I received the following error for the first time yesterday in my logwatch
report.  It was in the Postfix section.

1   *Warning: Pre-queue content-filter connection overload
----------------------------------
        1      After CONNECT
        1         unknown          unknown


I have read over the page on before queue content filter.  If I
understand it correctly my specific access controls, rbls and such are
part of the pre-queue process.  Is that correct?  Could the warning be
due to an excessive amount of time talking to an rbl or too many
connections at one point in time? If it is too many connections from a
single source, the paranoid side of my mind says DOS attack or
abnormal volume of spam.  Given that it is showing as unknown
(logwatch did not show the ip and I am not finding the error in
mail.log or mail.warn), I do not even know who to block at the
firewall.

Below is a copy of the smtpd_recipient_restrictions if someone asks.

smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        check_client_access cidr:/etc/postfix/client.cidr
        check_client_access hash:/etc/postfix/blacklist
        check_helo_access hash:/etc/postfix/helo_checks,
        reject_rbl_client ru.countries.nerd.dk,
        reject_rbl_client tm.countries.nerd.dk,
        reject_rbl_client cn.countries.nerd.dk,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client korea.services.net,
        reject_rbl_client bhnc.njabl.org,
        reject_rbl_client combined.njabl.org,
        check_policy_service inet:127.0.0.1:60000


I did notice a higher than normal amount of mail for my server
yesterday including a much higher than normal attempt to relay through
us.  I am trying to use rbls with Postfix before my other spam
filtering since I can decline the connect instead of Postfix digesting
it and passing it on.  It should decrease the overall system load if I
do not have to receive the email content.


The overall question is: Is this too much filtering or a possible DOS
attack?  This has never happened before so I do not suspect hardware
problems, just too much of something talking to us.


-- 
TIA

Guy
