On Wed, Feb 11, 2009 at 04:08:57PM +1100, Ted Cooper wrote:
> environments differ a bit. Every new SMTP connection should be getting
> its own separate forked process with its own memory space which means
> there is something truly weird going on to end up sharing a PTR record
> between multiple processes.
Thanks for looking and let me clarify that it is rare but it has happened
several times in the past and again just recently. I've never been able to
reproduce it either. This is an older box running Fedora Core 4
(2.6.15-1.1833_FC4) and bind 9.3.1-14_FC4, so its entirely possible that
there's an issue there. (It just happens to be a box with a 950 day up
time which is ridiculously long compared to any other linux boxes I have)
> Could you post the Local/Makefile used to compile exim, "ldd -v
> /path/to/exim-4.69", your config file options for verify_hosts and maybe
> the connect ACL?
See below...
> * your ram is fragged
Possible, but this is the only issue that I see on this box and it handles
all SMTP including spamassassin and all of its DNS lookups and (separately)
DNS and doesn't appear to have problems, indeed its one of my most stable
boxes.
> * your resolver is fragged
Possible it is 9.3.1 from a FC4 build (so it could be that it is
vulnerable to the random port hijack vuln.), but it forwards all queries
onto open DNS's servers rather than handling them it itself.
> * maybe a strange bug with the light forking done by linux that does a
> copy on first use of memory but it somehow manages to use the parent
> memory space the first time and all subsequent forks copy the memory
> from the parent and don't clear it.
> * resolver library ended up with the same chunk of ram for a
> particular process and it doesn't clear the memory before use. Should
> eventually be fixed by a good lookup with that memory chunk.
I'm sure both are possible. The only reason I'm not sure if it is an
exim issue or a resolver issue is that it would seem reasonable that
if its a resolver issue it would happen everytime that look up is made.
Or at the least it would either randomly stop this behaviour or continue
this behaviour until the resolver restarts if it was a problem in the
DNS server.
But what I see is that the problem starts and then persists all day until
the end of the exim log file. When the next log file starts everything is
okay again. named is logging via syslog so even when the log files are
rotated named itself isn't restarted, but that same log rotation causes
exim to be re-exec'd. This would suggest that the problem goes away when
exim is restarted and thus the reason why I think the problem lies within
exim rather than in named.
Which is not any critism against exim, of course. I'm entirely open to
the idea that the probelm is in a lib which exim uses.
> * something not getting cleared somewhere :P
> * The static memory used by "gethostbyaddr()" is somehow not getting
> cleared and magically returns the same thing all the time?
That something isn't being cleared would be my guess, but I have no idea
what since if it resolves both forwards and backwards then there's no
problem and I would think would mean it would clear out whatever is
"getting stuck". But the box is pretty old so I'm willing to accept that it
could be a resolver lib issue so I should probably get BIND upgraded and
re-address the issue if I see this problem again in the future.
Anyway thanks for your time. Here are the files you asked to see:
sid# cat /usr/local/src/mail/exim/exim-4.69/Local/Makefile | sed -e
'/^#/d' -e '/^$/d'
BIN_DIRECTORY=/usr/exim/bin
CONFIGURE_FILE=/usr/exim/configure
EXIM_USER=exim
SPOOL_DIRECTORY=/var/spool/exim
INCLUDE=-I/usr/local/BerkeleyDB/include -I/usr/local/include/spf2
-I/usr/local/include/cdb
ROUTER_ACCEPT=yes
ROUTER_DNSLOOKUP=yes
ROUTER_MANUALROUTE=yes
ROUTER_REDIRECT=yes
TRANSPORT_APPENDFILE=yes
TRANSPORT_AUTOREPLY=yes
TRANSPORT_PIPE=yes
TRANSPORT_SMTP=yes
SUPPORT_MAILDIR=yes
LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes
LOOKUP_CDB=yes
LOOKUP_DNSDB=yes
WITH_CONTENT_SCAN=yes
FIXED_NEVER_USERS=root
HEADERS_CHARSET="ISO-8859-1"
LOG_FILE_PATH=/var/log/exim_%s.log
SYSLOG_LOG_PID=yes
EXICYCLOG_MAX=10
COMPRESS_COMMAND=/usr/bin/gzip
COMPRESS_SUFFIX=gz
ZCAT_COMMAND=/usr/bin/zcat
EXIM_PERL=perl.o
SYSTEM_ALIASES_FILE=/etc/aliases
TMPDIR="/var/spool/exim/tmp"
SUPPORT_MOVE_FROZEN_MESSAGES=yes
sid# ldd -v /usr/exim/bin/exim-4.69-1
linux-gate.so.1 => (0x0074f000)
libresolv.so.2 => /lib/libresolv.so.2 (0x47dc9000)
