Hi, I have a postfix-2.8.10 server on fc15 that is having a problem with slow connections to port 25 before receiving the initial 220 greeting. I actually had a similar problem back in February on this same system, and implementing postscreen seemed to have resolved it.
If I run "telnet localhost 25" immediately after starting postfix, it works fine. After a minute or so, however, there is a lengthy delay before receiving the 220 greeting. This really seems to be a connection or utilization issue. I thought there was a possibility it was a problem with the bind configuration on the system, but I've tried using a name server on the local network and it's still an extensive delay. I really don't think it's a name server problem.

In spite of having postscreen configured, I tried increasing the process limit to 300 and it makes no difference. I've also read through the stress README and I believe I've implemented all of the relevant suggestions. I don't have this smtpd line in my master.cf, however:

    smtp inet n - n - 200 smtpd

Is this because I've configured amavisd with this system?

I also noticed the venerable "Possible SYN flooding on port 25. Sending cookies." kernel message today. Could this be related? Too many new connections in a very short period...

There are also a lot of the following:

    Nov 19 20:39:03 mail01 postfix/smtpd[19820]: lost connection after CONNECT from listserver.translateplanmulti.info[198.41.120.7]

Are these related to postscreen?

There are times when the server has thousands of queued messages, and as many as 80 or more DNS queries per second to the local caching nameserver, but it also happens under much smaller loads. The server is a Xeon E5345 with 8 cores and 8GB RAM that isn't even all used, and 4 1GB disks in a RAID5. It also appears to peak at processing about 60 msgs/min, but the average is closer to 20.

I only noticed this today due to a nagios alert, although I haven't done anything to the system today that would have related to this. There are probably other areas in which my configuration below could be improved, so any ideas are greatly appreciated.

mail_version = 2.8.10
hostname = mail01.example.com
uname = Linux mail01.example.com 2.6.43.8-1.fc15.x86_64 #1 SMP Mon Jun 4 20:33:44 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.8.10-1.fc15.x86_64

--main.cf non-default parameters--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_files = alias,forward
always_bcc = bcc-user
biff = no
body_checks = regexp:/etc/postfix/body_checks.pcre
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_list = 64.XX.YY.0/24
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre pcre:/etc/postfix/header_checks-jimsun.pcre
initial_destination_concurrency = 20
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 200000000
manpage_directory = /usr/share/man
maximal_queue_lifetime = 2d
message_size_limit = 13312000
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 192.168.6.0/24, 68.XXX.YYY.40/29, 64.XX.YY.0/27
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2 bl.spamcop.net*1 b.barracudacentral.org*1 psbl.surriel.com*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
readme_directory = /usr/share/doc/postfix-2.8.10/README_FILES
relay_domains = $mydestination, $transport_maps, example.com, cs.example.com, dom1.example.com, example.com
sample_directory = /usr/share/doc/postfix-2.8.10/samples
smtpd_client_connection_count_limit = 2
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    check_client_access hash:/etc/postfix/client_checks_special,
    check_sender_access hash:/etc/postfix/sender_checks_special,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_invalid_helo_hostname,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_recipient_access pcre:/etc/postfix/relay_recips_segtravel,
    check_recipient_access pcre:/etc/postfix/relay_recips_access,
    check_recipient_access pcre:/etc/postfix/property_recip_map,
    check_recipient_access pcre:/etc/postfix/recipient_checks,
    check_recipient_access pcre:/etc/postfix/relay_recip_checks,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname, mail01.example.com
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_CAfile = /etc/pki/tls/cacert.pem
smtp_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual, hash:/etc/postfix/virtual-segtravel

--master.cf--
submission inet n - n - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup fifo n - n 60 1 pickup
    -o content_filter=
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
    -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
smtp-amavis unix - - n - - smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=40
127.0.0.1:10025 inet n - n - 12 smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
bwi unix - - n - - smtp
    -o fallback_relay=[206.XXX.YYY.20]
csbwi unix - - n - - smtp
    -o fallback_relay=[206.XXX.YYY.20]
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
    -o receive_override_options=no_address_mappings
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy

-- end of postfinger output --
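
The manual "telnet localhost 25" check from the post can be scripted so that the TCP connect time and the wait for the 220 greeting are measured separately; this is an added example, not part of the original post. The function name `probe_greeting`, the result keys, and the host, port and interval in the sampling loop are assumptions chosen for illustration.

```python
import socket
import time


def probe_greeting(host, port=25, timeout=30.0):
    """Time the TCP connect and the wait for the SMTP greeting separately."""
    result = {"connect_s": None, "greeting_s": None, "code": None,
              "banner": None, "error": None}
    t0 = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"connect failed: {exc}"
        return result
    t1 = time.monotonic()
    result["connect_s"] = t1 - t0  # slow here points at the listen backlog
    lines = []
    try:
        with sock, sock.makefile("rb") as reader:
            while True:
                raw = reader.readline()
                if not raw:
                    result["error"] = "closed before greeting completed"
                    break
                line = raw.decode("ascii", "replace").rstrip("\r\n")
                lines.append(line)
                # "220-text" continues the greeting; "220 text" ends it.
                if len(line) < 4 or line[3] != "-":
                    break
    except OSError as exc:  # a socket timeout is an OSError subclass
        result["error"] = f"no greeting within {timeout}s: {exc}"
    result["greeting_s"] = time.monotonic() - t1  # slow here: no free server process
    if result["error"] is None and lines and lines[-1][:3].isdigit():
        result["code"] = int(lines[-1][:3])
        result["banner"] = "\n".join(lines)
    return result


if __name__ == "__main__":
    # Assumed target and interval: sample the local MTA every 10 seconds.
    for _ in range(6):
        print(time.strftime("%H:%M:%S"), probe_greeting("127.0.0.1", 25, timeout=60))
        time.sleep(10)
```

Running it from just after a restart until the delay appears shows whether the time is lost in the connect or in the wait for the banner.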