1

Topic: postscreen 100% CPU, can send received in local not received external

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.2 OPENLDAP edition.
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: debian 11.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Web server (Apache or Nginx): apache
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

For 2 days we can't receive external mails anymore. I've postscreen at about 100% CPU.

I've disabled in main.cf:

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
#    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
#    check_policy_service inet:127.0.0.1:12340

# END-OF-MESSAGE restrictions
#smtpd_end_of_data_restrictions =
#    check_policy_service inet:127.0.0.1:7777

postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.2*2
#    bl.spamcop.net*1

in master.cf:
#smtp      inet  n       -       y       -       1       smtpd
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd

When I do a reload a bunch of mail gets in, then I get a lot of
-postfix/master[3248]: warning: process /usr/lib/postfix/sbin/postscreen pid 23721 exit status 1
-postfix/postscreen[24234]: fatal: watchdog timeout
and after that
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [168.245.6.113]:5214 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [45.81.225.169]:41268 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [217.182.63.37]:57003 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [149.7.101.107]:40180 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [51.210.94.139]:59739 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [10.59.64.107]:48448 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [10.59.64.107]:48458 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [10.59.64.107]:48470 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [10.59.64.107]:48472 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [10.59.64.107]:48488 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [91.199.29.177]:44851 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [91.199.29.114]:44853 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [52.102.174.5]:53919 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [144.217.215.86]:39411 to [10.59.64.20]:25
Mar 13 17:47:01 vm-deb64-20 postfix/postscreen[30189]: CONNECT from [144.217.215.202]:59840 to [10.59.64.20]:25

nothing gets in ????

I've made no modifications, so I'm lost!


2

Re: postscreen 100% CPU, can send received in local not received external

What are the specs? It seems it can't handle the amount of mail.

3

Re: postscreen 100% CPU, can send received in local not received external

Hello,
I'm answering myself: in fact I'm under attack :-(
and my main firewall is doing a poor job.

Hence the following question:
- during my iredmail installation I didn't activate the firewall (Would you like to use firewall rules provided by iRedMail?)
Is it possible to reactivate it now? If so, how?


- I get a lot of messages like:
warning: unknown[60.214.209.221]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=xxxxx@xxxx.com
-> UGFzc3dvcmQ6 is "Password" in base64. Wouldn't it be possible to filter this with the local firewall (drop)? Maybe even couple fail2ban with the local firewall to drop the addresses altogether?

Many thanks for your responses
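
As an added example (not code from this thread or from iRedMail), here is what the fail2ban idea asked about above amounts to: parse the `SASL LOGIN authentication failed` lines, count failures per source IP inside a time window, and report the sources that cross the threshold, which is the list a jail would hand to the local firewall. The sample log lines and IP addresses are constructed; the `maxretry`/`findtime` names are borrowed from fail2ban's settings but the code below is standalone.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format quoted in the thread
# (documentation/test IP ranges, not the addresses from the original post).
SAMPLE_LOG = """\
Mar 13 17:47:01 mx postfix/smtpd[1001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=user@example.com
Mar 13 17:47:03 mx postfix/smtpd[1001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=admin@example.com
Mar 13 17:47:09 mx postfix/smtpd[1002]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=info@example.com
Mar 13 17:47:15 mx postfix/smtpd[1003]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=user@example.com
Mar 13 17:52:30 mx postfix/smtpd[1004]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=user@example.com
Mar 13 17:58:00 mx postfix/smtpd[1005]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=user@example.com
Mar 13 17:47:20 mx postfix/postscreen[30189]: CONNECT from [192.0.2.9]:5214 to [10.0.0.1]:25
"""

# Matches the failed-auth warning; the base64 token after "failed:" is the
# last server challenge of the LOGIN exchange, so it is the same on every
# failed attempt and is not useful as a filter on its own.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed: "
    r"(?P<challenge>[A-Za-z0-9+/=]+)"
)


def decode_challenge(token: str) -> str:
    """Decode the base64 token from the log line (e.g. the 'Password:' prompt)."""
    return base64.b64decode(token).decode("ascii", errors="replace")


def offending_ips(log_text: str, maxretry: int = 3,
                  findtime: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: total_failures} for sources with >= maxretry failures
    inside any findtime window (the same rule a fail2ban jail applies)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if not m:
            continue  # unrelated lines (e.g. postscreen CONNECT) are skipped
        # syslog timestamps carry no year; relative comparison is all we need
        failures[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged[ip] = len(times)
                break
    return flagged
```

With the sample above, 203.0.113.5 is flagged (three failures in eight seconds) while 198.51.100.7 is not at the default settings because its three failures span more than ten minutes; lowering `maxretry` to 2 catches it too.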

4 (edited by Cthulhu 2024-03-20 21:00:17)

Re: postscreen 100% CPU, can send received in local not received external

oof, when you didn't activate the firewall, is fail2ban even working?
Not having a firewall activated on an always-on internet server is like a "fuck me over" flag.

You can use the installer, it checks for the config files and should be able to install the necessary stuff for you.

Most of these attacks are as well brute-force, which try out combinations of username/password.