
Postfix connections overload

euphbasio

Basic Pleskian
Hello all,

One of our systems has just started to show thousands of the below in its maillog, and performance is severely affected. Load balance is high.

Can anyone help with suggested solutions?

Many thanks.


Oct 3 10:58:24 pluto postfix/smtpd[27231]: lost connection after UNKNOWN from unknown[118.97.95.73]
Oct 3 10:58:24 pluto postfix/smtpd[27231]: disconnect from unknown[118.97.95.73]
Oct 3 10:58:24 pluto postfix/smtpd[27234]: lost connection after UNKNOWN from TOROON63-1279387425.sdsl.bell.ca[76.65.231.33]
Oct 3 10:58:24 pluto postfix/smtpd[27234]: disconnect from TOROON63-1279387425.sdsl.bell.ca[76.65.231.33]
Oct 3 10:58:24 pluto postfix/smtpd[27493]: lost connection after UNKNOWN from unknown[114.143.108.231]
Oct 3 10:58:24 pluto postfix/smtpd[27493]: disconnect from unknown[114.143.108.231]
Oct 3 10:58:24 pluto postfix/smtpd[27616]: connect from unknown[37.254.224.200]
Oct 3 10:58:25 pluto postfix/smtpd[27203]: lost connection after UNKNOWN from unknown[41.218.9.216]
Oct 3 10:58:25 pluto postfix/smtpd[27203]: disconnect from unknown[41.218.9.216]
Oct 3 10:58:25 pluto postfix/smtpd[27145]: connect from unknown[46.210.173.16]
Oct 3 10:58:25 pluto postfix/smtpd[27493]: connect from unknown[197.243.40.102]
Oct 3 10:58:25 pluto postfix/smtpd[27133]: lost connection after UNKNOWN from unknown[41.223.40.124]
Oct 3 10:58:25 pluto postfix/smtpd[27133]: disconnect from unknown[41.223.40.124]
Oct 3 10:58:25 pluto postfix/smtpd[27600]: lost connection after UNKNOWN from unknown[95.7.219.177]
Oct 3 10:58:25 pluto postfix/smtpd[27600]: disconnect from unknown[95.7.219.177]
Oct 3 10:58:25 pluto postfix/smtpd[27632]: lost connection after UNKNOWN from unknown[111.68.32.149]
Oct 3 10:58:25 pluto postfix/smtpd[27632]: disconnect from unknown[111.68.32.149]
Oct 3 10:58:25 pluto postfix/smtpd[27204]: connect from 41.252.7.226.ADSL.ZS1.dynamic.ltt.ly[41.252.7.226]
Oct 3 10:58:25 pluto postfix/smtpd[27213]: lost connection after UNKNOWN from unknown[41.71.150.55]
Oct 3 10:58:25 pluto postfix/smtpd[27213]: disconnect from unknown[41.71.150.55]
Oct 3 10:58:25 pluto postfix/smtpd[27215]: lost connection after UNKNOWN from unknown[87.252.141.24]
Oct 3 10:58:25 pluto postfix/smtpd[27215]: disconnect from unknown[87.252.141.24]
Oct 3 10:58:25 pluto postfix/smtpd[27491]: lost connection after UNKNOWN from unknown[178.131.156.36]
Oct 3 10:58:25 pluto postfix/smtpd[27491]: disconnect from unknown[178.131.156.36]
Oct 3 10:58:25 pluto postfix/smtpd[27194]: lost connection after UNKNOWN from 239.106.94.80.static.monaco.mc[80.94.106.239]
Oct 3 10:58:25 pluto postfix/smtpd[27194]: disconnect from 239.106.94.80.static.monaco.mc[80.94.106.239]
Oct 3 10:58:26 pluto postfix/smtpd[27133]: connect from unknown[2.180.59.173]
Oct 3 10:58:26 pluto postfix/smtpd[27092]: lost connection after UNKNOWN from unknown[41.72.1.94]
Oct 3 10:58:26 pluto postfix/smtpd[27092]: disconnect from unknown[41.72.1.94]
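Added example, not part of the original post: a small parser for smtpd lines in the format shown above, run over a constructed excerpt that reuses a few of the addresses from the log plus two made-up customer hosts in the 192.0.2.0/24 documentation range. In Postfix, "lost connection after UNKNOWN" means the peer closed the session before sending any recognisable SMTP command, so counting those per source address separates clients that never speak SMTP from clients that sometimes complete a session. The labels, thresholds and function names are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the same format as the maillog in the thread (not the poster's log).
SAMPLE_LOG = """\
Oct 3 10:58:24 pluto postfix/smtpd[27231]: connect from unknown[118.97.95.73]
Oct 3 10:58:24 pluto postfix/smtpd[27231]: lost connection after UNKNOWN from unknown[118.97.95.73]
Oct 3 10:58:24 pluto postfix/smtpd[27231]: disconnect from unknown[118.97.95.73]
Oct 3 10:58:24 pluto postfix/smtpd[27234]: lost connection after UNKNOWN from TOROON63-1279387425.sdsl.bell.ca[76.65.231.33]
Oct 3 10:58:24 pluto postfix/smtpd[27234]: disconnect from TOROON63-1279387425.sdsl.bell.ca[76.65.231.33]
Oct 3 10:58:25 pluto postfix/smtpd[27231]: connect from unknown[118.97.95.73]
Oct 3 10:58:25 pluto postfix/smtpd[27231]: lost connection after UNKNOWN from unknown[118.97.95.73]
Oct 3 10:58:25 pluto postfix/smtpd[27231]: disconnect from unknown[118.97.95.73]
Oct 3 10:58:26 pluto postfix/smtpd[27300]: connect from mail.customer.example[192.0.2.10]
Oct 3 10:58:26 pluto postfix/smtpd[27300]: lost connection after UNKNOWN from mail.customer.example[192.0.2.10]
Oct 3 10:58:26 pluto postfix/smtpd[27300]: disconnect from mail.customer.example[192.0.2.10]
Oct 3 10:58:27 pluto postfix/smtpd[27231]: connect from unknown[118.97.95.73]
Oct 3 10:58:27 pluto postfix/smtpd[27231]: lost connection after UNKNOWN from unknown[118.97.95.73]
Oct 3 10:58:27 pluto postfix/smtpd[27231]: disconnect from unknown[118.97.95.73]
Oct 3 10:58:28 pluto postfix/smtpd[27300]: connect from mail.customer.example[192.0.2.10]
Oct 3 10:58:29 pluto postfix/smtpd[27300]: disconnect from mail.customer.example[192.0.2.10]
Oct 3 10:58:29 pluto postfix/smtpd[27301]: connect from relay.customer.example[192.0.2.20]
Oct 3 10:58:29 pluto postfix/smtpd[27301]: disconnect from relay.customer.example[192.0.2.20]
"""

# Syslog prefix + smtpd message; the message is matched separately below.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
CONNECT_RE = re.compile(r'^connect from (?P<rdns>\S+)\[(?P<ip>[\d.]+)\]')
LOST_RE = re.compile(r'^lost connection after (?P<stage>\S+) from (?P<rdns>\S+)\[(?P<ip>[\d.]+)\]')
DISCONNECT_RE = re.compile(r'^disconnect from (?P<rdns>\S+)\[(?P<ip>[\d.]+)\]')


def parse_maillog(text):
    """Yield (timestamp, event, stage, rdns, ip) for each smtpd session line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an smtpd line (e.g. cleanup, qmgr) - skip
        ts, msg = m.group('ts'), m.group('msg')
        c, l, d = CONNECT_RE.match(msg), LOST_RE.match(msg), DISCONNECT_RE.match(msg)
        if c:
            yield ts, 'connect', None, c['rdns'], c['ip']
        elif l:
            yield ts, 'lost', l['stage'], l['rdns'], l['ip']
        elif d:
            yield ts, 'disconnect', None, d['rdns'], d['ip']


def summarize(text):
    """Per-IP counters. Every smtpd session ends with a 'disconnect' line; a 'lost
    connection' line precedes it when the peer dropped out early."""
    stats = defaultdict(lambda: {'rdns': 'unknown', 'connects': 0, 'disconnects': 0,
                                 'lost_unknown': 0, 'lost_other': 0})
    for _ts, event, stage, rdns, ip in parse_maillog(text):
        s = stats[ip]
        s['rdns'] = rdns
        if event == 'connect':
            s['connects'] += 1
        elif event == 'disconnect':
            s['disconnects'] += 1
        elif stage == 'UNKNOWN':
            s['lost_unknown'] += 1  # closed before any valid SMTP command
        else:
            s['lost_other'] += 1    # closed later, e.g. after RCPT or DATA
    return dict(stats)


def classify(stats, min_sessions=2):
    """Assumed labels: 'probe-like' = at least min_sessions sessions, all of which died
    before a valid command and none completed; 'unconfirmed' = same pattern but too few
    sessions to judge; 'mixed' = some sessions completed normally, so it may be a real
    client on a flaky path (the thread notes customer IPs among the UNKNOWN drops);
    'normal' = no early drops at all."""
    labels = {}
    for ip, s in stats.items():
        clean = s['disconnects'] - s['lost_unknown'] - s['lost_other']
        if s['lost_unknown'] == 0:
            labels[ip] = 'normal'
        elif clean > 0:
            labels[ip] = 'mixed'
        elif s['lost_unknown'] >= min_sessions:
            labels[ip] = 'probe-like'
        else:
            labels[ip] = 'unconfirmed'
    return labels


def top_offenders(stats, n=10):
    """IPs ordered by number of sessions lost before any command."""
    return sorted(((ip, s['lost_unknown']) for ip, s in stats.items()),
                  key=lambda kv: kv[1], reverse=True)[:n]


def connects_per_second(text):
    """Inbound connection rate over the excerpt's time span (syslog stamps carry no year)."""
    stamps, connects = [], 0
    for ts, event, _stage, _rdns, _ip in parse_maillog(text):
        stamps.append(datetime.strptime(ts, '%b %d %H:%M:%S'))
        connects += event == 'connect'
    if not stamps:
        return 0.0
    span = (max(stamps) - min(stamps)).total_seconds()
    return connects / span if span else float(connects)


if __name__ == '__main__':
    st = summarize(SAMPLE_LOG)
    for ip, count in top_offenders(st):
        print(f"{ip:16} lost-before-command={count:3}  {classify(st)[ip]}")
    print(f"{connects_per_second(SAMPLE_LOG):.2f} connections/s in this excerpt")
```

Because each of these sessions completed a TCP handshake before the client went silent, the address in the log is the real peer, so counting per IP is meaningful. The 'mixed' label is the reason not to feed raw counts straight into an automatic ban list: a customer whose client is being disconnected on its first command looks identical to a probe in any single session, and only the history across sessions tells them apart.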
 
Hi,

Thanks, though I'm not sure that's the problem. True enough the RDNS wasn't up to date, but it is now and I'm still seeing hundreds of failed connections.

Could you give any other suggestions?

Thanks,
 
Hey,

Does anyone have any hints for this one? Users are having a lot of difficulty connecting to send mail and I'm not sure where to go from here.

Thanks,

Nick
 
Can anyone help? My email is not working :(

My parallels outgoing anti-spam says that it's had 40,000 clean emails from 127.0.0.1 which is odd.

I am using a relay host and these haven't actually been sent anywhere. The postqueue is also empty.

Confused about this.
 
Hi

I am currently receiving exactly the same. In my case it is a DoS attack and it looks like yours is the same. I am also getting a 'Keep Alive' DoS attack on one of the websites of the same domain which started at the same time - about 3 weeks ago! So you may want to check for that also?

I have used Fail2Ban/IPset to ban the IPs but after a week (with over 70,000 IPs banned and hardly slowed!) I realised that the overhead of banning, what are almost certainly spoof IP addresses, was higher than leaving them to it. Since then, it is still there, annoyingly, in the background but the server is stable and the attacks use very little resources. I keep a careful eye on it to see if they have changed tactics, but so far still the same. I know there is a 'Keep Alive' DoS attack package available for download (I have downloaded it and it is ridiculously easy to set up and attack a website! It is fully automated, so you just leave it to go.) so I assume there is probably a very similar thing for the SMTP attack :-(

Edit: On the subject of your Parallels Outgoing Anti-Spam - Have you checked that your licence is valid for this product? There have been a LOT of cases where people have the service listed as available to the them, but when you start it, it runs OK for a while but then starts to give all sorts of problems (such as causing a MASSIVE CPU overhead on Postfix). Supposedly, these problems do not occur if the licence is valid, but I am not too sure about this. From what I can see, they have pulled sales of the product but I may be wrong on that.
 
Hi,

Thanks for your reply.

I've been digging around a bit on this and the level of traffic isn't THAT high and it suspiciously started at the same time as I am seeing sasl authentication problems from *some* email clients. I'm feeling that there is another issue at play.

I know that some of the dropped connections in my maillog (lost connection after UNKNOWN) are from customers' IPs, so it looks like they're being booted before the SMTP conversation can take place.

Interestingly, if I telnet to the mail server from my home connection, the first command e.g. ehlo test.com always gives a "502 5.5.2 Error: command not recognized"; on the second attempt everything works fine. If that is happening to some other clients, would that explain the dropped connections?

Saying that, I've used various email server test facilities and they generally work fine.

Any suggestions very much appreciated.

Ooh, my outbound anti spam license is valid, the numbers went haywire when the above issue started. A bit odd :s
 
So I paid for support for this. So far the technical guys have left 2 typos in config files and broken passwd.db.

I've figured out the problem as being Parallels Anti Spam blocking 127.0.0.1. Could do with some instruction on viewing blocked addresses and managing the block list (effectively).
 