Zitat von Wietse Venema <[email protected]>:
Wietse Venema:[email protected]: > Zitat von Wietse Venema <[email protected]>: > > > [email protected]:> >> With both changes it looks ok now (first blacklisted, second whitelisted):> >> > >> > >> Jan 17 16:28:23 hpux2 postfix/master[28899]: daemon started -- version > >> 2.8.0-RC1, configuration /etc/postfix > >> Jan 17 16:28:33 hpux2 postfix/postscreen[28903]: CONNECT from > >> [10.1.70.1]:48111 > >> Jan 17 16:28:33 hpux2 postfix/postscreen[28903]: entering STRESS mode > >> with 1 connections > >> Jan 17 16:28:33 hpux2 postfix/postscreen[28903]: BLACKLISTED > >> [10.1.70.1]:48111> >> Jan 17 16:28:33 hpux2 postfix/postscreen[28903]: PASS OLD [10.1.70.1]:48111> >> Jan 17 16:28:33 hpux2 postfix/postscreen[28903]: leaving STRESS mode > >> with 0 connections > > > > Do you have a low postscreen_pre_queue_limit limit? It should > > normally enter stress mode with more than 1 connection. > > > > Wietse > > Not that i'm aware of. This is a test-only install, so the values are > at default beside the parameters needed to get postscreen working, so > it should be at $default_process_limit which is reported by postconf > with "100". In that case, would you briefly run it as "postscreen -v" and report the postscreen_command_time_limit logging as it starts up. ] This is what I expect to see (default_process_limit = 100):Jan 17 11:32:56 tail postfix/postscreen[17566]: postscreen_command_time_limit: stress=10 normal=300 lowat=70 hiwat=90hiwat=90 means enter stress mode with 90 or more connections lowat=70 means leave stress mode with 70 or fewer connections. You don't want to leave verbose mode on because it slows down postscreen which handles by all SMTP connections.If this is what I suspect, then the HP-UX linker does not distinguish between psc_check_queue_length_hiwat and psc_check_queue_length_lowat. Both names are 28 characters, which is within the ANSI C limit for internal symbol significance, but above the guaranteed 6-character limit for external symbol significance. These two variables are initialized in the postscreen.c module, but the "entering/leaving STRESS" checks are done in the postscreen_state.c module. If the linker truncates the names, then postscreen_state.c will access a variable with a shorter name that may be left at zero. In detail, psc_new_session_state() checks the high-water mark (and logs "entering STRESS mode with 1 connections") while and psc_free_session_state() checks the low-water mark (and logs "leaving STRESS mode with 0 connections"). This confirms that they both test a variable that is left at zero instead of the long-name variables that are initialized at 70 and 90, respectively. Try adding to postscreen.h two lines at the top with: #define psc_check_queue_length_hiwat psc_hiwat #define psc_check_queue_length_lowat psc_lowat
Sounds like ugly mess. I will also try to use gcc instead and report the findings.
Regards Andreas
smime.p7s
Description: S/MIME Cryptographic Signature
