SMTP Server consumes 100% CPU and refuses new connections

Issue #276 closed
yannikh created an issue

Recently I had the problem multiple times that the SMTP server would not accept any new connections. Checking the server, I noticed that the server consumes 100% CPU:

(screenshot attached: mailserver.png)

Note that only SMTP is affected. All other services continue to work fine.

Since I see 15 processes here, I guess that the limit of 15 parallel transactions is reached. However, they all seem to come from a single IP address (in China), which is probably a malicious client.

I can't figure out, though, what the server is actually doing. If I grep qmail log/messages I see there is nothing unusual - except that there was absolutely no log output for the last 10 hours (during which I suppose the SMTP server was unavailable).

The last log-file in log/qpsmtpd/2018-04-04 says:

2018-04-04 21:20:12 [karma] - fail, tolerated
2018-04-04 21:20:13 [tls] - pass, connect via SMTPS
2018-04-04 21:20:14 [earlytalker] - pass, not spontaneous
2018-04-04 21:20:14 [relay] - skip, no match
2018-04-04 21:20:14 - 220 MY_SERVER_ADDRESS ESMTP
2018-04-04 21:20:15 - dispatching EHLO ADMIN
2018-04-04 21:20:15 [helo] - karma -1 (-1)
2018-04-04 21:20:15 [helo] - fail, tolerated, not FQDN
2018-04-04 21:20:15 - 250-mail.MY_SERVER_ADDRESS Hi Unknown [210.72.142.7]
2018-04-04 21:20:15 - 250-PIPELINING
2018-04-04 21:20:15 - 250-8BITMIME
2018-04-04 21:20:15 - 250 AUTH LOGIN PLAIN
2018-04-04 21:20:15 - dispatching AUTH LOGIN
2018-04-04 21:20:15 - 334 VXNlcm5hbWU6
2018-04-04 21:20:15 - 334 UGFzc3dvcmQ6

(Server address replaced in the log).

So what is it doing? Is it trying passwords? I think it should not be that easy to lock down a mailserver. What can I do? Is there some log file I missed that logs failed authentication (so I can use it with fail2ban)? This problem basically renders my mailserver useless.

Comments (3)

  1. yannikh reporter

    @S H: Did you change anything? If yes: what was the problem? If no: I updated right before submitting this issue, so it should have been the most recent version at that point...

  2. SH repo owner

    We changed qpsmtpd for Haraka. See https://poste.io/changelog

    It is a known attack vector of the old setup - attackers exhaust connection forks with login testing - not easy to fix generally without a major rewrite. v2+ uses Haraka, which handles connections in an async way, which is much cheaper, and there is also automatic blocking of naughty clients.
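    A fail2ban-style detection over the qpsmtpd log format shown in the issue, as an added example that is not code from poste.io, qpsmtpd, Haraka or the thread: it attributes each "dispatching AUTH" line to the client IP in the preceding greeting line and flags IPs that exceed a maxretry/findtime-style threshold. It assumes that a connection's lines are not interleaved with other connections' lines (as in the excerpt) and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two qpsmtpd line shapes from the issue's log: the greeting carrying the client IP,
# and "dispatching AUTH ..." marking one login attempt.
TS_FMT = "%Y-%m-%d %H:%M:%S"
HELLO_RE = re.compile(r"^(\S+ \S+) - 250-\S+ Hi \S+ \[([0-9a-fA-F.:]+)\]")
AUTH_RE = re.compile(r"^(\S+ \S+) - dispatching AUTH (LOGIN|PLAIN|CRAM-MD5)")

def auth_attempts(lines):
    """Yield (timestamp, ip) per AUTH command, attributed to the most recent greeting.
    Assumes lines of different connections are not interleaved, as in the excerpt."""
    client = None
    for line in lines:
        hello, auth = HELLO_RE.match(line), AUTH_RE.match(line)
        if hello:
            client = hello.group(2)
        elif auth and client:
            yield datetime.strptime(auth.group(1), TS_FMT), client

def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_attempts} for clients with >= threshold AUTH commands inside
    any sliding `window` (the maxretry/findtime rule a fail2ban jail would apply)."""
    by_ip = defaultdict(list)
    for ts, ip in auth_attempts(lines):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders

def _session(ts, ip, mech):  # one constructed session in the excerpt's format
    return [f"{ts} - 250-mail.MY_SERVER_ADDRESS Hi Unknown [{ip}]",
            f"{ts} - 250 AUTH LOGIN PLAIN",
            f"{ts} - dispatching AUTH {mech}",
            f"{ts} - 334 VXNlcm5hbWU6"]

# Constructed sample: six back-to-back sessions from the IP in the issue, then one normal login.
SAMPLE_LOG = []
for i in range(6):
    SAMPLE_LOG += _session(f"2018-04-04 21:20:{15 + i:02d}", "210.72.142.7", "LOGIN")
SAMPLE_LOG += _session("2018-04-04 21:25:00", "192.0.2.10", "PLAIN")
```

    Counting AUTH commands rather than failures is deliberate: the excerpt shows no explicit failure line, so the 334 challenge is the only trace of an attempt, and a short window with a low threshold catches the fork-exhaustion pattern the owner describes.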
