[Tfug] tfug Digest, Vol 47, Issue 13

kelley g services at toasterz.com
Sat Jun 9 14:39:29 MST 2007


>Hi Kelley,
>
>We want to stop these messages getting into the send queue. Right now they
>appear to overwhelm qmail after a while and it exits. I'll look into the
>double bounce possibility. Also I think we will try running tcpdump on port
>25.
>We don't appear to have logs of the delivered mail.

Andy

unmodified qmail follows the smtp protocol specs regarding mail acceptance - it accepts every incoming mail. this does not mean it will relay or deliver these messages. tcpserver is designed to implement tcp connection ACLs well before a message gets to the queue at a low cost. additionally, qmail queue replacements allow qmail to get rid of and tag incoming mail according to whatever features you want to implement.

qmail shouldn't exit under low resource conditions, it degrades gracefully. it's more likely that it's the perl processes associated with qmail-scanner causing mail delivery problems. you should be using daemontools to keep your processes alive. maybe your box is getting brought down by spamassassin/clamd loads? without knowing more about your setup i can't help you. maybe you need a dedicated virus scanning spam tagging box?

if you're using dns blacklists, make sure your list of sites is up to date. you will create havoc with your networking if your blacklist lookups are timing out because a site is unavailable.

as far as keeping messages from the originating server off the queue, that's easy; 'tcp.smtp' is your friend.
if you're using vpopmail, it's probably in '/home/vpopmail/etc/'

add an explicit deny line for the server annoying your queue.
'202.99.204.66:deny'

run 'qmailctl cdb' to rebuild the cdb hash. if you don't have the qmailctl script, maybe 'service qmail cdb'
or rtfm for rebuilding the cdb file.
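the deny-line-plus-cdb-rebuild step above, as an added shell example (not from the original post): it validates the address, appends the entry to a tcpserver rules file such as tcp.smtp only if no rule for that address exists yet, and rebuilds the cdb with ucspi-tcp's tcprules (the same thing 'qmailctl cdb' does). the address 192.0.2.10 and the file path are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Manage explicit deny rules in a tcpserver rules file (e.g. /home/vpopmail/etc/tcp.smtp).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append "<ip>:deny" to the rules file unless a rule for that exact address exists.
# tcprules matches the most specific address pattern first, so the deny line beats a
# default ':allow' line wherever it sits in the file. Returns 1 if already present,
# 2 if the address is malformed.
add_deny() {
    rules=$1; ip=$2
    valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 2; }
    if [ -f "$rules" ] && cut -d: -f1 "$rules" | grep -Fxq "$ip"; then
        echo "rule for $ip already present in $rules" >&2
        return 1
    fi
    printf '%s:deny\n' "$ip" >> "$rules"
}

# Rebuild <rules>.cdb; tcprules writes to the temp file and renames it atomically,
# so tcpserver never sees a half-written hash. Assumes ucspi-tcp is installed.
rebuild_cdb() {
    rules=$1
    command -v tcprules >/dev/null 2>&1 || { echo "tcprules not found; try 'qmailctl cdb'" >&2; return 3; }
    tcprules "$rules.cdb" "$rules.tmp" < "$rules"
}

# usage: sh thisfile.sh /home/vpopmail/etc/tcp.smtp 192.0.2.10 (constructed sample address)
if [ "$#" -eq 2 ]; then
    add_deny "$1" "$2" && rebuild_cdb "$1"
fi
```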

also, simscan is a much more scalable queue replacement than qmail-scanner (C vs perl). i replaced it on my mailservers years ago and never looked back. here's a good place to start if you want to update your mail software. be careful if you're using a mysql-vpopmail setup. database schemas can change if you're running a really old box.

http://shupp.org/toaster/

also if you're running bind dns on the box(es), you may want to consider djbdns as a replacement. djbdns has a much lighter footprint and no pesky memory, cache poisoning or stability issues. http://cr.yp.to/djbdns.html

fyi, if you're running a mailserver without logs for performance reasons, you really shouldn't. look into a dedicated logging box. it needn't be powerful, just simple and secure. (trustix) all your various servers would like to offload their logging. if you get a nasty windows worm, you may need to do some forensics using the logs. you should know how to turn them on, etc. in the event of a root compromise, you can possibly look to see what happened on a box on which the cracker cannot cover their tracks.

qmail's not that hard to administer, but unique in its config compared to sendmail or postfix. once you get the concepts down, any other mail server seems deeply inflexible. :) but then, i'm a developer and like to have my fingers on all the buttons.

enjoy!

-- 

kelley g
520.770.1200
ooooooooooooooooooooooooooooo
http://toasterz.com
open minds - open source
ooooooooooooooooooooooooooooo
