:52:24.804267500 22364 auth::auth_cvm_unix_local hooking auth-login
2018-10-21 10:52:24.804268500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804268500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804277500 22364 earlytalker hooking connect
2018-10-21 10:52:24.804277500 22364 earlytalker hooking data
2018-10-21 10:52:24.804278500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804278500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804278500 22364 bogus_bounce hooking data_post
2018-10-21 10:52:24.804279500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804279500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804279500 22364 count_unrecognized_commands hooking unrecognized_command
2018-10-21 10:52:24.804283500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804283500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804284500 22364 relay hooking connect
2018-10-21 10:52:24.804284500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804284500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804285500 22364 helo hooking helo
2018-10-21 10:52:24.804285500 22364 helo hooking ehlo
2018-10-21 10:52:24.804285500 22364 helo hooking data_post
2018-10-21 10:52:24.804288500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804289500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804289500 22364 resolvable_fromhost hooking mail
2018-10-21 10:52:24.804289500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804297500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804297500 22364 headers hooking data_post
2018-10-21 10:52:24.804297500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804298500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804298500 22364 loadcheck hooking connect
2018-10-21 10:52:24.804298500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804299500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.804299500 22364 sender_permitted_from hooking mail
2018-10-21 10:52:24.804303500 22364 sender_permitted_from hooking data_post_headers
2018-10-21 10:52:24.804303500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.804304500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.816836500 22364 dkim hooking data_post_headers
2018-10-21 10:52:24.816874500 22364 in config(plugin_dirs)
2018-10-21 10:52:24.816898500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:24.913119500 22347 Plugin queue::qmail_2dqueue, hook queue returned OK, Queued! 1540108344 qp 22360 <006001d46912$fb83e580$f28bb080$@com>
2018-10-21 10:52:24.913346500 22347 250 Queued! 1540108344 qp 22360 <006001d46912$fb83e580$f28bb080$@com>
2018-10-21 10:52:24.913717500 22347 DESTROY called by Qpsmtpd::SMTP, /usr/share/perl5/vendor_perl/Qpsmtpd/SMTP.pm, 65
2018-10-21 10:52:24.915034500 22347 unlinked  /var/spool/qpsmtpd/1540108341:22347:0
2018-10-21 10:52:24.922766500 22364 dmarc hooking data_post_headers
2018-10-21 10:52:25.008780500 22364 dmarc hooking data_post
2018-10-21 10:52:25.008781500 22364 in config(plugin_dirs)
2018-10-21 10:52:25.008781500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:25.008782500 22364 naughty hooking data_post
2018-10-21 10:52:25.008782500 22364 naughty: registering hook mail
2018-10-21 10:52:25.008782500 22364 naughty hooking mail
2018-10-21 10:52:25.008783500 22364 in config(plugin_dirs)
2018-10-21 10:52:25.008783500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:25.008784500 22364 badmailfrom hooking mail
2018-10-21 10:52:25.008796500 22364 in config(plugin_dirs)
2018-10-21 10:52:25.008796500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:25.008796500 22364 badrcptto hooking rcpt
2018-10-21 10:52:25.008797500 22364 in config(plugin_dirs)
2018-10-21 10:52:25.008797500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:25.008797500 22364 check_goodrcptto hooking rcpt
2018-10-21 10:52:25.008798500 22364 in config(plugin_dirs)
2018-10-21 10:52:25.008798500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:25.008805500 22364 rcpt_ok hooking rcpt
2018-10-21 10:52:25.008806500 22364 in config(plugin_dirs)
2018-10-21 10:52:25.008806500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:25.008806500 22364 tnef2mime hooking data_post
2018-10-21 10:52:25.008807500 22364 in config(plugin_dirs)
2018-10-21 10:52:25.008807500 22364 config(plugin_dirs): hook returned (0,)
2018-10-21 10:52:25.008807500 22364 queue::qmail_2dqueue hooking queue
2018-10-21 10:52:25.008808500 22364 Plugin peers, hook set_hooks returned DECLINED

How is this possible? He is connected as "Unknown"? Is it a security issue with the server?
« Last Edit: October 21, 2018, 10:15:53 AM by tomeratch »

Offline ReetP

Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #20 on: October 21, 2018, 01:19:53 PM »
Quote
How is this possible? He is connected as "Unknown"? Is it a security issue with the server?

Yes they can connect as unknown but it should get caught by a plugin and dropped. Your log doesn't appear to show the end of the transaction (22364) to see that happening.

In your instance you may find geoip helps (can't see you have it installed)

Check the bugs and forums for geoip2 to use the updated maxmind dbs.

It isn't a security issue per se as your server doesn't seem to have been compromised. However it is a DoS if your mail server is getting wedged.

Your log doesn't exhibit the same issue as the '10 connections' thread so I think these may be 2 different issues so please be careful not to confuse the two.

If you have a '10 connection' problem reply in the other thread. If not then stay here.

Can you try and show the whole of the transaction 22364 so we can see what happens at the end? Grep the log for 22364.


Offline mmccarn

Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #21 on: October 21, 2018, 03:52:13 PM »
...now that I know what the problem is how can i block it? how do i know which user name and password do they use to connect? thank you very much in advance ..
...

You need to find out if there is already a qpsmtpd plugin that identifies the bad connections, or some other method of blocking those connections.

If there is a qpsmtpd plugin that might work, you would find it by finding an offending IP, searching the qpsmtpd logs for that IP to get a connection ID, then searching for the connection ID to get the full details of the bad connection:
Code:
# Step 1: Confirm that qpsmtpd "LogLevel" is 6 or more
config show qpsmtpd |grep LogLevel
Quote
     LogLevel=6

Code:
# Step 2: Get any offending IP address
netstat -an |grep ":465.*EST"
# I can't provide sample output here; I don't have any open connections.  I searched my log file to find an IP that was denied
# I will use '186.225.32.26'

Code:
# Step 3: Get the sqpsmtpd connection ID that is being used by the offending IP
# Notes - using "/*qpsmtpd/current" will search both qpsmtpd and sqpsmtpd logs at the same time
grep '186.225.32.26' /var/log/*qpsmtpd/current

Quote
/var/log/qpsmtpd/current:@400000005bc8bd48004c9b54 5765 Accepted connection 0/40 from 186.225.32.26 / Unknown
/var/log/qpsmtpd/current:@400000005bc8bd480053cf14 5765 Connection from Unknown [186.225.32.26]
/var/log/qpsmtpd/current:@400000005bc8bd4a21d20ee4 5765 (deny) logging::logterse: ` 186.225.32.26   # Unknown            helo   903   no rDNS for 186.225.32.26   msg denied before queued
/var/log/qpsmtpd/current:@400000005bc8bd4a21d75e44 5765 550 no rDNS for 186.225.32.26

Code:
# Step 4: search your logs for the connection ID
# (I am searching for <space>5765<space> in this example to avoid matching random time stamps)
grep ' 5765 ' /var/log/*qpsmtpd/current
Quote
/var/log/qpsmtpd/current:@400000005bc8bd48004c9b54 5765 Accepted connection 0/40 from 186.225.32.26 / Unknown
/var/log/qpsmtpd/current:@400000005bc8bd480053cf14 5765 Connection from Unknown [186.225.32.26]
/var/log/qpsmtpd/current:@400000005bc8bd49380a4294 5765 (connect) earlytalker: pass, not spontaneous
/var/log/qpsmtpd/current:@400000005bc8bd49383482fc 5765 (connect) relay: skip, no match
/var/log/qpsmtpd/current:@400000005bc8bd493845e81c 5765 (connect) check_badcountries: GeoIP Country: BR
/var/log/qpsmtpd/current:@400000005bc8bd493a3976d4 5765 (connect) dnsbl: karma -1 (-1)
/var/log/qpsmtpd/current:@400000005bc8bd493a3d3f94 5765 (connect) dnsbl: fail, NAUGHTY, zen.spamhaus.org
/var/log/qpsmtpd/current:@400000005bc8bd493a5071a4 5765 220 office.mmsionline.us ESMTP
/var/log/qpsmtpd/current:@400000005bc8bd4a1b40fb6c 5765 dispatching EHLO laurentamaki.com
/var/log/qpsmtpd/current:@400000005bc8bd4a21c43fbc 5765 (ehlo) helo: karma -1 (-2)
/var/log/qpsmtpd/current:@400000005bc8bd4a21c6e384 5765 (ehlo) helo: fail, no rDNS
/var/log/qpsmtpd/current:@400000005bc8bd4a21d20ee4 5765 (deny) logging::logterse: ` 186.225.32.26   Unknown            helo   903   no rDNS for 186.225.32.26   msg denied before queued
/var/log/qpsmtpd/current:@400000005bc8bd4a21d75e44 5765 550 no rDNS for 186.225.32.26
/var/log/qpsmtpd/current:@400000005bc8bd4a21da9e4c 5765 click, disconnecting

This tells us that the attempted connection is identified by both the dnsbl and helo plugins -- so we might be able to block it by changing the settings to one or the other of those plugins.

In fact, this connection was blocked on my server because I followed this process and modified the behavior of the helo plugin to block it outright instead of marking it "naughty" as was done by the dnsbl plugin.  You can read more in this forum post (with a misleading subject) and this bug.

If no plugins are being triggered, the next step I would take would be to research the IP address using mxtoolbox:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a186.225.32.26&run=toolpage

If there is a blacklist that is listing the offending IP address, I could have blocked this connection by enabling that block list.  I then use this script to see what *else* would have been blocked by the new blocklist (to avoid over-blocking):
https://wiki.contribs.org/Email_Statistics#Display_messages_that_would_have_been_blocked_via_DNSBL

If there is no new-and-safe blocklist you can use, you might need a new function, like fail2ban or geoip.

Ultimately I set up 'update-ipsets' from 'firehol' as described here:
https://forums.contribs.org/index.php?topic=53302.0
(1. These notes are not-ready-for-prime-time, and 2. These notes are not for the faint of heart)
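The grep-for-IP, then grep-for-connection-ID procedure above, as an added example that is not code from this thread or from SME Server: a Python pass over qpsmtpd/sqpsmtpd log lines that groups them by connection ID, keeps the plugin verdicts and the final SMTP reply for each remote IP, and decodes the tai64n (or tai64nlocal) stamps so the time each connection was held open is visible. The sample log embedded in the block is assembled from the excerpts quoted in this thread plus one constructed 'Accepted' line; the 192.0.2.10 address and the mail.example.net name are constructed.

```python
"""Index qpsmtpd / sqpsmtpd log lines by connection ID and summarise each connection."""
import re
from datetime import datetime

# A line is: [file:]<stamp> <connection id> <message>. The stamp is either raw tai64n
# ('@' + 24 hex digits) or the tai64nlocal form '2018-10-21 10:52:24.638416500'.
LINE_RE = re.compile(r"^(?:[\w/.-]+:)?(@[0-9a-f]{24}|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\d+) (.*)$")
ACCEPT_RE = re.compile(r"^Accepted connection (\d+/\d+) from (\S+) / (\S+)")
CONNFROM_RE = re.compile(r"^Connection from (\S+) \[([^\]]+)\]")
PLUGIN_RE = re.compile(r"^\(([\w-]+)\) ([\w:]+): (.*)$")  # (hook) plugin: result
VERDICT_RE = re.compile(r"^Plugin (\S+), hook (\S+) returned (\w+)(?:, (.*?))?,?$")
REJECT_RE = re.compile(r"^([45]\d\d) (.*)$")  # a 4xx/5xx SMTP reply sent to the peer

def stamp_seconds(stamp):
    """Seconds since an epoch; only differences between two stamps are meaningful."""
    if stamp.startswith("@"):
        # tai64n: 16 hex digits of TAI seconds offset by 2**62, then 8 hex digits of ns
        return int(stamp[1:17], 16) - (1 << 62) + int(stamp[17:25], 16) / 1e9
    # tai64nlocal prints nanoseconds; strptime's %f accepts at most six digits
    return datetime.strptime(stamp[:26], "%Y-%m-%d %H:%M:%S.%f").timestamp()

def parse_connections(lines):
    """Return one record per connection, in the order the connections were opened."""
    records, open_by_id = [], {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        stamp, cid, msg = m.groups()
        t = stamp_seconds(stamp)
        rec = open_by_id.get(cid)
        accepted, connfrom = ACCEPT_RE.match(msg), CONNFROM_RE.match(msg)
        # The forkserver recycles PIDs: a fresh 'Accepted'/'Connection from' opens a new record
        if accepted or (connfrom and (rec is None or rec["ended"])):
            rec = {"id": cid, "ip": None, "rdns": None, "slot": None, "start": t, "end": t,
                   "events": [], "denied_by": None, "reject": None, "queued": False, "ended": False}
            records.append(rec)
            open_by_id[cid] = rec
        if rec is None:
            continue  # e.g. the parent's 'cleaning up after <pid>' line
        rec["end"] = t
        if accepted:
            rec["slot"], rec["ip"], rec["rdns"] = accepted.groups()
        elif connfrom:
            rec["rdns"], rec["ip"] = connfrom.groups()
        elif (pm := PLUGIN_RE.match(msg)):
            hook, plugin, result = pm.groups()
            if hook not in ("init", "set_hooks") and not plugin.startswith("logging"):
                rec["events"].append((hook, plugin, result))
        elif (vm := VERDICT_RE.match(msg)):
            plugin, hook, code, reason = vm.groups()
            if code.startswith("DENY"):
                rec["denied_by"] = (plugin, hook, code, reason or "")
            elif code == "OK" and hook == "queue":
                rec["queued"] = True
        elif (rm := REJECT_RE.match(msg)):
            rec["reject"] = (rm.group(1), rm.group(2))
        elif msg.startswith(("click, disconnecting", "DESTROY called")):
            rec["ended"] = True
    return records

def connections_from(lines, ip):
    """The grep-by-IP step: every connection whose remote address is ip."""
    return [r for r in parse_connections(lines) if r["ip"] == ip]

def summarize(rec):
    """One line per connection, in the spirit of the logterse summary line."""
    if rec["queued"]:
        outcome = "queued"
    elif rec["denied_by"]:
        outcome = "denied by %s at %s (%s)" % rec["denied_by"][:3]
    elif rec["reject"]:
        outcome = "rejected %s %s" % rec["reject"]
    else:
        outcome = "no final verdict in log"
    flagged = sorted({p for _, p, r in rec["events"] if r.startswith(("fail", "karma"))})
    return "%s %s slot %s held %.0fs: %s; flagged by %s" % (
        rec["ip"], rec["id"], rec["slot"] or "?", rec["end"] - rec["start"], outcome,
        ", ".join(flagged) or "nothing")

# Sample log: excerpts quoted in this thread plus one constructed 'Accepted' line (192.0.2.10)
SAMPLE_LOG = """\
/var/log/qpsmtpd/current:@400000005bc8bd48004c9b54 5765 Accepted connection 0/40 from 186.225.32.26 / Unknown
/var/log/qpsmtpd/current:@400000005bc8bd493a3d3f94 5765 (connect) dnsbl: fail, NAUGHTY, zen.spamhaus.org
/var/log/qpsmtpd/current:@400000005bc8bd4a21c6e384 5765 (ehlo) helo: fail, no rDNS
/var/log/qpsmtpd/current:@400000005bc8bd4a21d75e44 5765 550 no rDNS for 186.225.32.26
/var/log/qpsmtpd/current:@400000005bc8bd4a21da9e4c 5765 click, disconnecting
@400000005bcc30422fee706c 22364 Connection from Unknown [49.72.92.97]
@400000005bcc307f22d6bd44 22364 (connect) tls: fail, unable to establish SSL
@400000005bcc307f22d7ea0c 22364 Plugin tls, hook connect returned DENYHARD, Cannot establish SSL session
@400000005bcc307f22daf74c 22364 550 Cannot establish SSL session
@400000005bcc307f22db938c 22364 click, disconnecting
@400000005bcc3080155ffe14 20626 cleaning up after 22364
2018-10-21 10:52:21.000000000 22347 Accepted connection 1/10 from 192.0.2.10 / mail.example.net
2018-10-21 10:52:24.913119500 22347 Plugin queue::qmail_2dqueue, hook queue returned OK, Queued! 1540108344 qp 22360 <006001d46912$fb83e580$f28bb080$@com>
"""

if __name__ == "__main__":
    for rec in parse_connections(SAMPLE_LOG.splitlines()):
        print(summarize(rec))
```

On a real box, pass `open('/var/log/sqpsmtpd/current')` to `parse_connections` instead of the sample; the 22364 record shows the connection held for about 61 seconds before the tls plugin denied it.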

Offline tomeratch

Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #22 on: October 21, 2018, 04:09:13 PM »
Thanks everyone
Sorry for overlapping with other posts.
I found that blocking the addresses with the open sessions solves the problem (until they switch IP).
Here is the log you requested:
Code:
@400000005bcc30422fee706c 22364 Connection from Unknown [49.72.92.97]
@400000005bcc30422fee783c 22364 in config(plugins)
@400000005bcc30422fee783c 22364 config(plugins): hook returned (0,)
@400000005bcc30422fee783c 22364 in config(plugin_dirs)
@400000005bcc30422fee7c24 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422fee7c24 22364 Loading hosts_allow from /usr/share/qpsmtpd/plugins/hosts_allow
@400000005bcc30422fee800c 22364 hosts_allow hooking pre-connection
@400000005bcc30422fee800c 22364 in config(plugin_dirs)
@400000005bcc30422feea334 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422feea334 22364 Loading peers from /usr/share/qpsmtpd/plugins/peers
@400000005bcc30422feea71c 22364 in config(peers/0)
@400000005bcc30422feea71c 22364 config(peers/0): hook returned (0,)
@400000005bcc30422feea71c 22364 in config(plugin_dirs)
@400000005bcc30422feeab04 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422feeab04 22364 (init) peers: Loading tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem from /usr/share/qpsmtpd/plugins/tls
@400000005bcc30422feebaa4 22364 (init) peers: Loading auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp yes enable_ssmtp yes from /usr/share/qpsmtpd/plugins/auth/auth_cvm_unix_local
@400000005bcc30422feec274 22364 (init) peers: Loading earlytalker from /usr/share/qpsmtpd/plugins/earlytalker
@400000005bcc30422feec274 22364 (init) peers: Loading bogus_bounce from /usr/share/qpsmtpd/plugins/bogus_bounce
@400000005bcc30422feeddcc 22364 (init) peers: Loading count_unrecognized_commands 4 from /usr/share/qpsmtpd/plugins/count_unrecognized_commands
@400000005bcc30422feee1b4 22364 (init) peers: Loading relay from /usr/share/qpsmtpd/plugins/relay
@400000005bcc30422feee1b4 22364 (init) peers: Loading helo policy lenient reject naughty from /usr/share/qpsmtpd/plugins/helo
@400000005bcc30422feee59c 22364 (init) peers: Loading resolvable_fromhost from /usr/share/qpsmtpd/plugins/resolvable_fromhost
@400000005bcc30422fef00f4 22364 (init) peers: Loading headers from /usr/share/qpsmtpd/plugins/headers
@400000005bcc30422fef00f4 22364 (init) peers: Loading loadcheck max_load 7 from /usr/share/qpsmtpd/plugins/loadcheck
@400000005bcc30422fef04dc 22364 (init) peers: Loading sender_permitted_from reject 1 no_dmarc_policy 0 from /usr/share/qpsmtpd/plugins/sender_permitted_from
@400000005bcc30422fef08c4 22364 (init) peers: Loading dkim reject 0 from /usr/share/qpsmtpd/plugins/dkim
@400000005bcc30422fef435c 22364 (init) peers: Loading dmarc reject 0 reporting 1 from /usr/share/qpsmtpd/plugins/dmarc
@400000005bcc30422fef4744 22364 (init) peers: Loading naughty reject mail from /usr/share/qpsmtpd/plugins/naughty
@400000005bcc30422fef4b2c 22364 (init) peers: Loading badmailfrom from /usr/share/qpsmtpd/plugins/badmailfrom
@400000005bcc30422fef629c 22364 (init) peers: Loading badrcptto more_badrcptto badrcptto_ext from /usr/share/qpsmtpd/plugins/badrcptto
@400000005bcc30422fef6684 22364 (init) peers: Loading check_goodrcptto extn - from /usr/share/qpsmtpd/plugins/check_goodrcptto
@400000005bcc30422fef6a6c 22364 (init) peers: Loading rcpt_ok from /usr/share/qpsmtpd/plugins/rcpt_ok
@400000005bcc30422fef6a6c 22364 (init) peers: Loading tnef2mime from /usr/share/qpsmtpd/plugins/tnef2mime
@400000005bcc30422fef7a0c 22364 (init) peers: Loading queue/qmail-queue from /usr/share/qpsmtpd/plugins/queue/qmail-queue
@400000005bcc30422fef7df4 22364 peers hooking valid_auth
@400000005bcc30422fef7df4 22364 peers hooking set_hooks
@400000005bcc30422fef81dc 22364 in config(plugin_dirs)
@400000005bcc30422fef81dc 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422fef81dc 22364 in config(tls_ciphers)
@400000005bcc30422fef8d94 22364 config(tls_ciphers): hook returned (0,)
@400000005bcc30422fef917c 22364 in config(tls_protocols)
@400000005bcc30422fef917c 22364 config(tls_protocols): hook returned (0,)
@400000005bcc30422fef9564 22364 tls: ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
@400000005bcc30422fef9564 22364 tls hooking connect
@400000005bcc30422fef9564 22364 tls hooking ehlo
@400000005bcc30422fef994c 22364 tls hooking helo
@400000005bcc30422fef994c 22364 tls hooking rcpt
@400000005bcc30422fefa504 22364 tls hooking mail
@400000005bcc30422fefa504 22364 tls hooking data
@400000005bcc30422fefa8ec 22364 tls hooking post-connection
@400000005bcc30422fefc05c 22364 tls hooking unrecognized_command
@400000005bcc30422fefc05c 22364 (set_hooks) running plugin: peers
@400000005bcc30422fefc444 22364 in config(peers/0)
@400000005bcc30422fefc444 22364 config(peers/0): hook returned (0,)
@400000005bcc30422fefc444 22364 in config(plugin_dirs)
@400000005bcc30422fefc82c 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422fefc82c 22364 in config(peers/0)
@400000005bcc30422fefc82c 22364 config(peers/0): hook returned (0,)
@400000005bcc30422fefd7cc 22364 in config(plugin_dirs)
@400000005bcc30422fefd7cc 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422fefdbb4 22364 peers hooking valid_auth
@400000005bcc30422fefdbb4 22364 peers hooking set_hooks
@400000005bcc30422fefdbb4 22364 in config(plugin_dirs)
@400000005bcc30422fefdf9c 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422fefdf9c 22364 logging::logterse hooking queue
@400000005bcc30422fefdf9c 22364 logging::logterse hooking deny
@400000005bcc30422fefef3c 22364 in config(plugin_dirs)
@400000005bcc30422fefef3c 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422fefef3c 22364 in config(tls_ciphers)
@400000005bcc30422feff324 22364 config(tls_ciphers): hook returned (0,)
@400000005bcc30422feff324 22364 in config(tls_protocols)
@400000005bcc30422feff324 22364 config(tls_protocols): hook returned (0,)
@400000005bcc30422feff70c 22364 tls: ciphers: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
@400000005bcc30422ff002c4 22364 tls hooking connect
@400000005bcc30422ff006ac 22364 tls hooking ehlo
@400000005bcc30422ff006ac 22364 tls hooking helo
@400000005bcc30422ff006ac 22364 tls hooking rcpt
@400000005bcc30422ff00a94 22364 tls hooking mail
@400000005bcc30422ff00a94 22364 tls hooking data
@400000005bcc30422ff02204 22364 tls hooking post-connection
@400000005bcc30422ff02204 22364 tls hooking unrecognized_command
@400000005bcc30422ff02204 22364 in config(plugin_dirs)
@400000005bcc30422ff025ec 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff025ec 22364 auth::auth_cvm_unix_local hooking auth-plain
@400000005bcc30422ff025ec 22364 auth::auth_cvm_unix_local hooking auth-login
@400000005bcc30422ff029d4 22364 in config(plugin_dirs)
@400000005bcc30422ff029d4 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff04cfc 22364 earlytalker hooking connect
@400000005bcc30422ff04cfc 22364 earlytalker hooking data
@400000005bcc30422ff050e4 22364 in config(plugin_dirs)
@400000005bcc30422ff050e4 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff050e4 22364 bogus_bounce hooking data_post
@400000005bcc30422ff054cc 22364 in config(plugin_dirs)
@400000005bcc30422ff054cc 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff054cc 22364 count_unrecognized_commands hooking unrecognized_command
@400000005bcc30422ff0646c 22364 in config(plugin_dirs)
@400000005bcc30422ff0646c 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff06854 22364 relay hooking connect
@400000005bcc30422ff06854 22364 in config(plugin_dirs)
@400000005bcc30422ff06854 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff06c3c 22364 helo hooking helo
@400000005bcc30422ff06c3c 22364 helo hooking ehlo
@400000005bcc30422ff06c3c 22364 helo hooking data_post
@400000005bcc30422ff077f4 22364 in config(plugin_dirs)
@400000005bcc30422ff07bdc 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff07bdc 22364 resolvable_fromhost hooking mail
@400000005bcc30422ff07bdc 22364 in config(plugin_dirs)
@400000005bcc30422ff09b1c 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff09b1c 22364 headers hooking data_post
@400000005bcc30422ff09b1c 22364 in config(plugin_dirs)
@400000005bcc30422ff09f04 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff09f04 22364 loadcheck hooking connect
@400000005bcc30422ff09f04 22364 in config(plugin_dirs)
@400000005bcc30422ff0a2ec 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30422ff0a2ec 22364 sender_permitted_from hooking mail
@400000005bcc30422ff0b28c 22364 sender_permitted_from hooking data_post_headers
@400000005bcc30422ff0b28c 22364 in config(plugin_dirs)
@400000005bcc30422ff0b674 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc304230afef94 22364 dkim hooking data_post_headers
@400000005bcc304230b08404 22364 in config(plugin_dirs)
@400000005bcc304230b0e1c4 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc304237004ca4 22364 dmarc hooking data_post_headers
@400000005bcc30430085fad4 22364 dmarc hooking data_post
@400000005bcc30430085febc 22364 in config(plugin_dirs)
@400000005bcc30430085febc 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc3043008602a4 22364 naughty hooking data_post
@400000005bcc3043008602a4 22364 naughty: registering hook mail
@400000005bcc3043008602a4 22364 naughty hooking mail
@400000005bcc30430086068c 22364 in config(plugin_dirs)
@400000005bcc30430086068c 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc304300860a74 22364 badmailfrom hooking mail
@400000005bcc304300863954 22364 in config(plugin_dirs)
@400000005bcc304300863954 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc304300863954 22364 badrcptto hooking rcpt
@400000005bcc304300863d3c 22364 in config(plugin_dirs)
@400000005bcc304300863d3c 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc304300863d3c 22364 check_goodrcptto hooking rcpt
@400000005bcc304300864124 22364 in config(plugin_dirs)
@400000005bcc304300864124 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc304300865c7c 22364 rcpt_ok hooking rcpt
@400000005bcc304300866064 22364 in config(plugin_dirs)
@400000005bcc304300866064 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc304300866064 22364 tnef2mime hooking data_post
@400000005bcc30430086644c 22364 in config(plugin_dirs)
@400000005bcc30430086644c 22364 config(plugin_dirs): hook returned (0,)
@400000005bcc30430086644c 22364 queue::qmail_2dqueue hooking queue
@400000005bcc304300866834 22364 Plugin peers, hook set_hooks returned DECLINED,
@400000005bcc30430086dd64 22364 (connect) running plugin: tls
@400000005bcc307f22d6bd44 22364 (connect) tls: fail, unable to establish SSL
@400000005bcc307f22d7ea0c 22364 Plugin tls, hook connect returned DENYHARD, Cannot establish SSL session
@400000005bcc307f22d9ab44 22364 (deny) logging::logterse: ` 49.72.92.97 Unknown tls 903 Cannot establish SSL session msg denied before queued
@400000005bcc307f22daf74c 22364 550 Cannot establish SSL session
@400000005bcc307f22db938c 22364 click, disconnecting
@400000005bcc307f22dd21fc 22364 (post-connection) running plugin: tls
@400000005bcc307f22de1814 22364 Plugin tls, hook post-connection returned DECLINED,
@400000005bcc307f22f5e5d4 22364 DESTROY called by main, /usr/bin/qpsmtpd-forkserver, 0
@400000005bcc3080155ffe14 20626 cleaning up after 22364
Thanks for the help everyone

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #23 on: October 21, 2018, 04:24:45 PM »
There is a 60 second delay imposed by the tls plugin that is probably holding the connection open:
Code: [Select]
echo '@400000005bcc30430086dd64 22364 (connect) running plugin: tls
@400000005bcc307f22d6bd44 22364 (connect) tls: fail, unable to establish SSL
@400000005bcc307f22d7ea0c 22364 Plugin tls, hook connect returned DENYHARD, Cannot establish SSL session
@400000005bcc307f22d9ab44 22364 (deny) logging::logterse: ` 49.72.92.97 Unknown tls 903 Cannot establish SSL session msg denied before queued
@400000005bcc307f22daf74c 22364 550 Cannot establish SSL session' |tai64nlocal
Quote
2018-10-21 03:52:25.008838500 22364 (connect) running plugin: tls
2018-10-21 03:53:25.584498500 22364 (connect) tls: fail, unable to establish SSL
2018-10-21 03:53:25.584575500 22364 Plugin tls, hook connect returned DENYHARD, Cannot establish SSL session
2018-10-21 03:53:25.584690500 22364 (deny) logging::logterse: ` 49.72.92.97 Unknown tls 903 Cannot establish SSL session msg denied before queued
2018-10-21 03:53:25.584775500 22364 550 Cannot establish SSL session
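The tai64nlocal conversion above lets you see the 60 second gap by eye; the script below is an added example (not from this thread or from SME Server) that parses the tai64n stamps directly and reports, per qpsmtpd worker PID, how long the tls plugin kept a connection slot occupied and which peer was behind it. PID 22365 and the address 192.0.2.10 in the sample are constructed; the 22364 lines are the extract posted above.

```python
import re

# qpsmtpd lines: '@' + 16 hex chars (TAI seconds + 2**62) + 8 hex chars
# (nanoseconds), then the worker PID, then the message.
LINE_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (\d+) (.*)$")
# logging::logterse writes: ` <ip> <helo> <plugin> <code> <message> <status>
LOGTERSE_RE = re.compile(r"logging::logterse: ` (\S+) ")


def tai64n_to_seconds(stamp):
    """TAI seconds (with nanoseconds) for a tai64n stamp. TAI runs ahead of
    UTC: tai64nlocal subtracts 10 s plus the leap seconds in /etc/leapsecs.dat.
    Durations between two stamps do not depend on that offset."""
    m = re.match(r"^@([0-9a-f]{16})([0-9a-f]{8})$", stamp)
    return int(m.group(1), 16) - 2 ** 62 + int(m.group(2), 16) / 1e9


def tls_hold_times(lines):
    """{pid: (peer_ip, seconds)} for each connection where the tls plugin ran
    on connect and later gave up; seconds is how long that slot was held."""
    started, held, peer = {}, {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = tai64n_to_seconds("@" + m.group(1) + m.group(2))
        pid, msg = m.group(3), m.group(4)
        if msg == "(connect) running plugin: tls":
            started[pid] = ts
        elif msg.startswith("(connect) tls: fail") and pid in started:
            held[pid] = ts - started.pop(pid)
        t = LOGTERSE_RE.search(msg)
        if t:
            peer[pid] = t.group(1)
    return {pid: (peer.get(pid, "?"), round(s, 3)) for pid, s in held.items()}


# Constructed sample: PID 22364 is the thread's own extract; PID 22365 and
# 192.0.2.10 are made up to show a second slot being held at the same time.
SAMPLE_LOG = """\
@400000005bcc30430086dd64 22364 (connect) running plugin: tls
@400000005bcc307f22d6bd44 22364 (connect) tls: fail, unable to establish SSL
@400000005bcc307f22d9ab44 22364 (deny) logging::logterse: ` 49.72.92.97 Unknown tls 903 Cannot establish SSL session msg denied before queued
@400000005bcc304400000000 22365 (connect) running plugin: tls
@400000005bcc308000000000 22365 (connect) tls: fail, unable to establish SSL
@400000005bcc308000000000 22365 (deny) logging::logterse: ` 192.0.2.10 Unknown tls 903 Cannot establish SSL session msg denied before queued
""".splitlines()

if __name__ == "__main__":
    for pid, (ip, secs) in tls_hold_times(SAMPLE_LOG).items():
        print(f"pid {pid}: {ip} held a slot for {secs} s before tls gave up")
```

Feed it the whole qpsmtpd current log (`cat /var/log/qpsmtpd/current | python3 script.py`-style, after replacing SAMPLE_LOG with sys.stdin) to see every slot that a failed TLS handshake tied up for the full 60 seconds.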

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #24 on: October 21, 2018, 04:50:31 PM »
The IP in your log extract is listed on multiple dnsbl services:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a186.225.32.26&run=toolpage#

But you don't seem to have dnsbl enabled (from looking at your log extract).

I suggest that you enable dnsbl using at least the spamhaus zen and barracuda blocklists
Code: [Select]
# get the current blocklist for reference
config getprop qpsmtpd RBLList

# set the blocklist to use spamhaus zen and barracuda (use single quotes to avoid problems)
config setprop qpsmtpd RBLList 'zen.spamhaus.org,b.barracudacentral.org:Blocked - see http://bbl.barracudacentral.com/q.cgi?ip=%IP%'

# enable RBL
config setprop qpsmtpd DNSBL enabled

# activate the new config
signal-event email-update

This may not help, since even IP addresses on blocklists are allowed to attempt authentication so that remote users could still send email if they get stuck on a bad network... but it's a start.

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #25 on: October 21, 2018, 04:57:22 PM »
There is a 60 second delay imposed by the tls plugin that is probably holding the connection open:

Just curious where that is set ?

I can see two templates for timeout and timeoutsmtpd

[root@esmith config]# cat timeout
{
    my $timeout = $qpsmtpd{timeout} || 120;
    $OUT = "$timeout";
}


[root@esmith config]# cat timeoutsmtpd
{
    my $timeout = $qpsmtpd{timeoutsmtpd} || 120;
    $OUT = "$timeout";
}

(just trying to get my head round it all before logging as bug!)

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #26 on: October 21, 2018, 05:03:12 PM »
Hmmm... unless you've customized your timeouts, the 60 second TLS timeout can't be the same as the default 120 second qpsmtpd timeout.

I couldn't find any indication that there is any place where you can change the TLS timeout -- so I started looking for other ways to block these connections.

In addition to enabling DNSBL you may want to look into the GeoIP contrib -- although you should read the wiki and bug thoroughly before trying:
https://wiki.contribs.org/GeoIP
Bug 9033

[edit]
spelling, add url to geoip bug
« Last Edit: October 21, 2018, 05:04:52 PM by mmccarn »

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #27 on: October 21, 2018, 05:17:11 PM »
Those are default and that's what's set on mine.

No idea what Tomeratch has set.

You can see them in /var/service/qpsmtpd/config

Offline tomeratch

  • *
  • 24
  • +0/-0
Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #28 on: October 21, 2018, 05:36:31 PM »
Thanx for the help.
I do not use RBL, for I have a separate mail relay system to deal with that.
And as you figured, that does not block incoming smtp connections to the server.

My timeouts are also set to defaults: qpsmtpd=120

For now, after blocking the addresses, all seems to be good until they figure out that I blocked only some subnets :(



Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: sme 9.2 smtp problem (qpsmtpd)
« Reply #29 on: October 22, 2018, 03:07:07 PM »
OK, as this is for qpsmtpd vs my thread on sqpsmtpd I am trying to keep things a bit separate even though they exhibit a similar thread of SSL/TLS timeouts on connections.

I have posted a bug on this, and followed it with a short addition to this thread:

https://forums.contribs.org/index.php/topic,53769.msg279943.html#msg279943
