Date: Tue, 10 Apr 2007 10:07:26 +0200
From: "Marcelo Caparroz" <marcelo.caparroz (at mark) gmail.com>
Subject: [coba-e:09503] Re: Dovecot/POP3 Flood
To: coba-e (at mark) bluequartz.org
Message-Id: <b0dc50f60704100107m6bbe77bfhfeb99b5fcb23e1f2 (at mark) mail.gmail.com>
In-Reply-To: <000601c77af6$3a295800$ae7c0800$@net>
References: <001601c76299$d8edf420$8ac9dc60$ (at mark) net> <7853B509BA765D40B8DACAEA2F64B2A4720CE6 (at mark) es005.gramtel.office> <000601c77af6$3a295800$ae7c0800$ (at mark) net>
X-Mail-Count: 09503

I was wondering..... when this issue on pwdb will be fixed. It's really
important.

I have about 200 domains in a server and the dovecot has to be stopped and
started about 40 times in a day. It's too much.

If anybody has a clue about this problem with pwdb, please tell me.

Tks!

2007/4/10, Darrell D. Mobley <dmobley (at mark) uhostme.net>:
>
> Rusty,
>
> I just wanted to let you know that while this is an old message I am
> responding to, your suggestions worked perfectly today. I stopped getting
> email and checked the maillog to see this:
>
> Apr 9 18:08:23 www dovecot: auth(default): PAM: Child 18945 died with signal 9
> Apr 9 18:08:25 www dovecot: pop3-login: Disconnected: user=<support>, method=PLAIN, rip=66.177.202.188, lip=216.130.248.50
> Apr 9 18:09:33 www dovecot: auth(default): pam(dmobley,66.177.202.188): PAM child process 18964 timed out, killing it
> Apr 9 18:09:33 www dovecot: auth(default): pam(dmobley,66.177.202.188): Child process died
> Apr 9 18:09:33 www dovecot: auth(default): PAM: Child 18964 died with signal 9
> Apr 9 18:09:35 www dovecot: pop3-login: Disconnected: user=<dmobley>, method=PLAIN, rip=66.177.202.188, lip=216.130.248.50
> Apr 9 18:10:53 www dovecot: auth(default): pam(site4,66.177.202.188): PAM child process 18986 timed out, killing it
> Apr 9 18:10:53 www dovecot: auth(default): pam(site4,66.177.202.188): Child process died
> Apr 9 18:10:53 www dovecot: auth(default): PAM: Child 18986 died with signal 9
> Apr 9 18:10:55 www dovecot: pop3-login: Disconnected: user=<site4>, method=PLAIN, rip=66.177.202.188, lip=216.130.248.50
> Apr 9 18:12:13 www dovecot: auth(default): pam(dmobley,66.177.202.188): PAM child process 19006 timed out, killing it
> Apr 9 18:12:13 www dovecot: auth(default): pam(dmobley,66.177.202.188): Child process died
> Apr 9 18:12:13 www dovecot: auth(default): PAM: Child 19006 died with signal 9
>
> There were numerous pop3login processes started by dovecot, so I stopped
> dovecot, admserv, xinetd, killed the left over dovecot-auth processes, then
> manually ran dbrecover, which took very little time. I restarted the
> processes and mail started flowing again immediately.
>
> Thanks for the recommendation.
>
> > -----Original Message-----
> > From: Rusty Waybrant [mailto:RWaybrant (at mark) gramtel.net]
> > Sent: Monday, March 12, 2007 10:46 AM
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:09100] Re: Dovecot/POP3 Flood
> >
> > After a reboot, the server would run "dbrecover" on start, which checks
> > the consistency of pwdb (password database that is used for all users
> > except for 'admin' and 'root').
> >
> > You can manually run:
> > /etc/rc.d/init.d/dbrecover start
> >
> > I've noticed if there is an issue with pwdb, it is usually not failing
> > authentication (drop the thick-client for troubleshooting and use
> > 'telnet <server> pop3') but extremely slow authentication (30-60+
> > seconds, which is the reason for the errors).
> >
> > I've also noticed on high-traffic POP3 servers, you may see this similar
> > issue as dictionary-attacks.
> >
> > You will want to stop dovecot (or any service that might be affected by
> > this, like xinetd [ftp] or admserv [httpd.admsrv]). Then kill any
> > processes that might be hung (usually 'dovecot-auth'). Then run
> > dbrecover, which may take a minute or two to run. Finally restart any
> > service you stopped. This usually fixes the issue without the need of a
> > reboot...
> >
> > Rusty
> >
> > ________________________________
> >
> > From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.net]
> > Sent: Friday, March 09, 2007 5:26 PM
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:09068] Dovecot/POP3 Flood
> >
> > I started getting POP3 authentication errors on my server today, so I
> > logged on and tailed the maillog to see a POP3 flood using a dictionary
> > attack. I blocked the offending source IP address in iptables, then
> > stopped dovecot to allow the server load to subside and then restarted
> > it. It restarted normally, but I couldn't connect from my mail client
> > via POP3, the authentication continued to fail. I ended up stopping and
> > restarting sendmail and saslauthd, thinking perhaps those needed
> > restarting. No joy. I tried stopping and restarting all the mail
> > server services in the GUI. Still no joy. I ended up rebooting the
> > server and everything came back up fine.
> >
> > What sequence should I have used to stop and restart the mail services
> > correctly to avoid the reboot?
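
The thread describes two causes that look alike in the maillog: a slow pwdb and a POP3 dictionary attack. The following is an added example, not part of the original messages, that tallies the "PAM child process ... timed out" lines per source address to help tell them apart. The 10-minute window, the two thresholds and the verdict names are assumed values chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines copied from the maillog excerpt quoted in this thread.
SAMPLE_MAILLOG = """\
Apr 9 18:08:23 www dovecot: auth(default): PAM: Child 18945 died with signal 9
Apr 9 18:09:33 www dovecot: auth(default): pam(dmobley,66.177.202.188): PAM child process 18964 timed out, killing it
Apr 9 18:09:35 www dovecot: pop3-login: Disconnected: user=<dmobley>, method=PLAIN, rip=66.177.202.188, lip=216.130.248.50
Apr 9 18:10:53 www dovecot: auth(default): pam(site4,66.177.202.188): PAM child process 18986 timed out, killing it
Apr 9 18:12:13 www dovecot: auth(default): pam(dmobley,66.177.202.188): PAM child process 19006 timed out, killing it
"""

TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dovecot: auth\(\w+\): "
    r"pam\((?P<user>[^,]*),(?P<rip>[^)]+)\): PAM child process \d+ timed out")

def pam_timeouts(log_text, year=2007):
    """Return (timestamp, user, remote_ip) for each PAM auth timeout line."""
    events = []
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["rip"]))
    return events

def assess(events, window=timedelta(minutes=10), min_timeouts=3, many_users=10):
    """Per source IP: largest burst of timeouts in `window` and a likely cause."""
    by_ip = defaultdict(list)
    for ts, user, rip in sorted(events):
        by_ip[rip].append((ts, user))
    report = {}
    for rip, hits in by_ip.items():
        start = burst = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            burst = max(burst, end - start + 1)
        users = sorted({u for _, u in hits})
        if burst < min_timeouts:
            verdict = "ok"
        elif len(users) >= many_users:  # many accounts tried from one address
            verdict = "possible-dictionary-attack"
        else:  # few accounts, repeated timeouts: check pwdb / run dbrecover
            verdict = "slow-auth-backend"
        report[rip] = {"burst": burst, "users": users, "verdict": verdict}
    return report

if __name__ == "__main__":
    print(assess(pam_timeouts(SAMPLE_MAILLOG)))
```

On the excerpt from the thread this reports three timeouts for two accounts from one address, which matches the slow-authentication symptom described for pwdb rather than a wide username sweep.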