Author: Jürgen Herz Date: To: exim-users Subject: [exim] Re: Connection refused: too many connections - why?
Tim Jackson wrote:
>> after few days running flawlessly, exim suddenly decides to fail.
>> I then find hundreds of
>> Connection from [some address] refused: too many connections
>> in the log file and 20 instances of exim running but idling.
>
> How do you know they were idling? What did "exiwhat" show?
exiwhat says "handling incoming connection from smtp-send.myrealbox.com
[151.155.5.143]". With idling I meant they don't consume CPU time.
>> And the log also doesn't show connection attempts right before the error
>> lines start.
>
> Have you got this logging turned on?
You mean
log_selector = +smtp_connection
that Phil mentioned? I didn't have that on, but have it now.
> Typically this thing happens when a/some spammer(s) decide to suddenly
> open a load of connections. I've seen the same thing with distributed
> attacks where a load of different (but clearly controlled-together)
> machines connect. Sometimes (for whatever reason) they hold the
> connections open, apparently not doing much, for quite a while.
This "hang" just happened again last night after only a few hours this
time. But since questionable connections being handled by all those
processes are from Myrealbox, I don't think it's a selective DOS. It's
just that I instructed Myrealbox to CC the server Exim is running on for
every incoming message.
> Limiting the number of connections per host to a small percentage of
> your available connections may help, although not in the case of a
> distributed attack as above.
