
Date:  Tue, 10 Apr 2007 10:25:26 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
Subject:  [coba-e:09510] Re: Dovecot/POP3 Flood
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <000e01c77b7c$16426680$42c73380$@net>
In-Reply-To:  <b0dc50f60704100107m6bbe77bfhfeb99b5fcb23e1f2 (at mark) mail.gmail.com>
References:  <001601c76299$d8edf420$8ac9dc60$ (at mark) net>	 <7853B509BA765D40B8DACAEA2F64B2A4720CE6 (at mark) es005.gramtel.office>	 <000601c77af6$3a295800$ae7c0800$ (at mark) net> <b0dc50f60704100107m6bbe77bfhfeb99b5fcb23e1f2 (at mark) mail.gmail.com>
X-Mail-Count: 09510

For all of its problems, at least the old system worked.  Can't say that much for dovecot.

From: Marcelo Caparroz [mailto:marcelo.caparroz (at mark) gmail.com]
Sent: Tuesday, April 10, 2007 4:07 AM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:09503] Re: Dovecot/POP3 Flood

I was wondering..... when this issue on pwdb will be fixed. It's really important.
I have about 200 domains in a server and the dovecot have to be stopped and started about 40 times in a day. It's too much.
If anybody has a clue about this problem with pwdb, please tell me.

Tks!

2007/4/10, Darrell D. Mobley <dmobley (at mark) uhostme.net>:

Rusty,

I just wanted to let you know that while this is an old message I am responding to, your suggestions worked perfectly today.  I stopped getting email and checked the maillog to see this:

Apr  9 18:08:23 www dovecot: auth(default): PAM: Child 18945 died with signal 9
Apr  9 18:08:25 www dovecot: pop3-login: Disconnected: user=<support>, method=PLAIN, rip=66.177.202.188, lip=216.130.248.50
Apr  9 18:09:33 www dovecot: auth(default): pam(dmobley,66.177.202.188): PAM child process 18964 timed out, killing it
Apr  9 18:09:33 www dovecot: auth(default): pam(dmobley,66.177.202.188): Child process died
Apr  9 18:09:33 www dovecot: auth(default): PAM: Child 18964 died with signal 9
Apr  9 18:09:35 www dovecot: pop3-login: Disconnected: user=<dmobley>, method=PLAIN, rip=66.177.202.188, lip=216.130.248.50
Apr  9 18:10:53 www dovecot: auth(default): pam(site4,66.177.202.188): PAM child process 18986 timed out, killing it
Apr  9 18:10:53 www dovecot: auth(default): pam(site4,66.177.202.188): Child process died
Apr  9 18:10:53 www dovecot: auth(default): PAM: Child 18986 died with signal 9
Apr  9 18:10:55 www dovecot: pop3-login: Disconnected: user=<site4>, method=PLAIN, rip=66.177.202.188, lip=216.130.248.50
Apr  9 18:12:13 www dovecot: auth(default): pam(dmobley,66.177.202.188): PAM child process 19006 timed out, killing it
Apr  9 18:12:13 www dovecot: auth(default): pam(dmobley,66.177.202.188): Child process died
Apr  9 18:12:13 www dovecot: auth(default): PAM: Child 19006 died with signal 9

There were numerous pop3login processes started by dovecot, so I stopped dovecot, admserv, xinetd, killed the left over dovecot-auth processes, then manually ran dbrecover, which took very little time.  I restarted the processes and mail started flowing again immediately.

Thanks for the recommendation.

> -----Original Message-----
> From: Rusty Waybrant [mailto: RWaybrant (at mark) gramtel.net]
> Sent: Monday, March 12, 2007 10:46 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:09100] Re: Dovecot/POP3 Flood
>
> After a reboot, the server would run "dbrecover" on start, which checks
> the consistency of pwdb (password database that is used for all users
> except for 'admin' and 'root').
>
> You can manually run:
> /etc/rc.d/init.d/dbrecover start
>
> I've noticed if there is an issue with pwdb, it is usually not failing
> authentication (drop the thick-client for troubleshooting and use
> 'telnet <server> pop3') but extremely slow authentication (30-60+
> seconds, which is the reason for the errors).
>
> I've also noticed on high-traffic POP3 servers, you may this similar
> issue as dictionary-attacks.
>
> You will want to stop dovecot (or any service that might affected by
> this, like xinetd [ftp] or admserv [httpd.admsrv]). Then kill any
> processes that might be hung (usually 'dovecot-auth'). Then run
> dbrecover, which may take a minute or two to run. Finally restart any
> service you stopped. This usually fixes the issue without the need of a
> reboot...
>
> Rusty
>
> ________________________________
>
> From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.net]
> Sent: Friday, March 09, 2007 5:26 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:09068] Dovecot/POP3 Flood
>
> I started getting POP3 authentication errors on my server today, so I
> logged on and tailed the maillog to see a POP3 flood using a dictionary
> attack.  I blocked the offending source IP address in iptables, then
> stopped dovecot to allow the server load to subside and then restarted
> it.  It restarted normally, but I couldn't connect from my mail client
> via POP3, the authentication continued to fail.  I ended up stopping and
> restarting sendmail and saslauthd, thinking perhaps those needed
> restarting.  No joy.  I tried stopping and restarting all the mail
> server services in the GUI.  Still no joy.  I ended up rebooting the
> server and everything came back up fine.
>
> What sequence should I have used to stop and restart the mail services
> correctly to avoid the reboot?
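The maillog pattern discussed in this thread (a PAM child that times out and is then killed with signal 9) can be counted separately from ordinary disconnects and grouped by remote address. The following is an added example, not code from the thread or from BlueQuartz; the function name, the alert threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the maillog excerpt in the message above;
# users and addresses (documentation ranges) are made up.
SAMPLE_LOG = """\
Apr  9 18:09:33 www dovecot: auth(default): pam(alice,192.0.2.10): PAM child process 18964 timed out, killing it
Apr  9 18:09:33 www dovecot: auth(default): pam(alice,192.0.2.10): Child process died
Apr  9 18:09:33 www dovecot: auth(default): PAM: Child 18964 died with signal 9
Apr  9 18:09:35 www dovecot: pop3-login: Disconnected: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5
Apr  9 18:10:53 www dovecot: auth(default): pam(site4,192.0.2.10): PAM child process 18986 timed out, killing it
Apr  9 18:10:53 www dovecot: auth(default): PAM: Child 18986 died with signal 9
Apr  9 18:11:02 www dovecot: auth(default): pam(bob,198.51.100.7): PAM child process 18990 timed out, killing it
"""

TIMEOUT = re.compile(r"dovecot: auth\(\w+\): pam\(([^,]+),\s*([^)\s]+)\s*\): "
                     r"PAM child process (\d+) timed out")
KILLED = re.compile(r"dovecot: auth\(\w+\): PAM: Child (\d+) died with signal 9")


def summarize(log_text, min_timeouts=3):
    """Summarize PAM auth timeouts; min_timeouts is an assumed alert threshold."""
    users_by_rip = defaultdict(set)   # remote IP -> usernames whose auth timed out
    timed_out, killed = set(), set()  # PIDs of auth children
    for line in log_text.splitlines():
        m = TIMEOUT.search(line)
        if m:
            user, rip, pid = m.groups()
            users_by_rip[rip].add(user)
            timed_out.add(pid)
            continue
        m = KILLED.search(line)
        if m:
            killed.add(m.group(1))
    return {
        "timeouts": len(timed_out),
        # Timeouts that were followed by a SIGKILL of the same child PID.
        "killed_after_timeout": len(timed_out & killed),
        # Many usernames from one address points at a dictionary run;
        # timeouts spread over regular users points at a slow auth backend.
        "users_by_rip": {rip: sorted(u) for rip, u in users_by_rip.items()},
        "slow_auth_backend": len(timed_out) >= min_timeouts,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```
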
	
