In message <Pine.SOC.4.61.0501040939530.1114@???>,
Philip Hazel <ph10@???> writes
>On Wed, 29 Dec 2004, Richard Clayton wrote:
>
>> here's a little gem from some logs for a large ISP from Monday....
>
>Boggle.
I understand that this is not a one-off event -- some other ISPs have
seen the same effect :(
>> so after 22 minutes cluttering up the machine and 399 delivery attempts
>> (imagine the time would be with more timeouts and fewer refusals) it
>> finally goes to the fallback machine where it doesn't get in the way of
>> the real service that is being provided.
>>
>> Anyway, I'd suggest that hosts_max_try (at its default setting of 5)
>> isn't really sufficient in the face of (effectively) malicious DNS
>> contents...
>
>I don't understand why hosts_max_try didn't kick in during this process.
I think the problem may be (I have no traces of actual events, sorry,
just the log evidence I already posted) that there's quite a lot of
email to these destinations -- and hence Exim is re-trying addresses
that are already past their retry limits; and these don't count towards
the total. This was apparently a change made in 4.11
>It is indeed supposed to move on to a higher MX number if one exists,
>but then it should try only 5 IP addresses (at the default setting). I
>wonder why it didn't?
>
>> perhaps a hosts_total_try of 20 or so would be a useful
>
>The problem with that is the problem of bouncing.
indeed
>As I have tried to
>document in 30.4, Exim goes to some lengths to ensure that all possible
>IP addresses are tried before a message is bounced on a timeout. That
>seems to be a good general rule. Previously, when it didn't do this,
>less than optimum behaviour resulted.
what I'm suggesting is that sites that are not being silly may have a
fair number of "possible IP addresses" but not hundreds. If you think 20
is too low for such a count, then by all means arrange for
hosts_total_try to have a higher value ... but anything short of 399 is
going to be a gain here :)
>However, when there are hundreds of addresses to try, I can see that
>this isn't so good. But I'm not sure there is a better answer. Sigh.
>
>A general remark is that, whatever one tries to do, in an environment
>such as the Internet, which is based on mutual cooperation, it is always
>going to be possible for somebody to mount what is effectively a type of
>DoS attack.
yes indeed -- so what I'm suggesting is that an anti-DOS mechanism is
needed. An overall count seems more robust than complex calculations
with limiting the number of MXs tried or the number of IP addresses
attempted for each MX. However, there's clearly many ways to approach
the problem.
I can see that some cleverness is needed to deal with sites that
genuinely need a dozen fallback MXs -- though I note that people like
AOL who used to work that way no longer do so -- so I wonder how many
there are of these on today's Internet ?
- --
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
