Topic: [solved] High Load Average after last upgrade: qpsmtpd-forkser

[Jean-Philippe Pialasse]

well as pointed Charlie, the mail will never leave your server anyway, as the DNS  is

Code: [Select]

mail.p10361243119.s2599.jianzhanapp.com. 43200 IN A 127.0.0.2
somebody did manage to put this mail in you system,  and it keeps being sent and resent as 127.0.0.2 is localhost also
qpsmtpd pass it to qmail
qmail pass it to qpsmtpd
then qmail pass it to qpsmtpd
which pass it to qmail ....


try telnet 127.0.0.2 25 , you qpsmtd will answer

Code: [Select]

# telnet 127.0.0.2 25
Trying 127.0.0.2...
Connected to 127.0.0.2.
Escape character is '^]'.
220 me.moi.pialasse.com ESMTP
helo localhost
250 moi.pialasse.com Hi Unknown [127.0.0.2]; I am so happy to meet you.
quit
221 moi.pialasse.com closing connection. Have a wonderful day.
Connection closed by foreign host.

this look like a good way to attack a system sending hundred of mails this way ...

now what is the best way to stop this.... and also prevent this from happening

[CharlieBrady]

I´d love to see one of those messages.

With qmail stopped, you can find one in the qmail queue, using 'grep -r'.

How I can find out what is running as a service on 127.0.0.2 (if there any !)...

The issue is that qmail-remote is sending the message to qpsmtpd running on port 25, 127.0.0.2 (because qpsmtpd is listening to *). The problem is the message, and DNS, not any programs running on your server.

We could possibly solve the load issue by denying relaying on the 127.0.0.2 address. We could also have a plugin in qpsmtpd which looks for loopback addresses in the MX records of senders and recipients.

[Jáder]

I stopped qmail.
I have seen the message using:

Code: [Select]

find /var/qmail/queue -name 21234028| xargs cat | less
but there are HUGE headers...just 127.0.0.2 over and over again.

I´d like to know how to remove the message...I could delete that 21234028 file... but not sure if that is the right way.
I´m sure I´ll need remove more than just one file from qmail queue.
Can someone help me with this ?

About pluging about loopback addresss: I AGREE!!

[Jean-Philippe Pialasse]

there is definitively a bug here we need to resolve, as there is an infinity loop



I do not know how safe it is to delete from the qpsmtpd queue


I just tested and confirmed the bug on a server, I had the opposite approach,

define mail.p10361243119.s2599.jianzhanapp.com to an ip of another server I control or any ip of your lan  in /etc/hosts, and then used qmail handle to delete the mail

Code: [Select]

MESSAGE NUMBER 147776
 --------------
Received: (qmail 31579 invoked by uid 453); 27 Jul 2016 14:41:12 -0000
Received: from Unknown (HELO moi.pialasse.com) (127.0.0.2)
    by moi.pialasse.com (qpsmtpd/0.84) with SMTP; Wed, 27 Jul 2016 10:41:12 -0400
Received: (qmail 31574 invoked by uid 453); 27 Jul 2016 14:41:10 -0000
Received: from Unknown (HELO moi.pialasse.com) (127.0.0.2)
    by moi.pialasse.com (qpsmtpd/0.84) with SMTP; Wed, 27 Jul 2016 10:41:10 -0400
Received: (qmail 31564 invoked by uid 453); 27 Jul 2016 14:41:08 -0000
Received: from Unknown (HELO moi.pialasse.com) (127.0.0.2)
    by moi.pialasse.com (qpsmtpd/0.84) with SMTP; Wed, 27 Jul 2016 10:41:08 -0400
Received: (qmail 31559 invoked by uid 453); 27 Jul 2016 14:41:07 -0000
Received: from Unknown (HELO moi.pialasse.com) (127.0.0.2)
    by moi.pialasse.com (qpsmtpd/0.84) with SMTP; Wed, 27 Jul 2016 10:41:07 -0400
Received: (qmail 31552 invoked by uid 453); 27 Jul 2016 14:41:05 -0000
Received: from Unknown (HELO moi.pialasse.com) (127.0.0.2)
    by moi.pialasse.com (qpsmtpd/0.84) with SMTP; Wed, 27 Jul 2016 10:41:05 -0400
...
Received: from Unknown (HELO moi.pialasse.com) (127.0.0.2)
    by moi.pialasse.com (qpsmtpd/0.84) with SMTP; Wed, 27 Jul 2016 10:40:22 -0400
in only 2 minutes I had hundreds of lines , if it is days you have this message it might weight hundreds of megabytes.