libnsl.so.1 => /lib/libnsl.so.1 (0x41d14000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x47cb3000)
libm.so.6 => /lib/libm.so.6 (0x47c82000)
libdb-4.4.so => /usr/local/BerkeleyDB/lib/libdb-4.4.so (0x0043d000)
libdl.so.2 => /lib/libdl.so.2 (0x47c69000)
libutil.so.1 => /lib/libutil.so.1 (0x47c6f000)
libpthread.so.0 => /lib/libpthread.so.0 (0x47da0000)
libc.so.6 => /lib/libc.so.6 (0x47b3e000)
/lib/ld-linux.so.2 (0x47b20000)
Version information:
/usr/exim/bin/exim-4.69-1:
libcrypt.so.1 (GLIBC_2.0) => /lib/libcrypt.so.1
libdl.so.2 (GLIBC_2.1) => /lib/libdl.so.2
libdl.so.2 (GLIBC_2.0) => /lib/libdl.so.2
libresolv.so.2 (GLIBC_2.2) => /lib/libresolv.so.2
libm.so.6 (GLIBC_2.0) => /lib/libm.so.6
libpthread.so.0 (GLIBC_2.2) => /lib/libpthread.so.0
libpthread.so.0 (GLIBC_2.0) => /lib/libpthread.so.0
libc.so.6 (GLIBC_2.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.2) => /lib/libc.so.6
libc.so.6 (GLIBC_2.1.2) => /lib/libc.so.6
libc.so.6 (GLIBC_2.1) => /lib/libc.so.6
libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
/lib/libresolv.so.2:
libc.so.6 (GLIBC_2.1.3) => /lib/libc.so.6
libc.so.6 (GLIBC_PRIVATE) => /lib/libc.so.6
libc.so.6 (GLIBC_2.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.2) => /lib/libc.so.6
libc.so.6 (GLIBC_2.1) => /lib/libc.so.6
libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
/lib/libnsl.so.1:
libc.so.6 (GLIBC_2.1.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.1.1) => /lib/libc.so.6
libc.so.6 (GLIBC_2.2) => /lib/libc.so.6
libc.so.6 (GLIBC_2.2.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
libc.so.6 (GLIBC_2.1) => /lib/libc.so.6
/lib/libcrypt.so.1:
libc.so.6 (GLIBC_2.1.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
/lib/libm.so.6:
ld-linux.so.2 (GLIBC_PRIVATE) => /lib/ld-linux.so.2
libc.so.6 (GLIBC_2.1.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
/usr/local/BerkeleyDB/lib/libdb-4.4.so:
libc.so.6 (GLIBC_2.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.1.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.1) => /lib/libc.so.6
libc.so.6 (GLIBC_2.2) => /lib/libc.so.6
libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
libpthread.so.0 (GLIBC_2.0) => /lib/libpthread.so.0
libpthread.so.0 (GLIBC_2.2) => /lib/libpthread.so.0
libpthread.so.0 (GLIBC_2.3.2) => /lib/libpthread.so.0
/lib/libdl.so.2:
libc.so.6 (GLIBC_2.1.3) => /lib/libc.so.6
libc.so.6 (GLIBC_2.1) => /lib/libc.so.6
libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
Yes, I know its horrid, but I have old hardware, no budget and too much spam
# {{{ ====== acl_check_connect
acl_check_connect:
accept
hosts = :
defer
message = Load is too high (load=$load_average)
condition = ${if > {$load_average}{10000}{yes}{no}}
accept
hosts = +relay_from_hosts:+accepted_hosts
logwrite = <A R=$sender_host_address is listed as local accept host
# These are servers that are whitelisted as good senders:
accept
dnslists = list.dnswl.org
logwrite = <A R=$sender_host_address whitelisted in dnswl.org ($dnslist_value). Skipping acl_check_connect
accept
dnslists = query.bondedsender.org=127.0.0.10
logwrite = <A R=$sender_host_address in bondedsender.org
# Drop based on IP address of network first:
drop
log_message = R=Too much spam/phishing scams from sender network [$sender_host_address]
message = Due to the large number of spam bots on your ISP's network/phishing scam mails from your host we no longer accept mail from this network. You must use your ISP's mail servers to contact this customer.
hosts = 82.77.206.0/23:84.247.48.0/20:81.196.0.0/16:58.120/13:81.196.64.0/19:59.32.0.0/12:66.98.128.0/17:85.84.0.0/14:12.149.232.78:66.98.128.0/17:216.7.170.152:205.196.210.16:69.30.199.66:220.88.0.0/13:61.72.0.0/14:61.78.0.0/13:205.196.218.12:211.5.172.6:216.127.64.0/19:69.72.176.74:81.18.79.0/24:69.30.199.66:82.76.0.0/14:67.15.0.0/17:67.15.128.0/18:67.15.192.0/19:67.15.224.0/20:216.127.64.0/19:66.194.250.231:72.29.5.161:81.198.44.0/22:62.101.160.0/19:205.162.40.0/21:205.183.255.192/26:65.36.166.88:204.14.108.122
drop
log_message = R=MX spam host
message = Sending Spam is a violation of our Terms of Service
condition = ${if and { \
{ match {$sender_host_name} {^mx[0-9][0-9][0-9]+} } \
{ ! match {$sender_host_name} {(?:belgacom.be|rm0[0-9]\.net)} } \
} {yes}{no} }
drop
log_message = R=Too many spam bots on ISP network (Connect ACL) SF=$sender_fullhost SH=$sender_host_name SI=$sender_host_address
message = Due to the large number of spam bots on your ISP's network we no longer accept mail from this network. You must use your ISP's mail servers to contact this customer.
