Topic: Too many connections: 10 >= 10. Waiting one second.

[mophilly]

Yes.  My guess is that you're missing the trailing "\" at the end of the port line in /var/service/sqpsmtpd/run (colored red in the extract below):
You would get the same behavior if the backslash is there but has a space after it - "\ " instead of "\"

And you are correct! That's fixed.

ran signal-event post-upgrade; signal-event reboot;
then...

Code: [Select]

ps auxwww |grep qpsmtpd
smelog    1173  0.0  0.0   3940   360 ?        S    16:54   0:00 /usr/local/bin/multilog t s5000000 n10 /var/log/sqpsmtpd
smelog    1182  0.0  0.0   3940   360 ?        S    16:54   0:00 /usr/local/bin/multilog t s5000000 n10 /var/log/qpsmtpd
qpsmtpd   2735  0.0  0.2  71908 16292 ?        S    16:55   0:00 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 25 -c 40 -m 5
qpsmtpd   2765  0.0  0.2  71908 16276 ?        S    16:55   0:00 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 465
root     11987  0.0  0.0 103324   868 pts/0    S+   16:59   0:00 grep qpsmtpd

The parameters are still missing. I must have over looked something, although I double checked the run script.

[ReetP]

And you are correct! That's fixed.

Lord there are some clever buggers round here

[mmccarn]

ran signal-event post-upgrade; signal-event reboot;

You shouldn't need to reboot to see if you've fixed it; stopping and starting sqpsmtpd is enough.

ps auxwww |grep qpsmtpd
root       963  0.0  0.0    108    28 ?        Ss   15:26   0:00 runsv qpsmtpd
root       992  0.0  0.0    108    28 ?        Ss   15:26   0:00 runsv sqpsmtpd
smelog    1018  0.0  0.0   3940   296 ?        S    15:26   0:00 /usr/local/bin/multilog t s5000000 n30 /var/log/sqpsmtpd
smelog    1028  0.0  0.0   3940   316 ?        S    15:26   0:00 /usr/local/bin/multilog t s5000000 n30 !/usr/local/bin/qplogsumm.pl /var/log/qpsmtpd
qpsmtpd   2464  0.0  0.7 119424 29432 ?        S    15:30   0:04 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -m 5 -c 40 -p 25
qpsmtpd   2622  0.0  0.7 119424 28484 ?        S    15:30   0:03 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 465 -c 10 -m 5

# edit /var/service/sqpsmtpd/run - move "-p ${PORT:-465}" to a different position

sv d sqpsmtpd
sv u sqpsmtpd

# ps auxwww |grep qpsmtpd
root       963  0.0  0.0    108    28 ?        Ss   Oct27   0:00 runsv qpsmtpd
root       992  0.0  0.0    108    28 ?        Ss   Oct27   0:00 runsv sqpsmtpd
smelog    1018  0.0  0.0   3940   316 ?        S    Oct27   0:00 /usr/local/bin/multilog t s5000000 n30 /var/log/sqpsmtpd
smelog    1028  0.0  0.0   3940   316 ?        S    Oct27   0:00 /usr/local/bin/multilog t s5000000 n30 !/usr/local/bin/qplogsumm.pl /var/log/qpsmtpd
qpsmtpd   2464  0.0  0.7 119424 29504 ?        S    Oct27   0:04 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -m 5 -c 40 -p 25
qpsmtpd   4683 20.3  0.4  71908 16256 ?        S    00:01   0:00 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -c 10 -m 5 -p 465

Here is my entire copy of /var/service/sqpsmtpd/run for reference:

Code: [Select]

#!/bin/sh
#----------------------------------------------------------------------
# copyright (C) 1999-2005 Mitel Networks Corporation
# Copyright (C) 2005-2006 Gordon Rowell <gordonr@gormand.com.au>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
#----------------------------------------------------------------------

exec 2>&1

[ -f ./runenv ] && . ./runenv

export QPSMTPD_CONFIG=/var/service/qpsmtpd/config

../qpsmtpd/control/1

exec /usr/local/bin/softlimit -d ${SOFTLIMIT:-25000000} -s ${SOFTLIMIT:-25000000} -l ${SOFTLIMIT:-25000000} \
  /usr/bin/qpsmtpd-forkserver \
-u qpsmtpd \
-l 0.0.0.0 \
-c ${INSTANCES:-40} \
        -m ${INSTANCES_PER_IP:-5} \
        -p ${PORT:-465}

#sub usage {
#        print <<"EOT";
#usage: qpsmtpd-forkserver [ options ]
# -l, --listen-address addr : listen on a specific address; default 0.0.0.0
# -p, --port P              : listen on a specific port; default 2525
# -c, --limit-connections N : limit concurrent connections to N; default 15
# -u, --user U              : run as a particular user (defualt 'smtpd')
# -m, --max-from-ip M       : limit connections from a single IP; default 5
#EOT
#        exit 0;
#}
#


[mophilly]

Thank you, again, for the detail. I revised the run script to use precisely the order of assigments in your example and restarted sqpsmtpd. Now the parameters appear as desired.