[Jean-Philippe Pialasse]

bug openned there: https://bugs.contribs.org/show_bug.cgi?id=9704

[CharlieBrady]

bug openned there: https://bugs.contribs.org/show_bug.cgi?id=9704

You should have asked jader to open the bug. We need to ensure that he is following the bug, and providing all the information required.

[CharlieBrady]

but there are HUGE headers...just 127.0.0.2 over and over again.

You need to identify the earliest Received: header, to determine how the message was first injected into the queue.

[CharlieBrady]

We could possibly solve the load issue by denying relaying on the 127.0.0.2 address.

That should already be the case:

Code: [Select]

[root@sdfdsf ~]# cd /service/qpsmtpd/peers/
[root@sdfdsf peers]# ls -l
total 8
-rw-r--r-- 1 root root 13 Jan 20  2016 0
lrwxrwxrwx 1 root root  5 Jan 20  2016 127.0.0.1 -> local
lrwxrwxrwx 1 root root  5 Jan 20  2016 192.168.122 -> local
lrwxrwxrwx 1 root root  1 Jul  8 12:52 192.168.122.1 -> 0
-rw-r--r-- 1 root root 13 Jan 20  2016 local
[root@sdfdsf peers]#


[CharlieBrady]

define mail.p10361243119.s2599.jianzhanapp.com to an ip of another server I control or any ip of your lan  in /etc/hosts

jader has already tried modifying /etc/hosts - I don't think qmail looks there - just in DNS. A custom entry in /var/qmail/control/smtproutes should work.

[Jean-Philippe Pialasse]

jader has already tried modifying /etc/hosts - I don't think qmail looks there - just in DNS. A custom entry in /var/qmail/control/smtproutes should work.

it will need a service qmail restart anyway in both cases

[Jean-Philippe Pialasse]

That should already be the case:

Code: [Select]

[root@sdfdsf ~]# cd /service/qpsmtpd/peers/
[root@sdfdsf peers]# ls -l
total 8
-rw-r--r-- 1 root root 13 Jan 20  2016 0
lrwxrwxrwx 1 root root  5 Jan 20  2016 127.0.0.1 -> local
lrwxrwxrwx 1 root root  5 Jan 20  2016 192.168.122 -> local
lrwxrwxrwx 1 root root  1 Jul  8 12:52 192.168.122.1 -> 0
-rw-r--r-- 1 root root 13 Jan 20  2016 local
[root@sdfdsf peers]#


I feel it misses a
ln -s local 127.0.0 to have an effect on 127.0.0.2, 127.0.0.3 ...

[CharlieBrady]

I feel it misses a
ln -s local 127.0.0 to have an effect on 127.0.0.2, 127.0.0.3 ...

That's exactly what we don't want, since we want to prevent relaying via 127.0.0.2 (etc), not allow it.

[Jean-Philippe Pialasse]

then ln -s 0 127.0.0 ?

[Jean-Philippe Pialasse]

but still if we have 127.0.0.200 for fetchmail running do you  consider it local or remote ?

[Jáder]

I have several info to update on BUG... but need to know how to remove this message from queue.
Can someone post a howto here ?

The message has more than 21MB right now!

Code: [Select]

21238600 (9, 9/21238600)
  Return-path: gcontratos@xxxxx.com.br
  From: Renata Bassoa <gcontratos@xxxx.com.br>
  To: destinatarios-nao-revelados: ;
  Subject: =?UTF-8?Q?Pesquisa_de_satisfa=c3=a7=c3=a3o_-_1=c2=ba_Semestre_2016?=
  Date: Mon, 18 Jul 2016 08:53:25 -0300
  Size: 21744867 bytes


Code: [Select]

[root@andorinha ~]# cat /var/qmail/queue/mess/22/21237394|grep X-Virus-Checked|wc -l
53702
[root@andorinha ~]#