condition = ${if \
or { \
{ and { \
{ match {$sender_host_name} {\N\b(?:arpa|[arxhe]?dsl[0-9b]*|cpe|d(?:Hosting Control Panel|ial(?:-?up)?|[iu]p[0-9]*|yn(?:amic)?(?:ip)?)|hsia|cable|bbb|slip|p(?:pp(?:oe)?|ool|host-?ip))[-.]\N} } \
{ !match {$sender_host_name} {\N\bdsl\.net\N} } \
} \
} \
{match {$sender_host_name} {\N(?:h(?:ost)?|client|d(?:[iu]p)?|[arxhe]d?sl)?-?[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-?\.(?:digitalputty\.com|.*\.speeduol\.com\.br|touchtelindia\.net|bbt\.net\.ar|tfn\.net\.tw|client\.insightbb\.com|.speedy\.com\.(?:ar|pe)|[a-z]+\.wideopenwest\.com|fibertel\.com\.ar|covad\.net|choiceone\.net|fuse\.net|midco\.net|vnet\.hu|(?:phnx|hlrn)\.qwest\.net|hinet-ip\.hinet\.net|client\.dsl\.net|oxfordnetworks\.net|bna\.bellsouth\.net|[a-z]+\.(?:adelphia|inreach)\.net|[a-z0-9]+\.covad\.net|\.speedy\.net\.pe|citykom.de|inter.net.il|evc\.net|ip-.*\.telefonica-ca\.net)\N} } \
{ match {$sender_host_name} {\N(?:\.[a-z][a-z]\.(?:vtr|comcast|charter)\.(?:com|net)|\.client.mchsi.com|\.ip\.alltel\.net|catv.broadband.hu|uddi\.blueyonder\.co\.uk|\.fbx\.proxad\.net|vds-.*amen-pro.(?:fr|com)|(?:cpe-.*|\.res)\.rr\.com|[a-z]+\.pacbell\.net|pooles\.rima-tde\.net|catv\.broadband\.hu|[0-9]\.netvisao\.pt|kabel\.netvisit\.nl|bb\.netvision\.net\.il|[0-9]\.interbusiness\.it|\.abo\.wanadoo\.fr|net[0-9-]+\.noos\.fr|^chello.*\.surfer\.at|\.user\.auna\.net|\.customer\.telesp\.net\.br|(?:(?:c[0-9a-f]{7}\.|[0-9]\.[a-z]{3})\.virtua|\.user\.veloxzone)\.com\.br|\.static\.tfn\.net\.tw|^chello[0-9]+\.chello\.[a-z]{2}|upc-.\.chello.nl|vie\.surfer\.at|wiley-[0-9-]+\.roadrunner\.nf\.net|^zaq\..*\.zaq\.ne\.jp|.*\.rev\.gaoland\.net|\.(?:red|cablep|pop)\.bezeqint.net|\.zappmobile\.ro|catv-pool\.axelero\.hu|onocable\.ono\.com|net\.novis\.pt|\.client\.across\.or\.jp|-[0-9]+\.wind\.ne\.jp|^cm[0-9a-z]+\.red\.mundo-r\.com|p[0-9]+\..*(?:nttpc|ocn)\.ne\.jp|host[0-9-]+\.range[0-9]+-[0-9]+\.btcentralplus\.com|fibernet\.bacs-net\.hu|[0-9-]+\.is\.net\.pl|[0-9]+\.coninsalt\.ro)$\N} } \
{ match {$sender_host_name} {\N(?:\.bb\.online\.no|cust\.bezeqint\.net|ds[0-9]+-[0-9]+\.1scom\.net|c(?:-[0-9]+)+\.hsd[0-9]\.[a-z]\+\.comcast\.net|wc-[0-9]+.r(?:-[0-9]+)+\.essentkabel\.com|h[0-9.]+ip\.alltel\.net|^vds-[0-9]+\.amen-pro\.com|host[0-9]+\.[0-9-]+\.telecom\.net\.ar|(?:[0-9]+\.){4}(?:ptr\.us\.xo\.net|cust\.bluewin\.ch)|[a-z]+blog[a-z]+\.info|internetdsl\.tpnet\.pl|ads\.vi\.net|softbank[0-9]+\.bbtec\.net|mobilestorm\.com|pppool\.de|www[0-9][0-9][0-9]|^cm(?:-[0-9]+)+\.telecable\.es|[0-9.-]+\.cust\.bluewin\.ch|.*\.staticip\.rima-tde\.net|[0-9]+-[0-9]+.codetel\.net\.do|[a-z]+[0-9]+\.[a-z]+[0-9]+\.maxonline\.com\.sg|user\.ajato\.com\.br)$\N} } \
} {yes}{no} }
accept
# }}}