One remaining question: if this change allows sqpsmtpd to respect the limit per ip, is there still a need to apply the revision to fail2ban to trap specific log entries, suggested elsewhere?

[mmccarn]

One remaining question: if this change allows sqpsmtpd to respect the limit per ip, is there still a need to apply the revision to fail2ban to trap specific log entries, suggested elsewhere?

I don't know about the fail2ban trap; I'll leave that for others.

Be aware that the order of the arguments was not the solution to the CONCURRENCY_PER_IP problem - that turns out to be a problem with qpsmtpd-forkserver where it doesn't pay attention to CONCURRENCY_PER_IP until after it receives a HUP signal.  You can read more in comments 22-24 in this bug: https://bugs.contribs.org/show_bug.cgi?id=10639#c24

[mophilly]

Be aware that the order of the arguments was not the solution to the CONCURRENCY_PER_IP problem - that turns out to be a problem with qpsmtpd-forkserver where it doesn't pay attention to CONCURRENCY_PER_IP until after it receives a HUP signal.

Understood. I used copy and paste when I first modified the script with nano; perhaps an errant character was introduced that was removed when I edited the script this last time.

[mophilly]

a problem with qpsmtpd-forkserver where it doesn't pay attention to CONCURRENCY_PER_IP until after it receives a HUP signal.

After the latest changes, I let the system run and noticed the log reports x/10 in connect accepted messages. After a time this appeared in the log:

Code: [Select]

2018-10-28 14:14:21.279064500 32415 Accepted connection 9/10 from 174.138.53.173 / Unknown
2018-10-28 14:14:21.279125500 32415 Connection from Unknown [174.138.53.173]
2018-10-28 14:14:22.273792500 17583 Too many connections: 10 >= 10.  Waiting one second.

At that point, the users cannot send mail. Not sure what to consider next.

[bunkobugsy]

If you're willing to try... https://bugs.contribs.org/show_bug.cgi?id=10387#c19

uncomment  $qpsmtpd->load_plugins  at line 199 in /usr/bin/qpsmtpd-forkserver
and restart (at least sqpsmtpd and qpsmtpd)

[bunkobugsy]

Tried it myself, uncommenting $qpsmtpd->load_plugins at line 199 in /usr/bin/qpsmtpd-forkserver seems to fix CONCURRENCY_PER_IP problem.
The default 120 second timeout is still ignored (in the TLS plugin at least).

Don't know about any side effects of this patch, haven't tested long enough.

[bunkobugsy]

120 second timeout works regardless of this patch, but only on port 25/qpsmtpd.

Timeout not working on port 465/sqpsmtp must be a separate issue with TLS.

[dave simmons]

I seem to also have become a victim of this.  SME 9.2 with all updates applied, no additional contribs.

Sorry for my stupidity, but could someone please explain in simple terms what I need to do?

I've read the bugs linked and a coupe of other forum threads, but I'm no further 

If it helps, I have a second SME 9.2 which I haven't updated (forgot!) for about 6 months.  This is showing the same problem with connections, but this machine DOES drop the connections quickly enough that I don't have the "too many connections" message.  Maybe something wrong with an update?

I've also got a SME 8 machine running (naughty!) which handles this fine - excerpt from the log file -

"2018-11-16 09:50:05.822193500 2797 hosts_allow plugin (pre-connection): Too many connections from 159.89.18.60: 6 > 5Denying connection."

ETA:  Some googling brought up this from 2015 - https://forums.contribs.org/index.php?topic=51882.0

[TerryF]

I've read the bugs linked and a coupe of other forum threads, but I'm no further 

This:
uncomment  $qpsmtpd->load_plugins  at line 199 in /usr/bin/qpsmtpd-forkserver
and restart (at least sqpsmtpd and qpsmtpd)

Open that file in a suitable editor go to line 199  # $qpsmtpd->load_plugins
remove the # save the file and restart

This is the section the line is in, its from mine, I have removed the #:

endgrent;
$) = $groups;
POSIX::setgid($qgid) or die "unable to change gid: $!\n";
POSIX::setuid($quid) or die "unable to change uid: $!\n";
$> = $quid;

$qpsmtpd->load_plugins;

foreach my $addr (@LISTENADDR) {
    ::log(LOGINFO, "Listening on $addr->{addr}:$addr->{port}");
}
::log(LOGINFO,

 

[dave simmons]

TerryF - thank you - I have done this and will keep an eye on it!

[ReetP]

Rather than cluttering the thread I have added some updated fail2ban files and instructions for use here:

https://bugs.contribs.org/show_bug.cgi?id=8955

As a workaround, that seems to have stopped overloading connections for me.

[TerryF]

and it is very comprehensive, recommended.

Thanks John