Re: [exim] 421 Too many concurrent connections from this cli…

Author: Lena
Date:  
To: exim-users
Old Topics: [exim]  421 Too many concurrent connections from this client
Subject: Re: [exim] 421 Too many concurrent connections from this client
> From: g18c
>
> We have a Kayako helpdesk; when e-mails come in from customers, notifications are sent out by Kayako to a number of staff whose mailboxes are hosted on Rackspace mail servers.
>
> Rackspace policy is 5 connections to their mx1 and 3 connections to mx2.
>
> I noticed a large number of queued messages in Exim - when looking in Exim logs I can see many lines:
> 2012-10-13 20:06:56 1TN72s-0007Cw-1l SMTP error from remote mail server after initial connection: host mx2.emailsrvr.com [173.203.2.32]: 421 Too many concurrent connections from this client.
>
> For our requirements, if we send 1 email every 10 seconds or so, this would be OK.
>
> Messages to all other servers should go through at normal rates; only mx1.emailsrvr.com and mx2.emailsrvr.com should have this connection limit policy applied.

So, one connection is OK for you. Then in transport:

remote_smtp:
  driver = smtp
  # only one connection at a time to each of these hosts
  serialize_hosts = mx1.emailsrvr.com : mx2.emailsrvr.com

At reboot: `rm -f /var/spool/exim/db/misc*`



>
> Is this possible?
>
> Many thanks,
>
> Chris
>
> ------------------------------
>
> Message: 11
> Date: Sat, 13 Oct 2012 14:40:24 -0700
> From: Phil Pennock <exim-users@???>
> To: James Mills <james.mills@???>
> Cc: "exim-users@???" <exim-users@???>, Todd Lyons
>     <tlyons@???>
> Subject: Re: [exim] strange resolver issue
> Message-ID: <20121013214024.GA40723@???>
> Content-Type: text/plain; charset=us-ascii

>
> On 2012-10-13 at 16:56 +0000, James Mills wrote:
> > Thanks Todd, spot on!
>
> Todd's great. :)
>
> > Got rid of the mdns entries in nsswitch.conf and all is fine now.
>
> You should probably try to transition away from assuming that .local is
> available via regular DNS -- consider this a wake-up call that there's
> an issue here, and changing nsswitch.conf has bought you time to manage
> a transition gracefully.
>
> Going forward, .local is de facto used for multicast DNS and that's not
> going to change, and is going to be embedded in more and more devices.
>
> I say this as someone who _likes_ zeroconf, mostly, and thinks it's a
> good idea. Home users adding devices to a network should not need to
> mess with zone-files; printers, media devices, ~everything just using
> multicast DNS just makes life easier. So this is going to continue.
> For businesses, cheap devices you buy are still going to assume zeroconf
> by default. Fighting that is making work for yourself, when there's so
> many other things that need time and attention. It likely makes more
> business sense to just abandon the domain and spend expensive staff time
> fighting issues that _need_ fighting.
>
> In July, IANA created a registry of "Special-Use Domain Names":
> https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xml
>
> Avoid anything in that, and if something you use appears in that, then
> you're fighting a losing battle and just plan on graceful evacuation.
>
> Note that with the swing to HTTPS/TLS for "everything" and wanting
> TLS certificates for internal services, I recommend that companies avoid
> using private TLDs for their internal network. If you manage your own
> in-house CA, you're probably okay, but otherwise you should plan on
> being able to buy a (cheap) cert even for internal services.
>
> Using a TLD such as .biz works; register example.biz and use that. So
> many people have .biz in blacklists for email, etc, that you'll not want
> to use that for a public-facing site, and it's not too hard to train
> non-technical folks that "company.com is public, company.biz is
> internal".
>
> -Phil
>
>
>
> ------------------------------
>
> Message: 12
> Date: Sat, 13 Oct 2012 14:47:54 -0700
> From: Phil Pennock <exim-users@???>
> To: Jonathan White <jw@???>
> Cc: exim-users@???
> Subject: Re: [exim] Centos Application Applience Routing mail to relay
> Message-ID: <20121013214754.GB40723@???>
> Content-Type: text/plain; charset=us-ascii
>
> On 2012-10-13 at 12:41 +0100, Jonathan White wrote:
> > When I run a debug it looks like Exim is trying to perform a DNS
> > lookup of 127.0.0.1
>
> > Eventually the lookup times out and the mail is sent. What's the correct
> > way to resolve the issue? Are there further lookups to disable or can
> > exim resolve 127.0.0.1 via another method other than a DNS server?
>
> Put it in /etc/hosts.
>
> That _should_ work.
>
> Note that part of the issue here is that Exim assumes it can resolve the
> local hostname. "@" is Exim for "the hostname of the host that I'm
> running on".
>
> If you keep hitting DNS issues on the appliance, you might consider
> something like dnsmasq -- it's a server designed to be very small, for
> use on home routers where memory is tight. You can configure it with
> appropriate dummy data.
>
> (Note that /etc/hosts is not normally a good solution for DNS issues,
> just a way to store up issues for later, but I tend to believe that
> localhost and the hostname of the machine itself should be in
> /etc/hosts, so that basic self-resolution can work without a network
> connection).
>
> -Phil
>
>
>
> ------------------------------
>
> Message: 13
> Date: Sat, 13 Oct 2012 14:51:23 -0700
> From: Phil Pennock <exim-users@???>
> To: Damien Moore <damien@???>
> Cc: exim-users@???
> Subject: Re: [exim] how to implement a blacklist of IP addresses
> Message-ID: <20121013215123.GC40723@???>
> Content-Type: text/plain; charset=us-ascii
>
> On 2012-10-13 at 16:10 +0100, Damien Moore wrote:
> > I am using Exim 4.72 on Debian 6.0.6. I have dumped the Debian
> > configuration scheme and composed my own exim4.conf file based on the
> > sample supplied. I have successfully implemented a blacklist of sending
> > domains which works like this:
> >
> > acl_smtp_mail = acl_check_mail
> > acl_check_mail:
> >   deny    message          = Domain blacklisted locally
> >           sender_domains   = lsearch;/etc/exim4/senderdomains.blacklist

> >
> > where the file senderdomains.blacklist contains a list of this format:
> >
> > dirtyspammers.org
> > spamserver.lots-o-spam.net
> > dishitout.spammers.com
>
> In this case, you don't want "lsearch;", you just want to specify the
> file path itself, so that the matching is "one per line". lsearch is a
> way, loosely speaking, of looking for "key: value" lines by key and
> grabbing the value for use.
>
> > My question is how to do something similar with a list of IP addresses.
> > Would a similar structure be appropriate and where would it be put? Hope
> > this is not too easy.
>
> It should be:
> deny hosts = /etc/exim4/senderhosts.blacklist
>
> And don't worry about "too easy". If people complain about "too easy",
> I can cough at them and ask for people to help maintain the FAQ. :-D
>
> -Phil
>
>
>
> ------------------------------
>
> Message: 14
> Date: Sat, 13 Oct 2012 15:08:13 -0700
> From: Phil Pennock <exim-users@???>
> To: g18c <g18c@???>
> Cc: exim-users@???
> Subject: Re: [exim] 421 Too many concurrent connections from this
>     client
> Message-ID: <20121013220813.GD40723@???>
> Content-Type: text/plain; charset=utf-8

>
> On 2012-10-14 at 00:50 +0400, g18c wrote:
> > We have a Kayako helpdesk; when e-mails come in from customers, notifications are sent out by Kayako to a number of staff whose mailboxes are hosted on Rackspace mail servers.
> >
> > Rackspace policy is 5 connections to their mx1 and 3 connections to mx2.
> >
> > I noticed a large number of queued messages in Exim - when looking in Exim logs I can see many lines:
> > 2012-10-13 20:06:56 1TN72s-0007Cw-1l SMTP error from remote mail server after initial connection: host mx2.emailsrvr.com [173.203.2.32]: 421 Too many concurrent connections from this client.
> >
> > For our requirements, if we send 1 email every 10 seconds or so, this would be OK.
> >
> > Messages to all other servers should go through at normal rates; only mx1.emailsrvr.com and mx2.emailsrvr.com should have this connection limit policy applied.
> >
> > Is this possible?
>
> You can increase the _likelihood_ of limiting yourself to a maximum
> number of connections per IP, but not be _sure_ to prevent it.
>
> If you can build a list of domains, then the easy way is to set the
> "queue_smtp_domains" option to a domain-list (which can be a lookup, per
> normal domain-list rules); mails to those domains won't be immediately
> delivered, but routing will have been done. A later queue runner will
> collect all emails to the same IP destination and shove them down one
> SMTP connection (subject to various maximum limits).
>
> So you then run a queue runner once per minute. If you _really_ need to
> pump more often, write a small script which sleeps 10 seconds between
> calling "exim -R @domain.to.trigger" (to avoid retrying messages for
> other domains).
>
> I might be missing a really easy way to extend this to hosts instead,
> but I'd try a dnsdb lookup for the special "mxh" keytype.
>
> Assuming Exim 4.77 or more recent, for the inlisti operation:
>
> queue_smtp_domains = ${if forany{${lookup dnsdb{mxh=$domain}}}{inlisti{$item}{mx1.emailsrvr.com:mx2.emailsrvr.com}} {*}{}}
>
> (untested!)
>
> That says "if, for any of the hostnames resulting from looking up the
> domain's MX records in DNS and taking the hostname part of the MX
> records, that hostname is in the list consisting of these two hosts,
> then '*', else the empty string", and results in a domainlist of one or
> zero items, used for matching.
>
> If you're using an older Exim release then:
>  (1) I of course encourage you to use Exim 4.80 and in general to stay
>      up-to-date
>  (2) in the meantime, you can nest a second forany{} inside the first
>      one, and try to stay sane while doing so.  That way lies madness
>      and despair in your debugging.  Use inlisti{needle}{hay:stack}
>      instead.  The "i" is case-Insensitive matching.

>
> -Phil
>
>
>
> ------------------------------
>
> Message: 15
> Date: Sat, 13 Oct 2012 23:10:54 +0100
> From: "Jonathan White" <jw@???>
> To: <exim-users@???>
> Subject: Re: [exim] Centos Application Applience Routing mail to relay
> Message-ID: <C96DF0418C7944E69191F92CA86DE06B@T500>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>     reply-type=original

>
> Thanks for the reply Phil.
>
> I did think the /etc/hosts file would have been sufficient for Exim to
> resolve 127.0.0.1 or localhost but I do not think Exim is trying the hosts
> file first.
>
> This is what I have
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1       host01 localhost.localdomain localhost
> ::1             localhost6.localdomain6 localhost6

>
> I can ping localhost but not nslookup which I would expect as nslookup uses
> a DNS server to resolve the address.
>
> Do I need to tell Exim to use the hosts file?
> Is there an option to turn off all lookups and accept mail submitted by
> localhost?
>
> Best regards
>
> J
>
> -----Original Message-----
> From: Phil Pennock
> Sent: Saturday, October 13, 2012 10:47 PM
> To: Jonathan White
> Cc: exim-users@???
> Subject: Re: [exim] Centos Application Applience Routing mail to relay
>
> On 2012-10-13 at 12:41 +0100, Jonathan White wrote:
> > When I run a debug it looks like Exim is trying to perform a DNS
> > lookup of 127.0.0.1
>
> > Eventually the lookup times out and the mail is sent. What's the correct
> > way to resolve the issue? Are there further lookups to disable or can
> > exim resolve 127.0.0.1 via another method other than a DNS server?
>
> Put it in /etc/hosts.
>
> That _should_ work.
>
> Note that part of the issue here is that Exim assumes it can resolve the
> local hostname. "@" is Exim for "the hostname of the host that I'm
> running on".
>
> If you keep hitting DNS issues on the appliance, you might consider
> something like dnsmasq -- it's a server designed to be very small, for
> use on home routers where memory is tight. You can configure it with
> appropriate dummy data.
>
> (Note that /etc/hosts is not normally a good solution for DNS issues,
> just a way to store up issues for later, but I tend to believe that
> localhost and the hostname of the machine itself should be in
> /etc/hosts, so that basic self-resolution can work without a network
> connection).
>
> -Phil
>
>
>
>
> ------------------------------
>
> Message: 16
> Date: Sat, 13 Oct 2012 15:55:35 -0700
> From: Todd Lyons <tlyons@???>
> To: Jonathan White <jw@???>
> Cc: exim-users@???
> Subject: Re: [exim] Centos Application Applience Routing mail to relay
> Message-ID:
>     <CAFG21ojPgdKwSxTEhdvawi_kTm1=zsR+N3Bgu6pLbtcwA6hXuQ@???>
> Content-Type: text/plain; charset=UTF-8

>
> On Sat, Oct 13, 2012 at 3:10 PM, Jonathan White <jw@???> wrote:
> > Thanks for the reply Phil.
> >
> > I did think the /etc/hosts file would have been sufficient for Exim to
> > resolve 127.0.0.1 or localhost but I do not think Exim is trying the hosts
> > file first.
>
> As a wild guess, what does your hosts: line look like in your
> /etc/nsswitch.conf?
>
> ...Todd
> --
> The total budget at all receivers for solving senders' problems is $0.
> If you want them to accept your mail and manage it the way you want,
> send it the way the spec says to. --John Levine
>
>
>
> ------------------------------
>
> --
>
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>
> End of Exim-users Digest, Vol 101, Issue 14
> *******************************************
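
An added example, not part of Lena's message or the quoted digest: a Python script that counts the "421 Too many concurrent connections" deferrals in an Exim main log per remote host and per minute, so the effect of serialize_hosts can be compared before and after the change. Only the first sample line comes from the thread; the other log lines, the 192.0.2.x addresses, mail.example.net and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Exim main-log deferral in the shape quoted in the thread:
#   <date> <time> <msgid> SMTP error from remote mail server after <stage>:
#   host <name> [<ip>]: 421 <text>
# Assumes the default timestamp (no log_timezone or millisecond selectors).
DEFER_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} (?P<msgid>\S+) "
    r"SMTP error from remote mail server after .*?: "
    r"host (?P<host>\S+) \[(?P<ip>[^\]]+)\]: 421 (?P<text>.*)$"
)

ERR = "SMTP error from remote mail server after initial connection: host"
LIMIT = "421 Too many concurrent connections from this client."
# Constructed sample: line 1 is from the thread; the other message ids,
# the 192.0.2.x addresses and mail.example.net are made up.
SAMPLE_LOG = f"""\
2012-10-13 20:06:56 1TN72s-0007Cw-1l {ERR} mx2.emailsrvr.com [173.203.2.32]: {LIMIT}
2012-10-13 20:06:57 1TN72t-0007Cx-2m {ERR} mx2.emailsrvr.com [173.203.2.32]: {LIMIT}
2012-10-13 20:07:03 1TN72u-0007Cy-3n {ERR} mx1.emailsrvr.com [192.0.2.10]: {LIMIT}
2012-10-13 20:07:05 1TN72v-0007Cz-4o {ERR} mail.example.net [192.0.2.55]: 421 Service not available
2012-10-13 20:07:09 1TN72w-0007D0-5p {ERR} mx2.emailsrvr.com [173.203.2.32]: {LIMIT}
2012-10-13 20:07:11 1TN72x-0007D1-6q => staff@example.com R=dnslookup T=remote_smtp H=mx1.emailsrvr.com [192.0.2.10]
"""

def summarize(lines):
    """Count concurrency-limit 421s per host and per (host, minute)."""
    per_host, per_minute = Counter(), Counter()
    for line in lines:
        m = DEFER_RE.match(line.strip())
        # Other 421 responses (e.g. "Service not available") are not a
        # connection-count problem, so they are left out.
        if m and "concurrent connections" in m["text"].lower():
            host = m["host"].lower()
            per_host[host] += 1
            per_minute[(host, m["minute"])] += 1
    return per_host, per_minute

def serialize_hosts_line(per_host, threshold=1):
    """Build the transport option for hosts with >= threshold deferrals."""
    hosts = sorted(h for h, n in per_host.items() if n >= threshold)
    return "serialize_hosts = " + " : ".join(hosts) if hosts else ""

if __name__ == "__main__":
    per_host, per_minute = summarize(SAMPLE_LOG.splitlines())
    for (host, minute), n in sorted(per_minute.items()):
        print(f"{minute}  {host}  {n} deferral(s)")
    print(serialize_hosts_line(per_host))
```

Run against the real main log by passing its lines to summarize(); a count that drops to zero for the listed hosts after the transport change shows the serialization is taking effect.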