[exim] Re: smtp_accept_max & DDoS

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Slavko
Data:  
Para: exim ML
Assunto: [exim] Re: smtp_accept_max & DDoS
Dňa 13. mája 2023 11:55:36 UTC používateľ Andrew C Aitchison via Exim-users <exim-users@???> napísal:

>I don't think we can do the kill from within exim.


But is that needed? When timeout happens, socket is closed
and process ends.

>We may be able to get exim to fork a process that waits and then kills the stuck process, but once it it stuck a process cannot kill itself.


IMO when process stucks, that must be bug, the timeouts are
generally supposed to prevent processes to remain running
forever. Othervise we will have serious problem, as
connections can be lost in normal conditions too, especially
with nowadays as common mobile devices...

>I would still like to know where the delay is actually happening;


In my case, for "suspicious" connections i apply small delay
on every command. In case of normal auth it is in connect
ACL, HELO ACL and AUTH ACL (conditionaly based on
connections count).

Then delay happens on dovecot side, first is not explicit
delay, but AuthPolicy processing, where eg. DNS queries
can delay result, i have configured 6 sec timeout for response,
but almost all are finished under 4 secs, with 95 percentil
in hundreds milisecs. Then dovecot penalty happens if no
nopenalty (or so) arg was passed (which seems to be exim's
case, as i see 2 sec delay betveen lines in dovecot & exim
log lines). These dovecot's delays are always here if auth
fails...

Of course, AuthPolicy deamon can return reply with
explicit delay, but i don't use that.

As most of discussed connections are recognized as
"suspicious" and its count is not too high yet, the connection
tooks at least 8 sec until it gets failed auth response...

If connection is not suspicious and auth was success,
that tooks only some hundreds msecs in most cases,
including DNS queries and password hashing.

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/