
Date:  Mon, 12 Mar 2007 12:14:49 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
Subject:  [coba-e:09102] Re: Dovecot/POP3 Flood
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <004801c764c1$90c1bc70$b2453550$@net>
In-Reply-To:  <7853B509BA765D40B8DACAEA2F64B2A4720CE6 (at mark) es005.gramtel.office>
References:  <001601c76299$d8edf420$8ac9dc60$ (at mark) net> <7853B509BA765D40B8DACAEA2F64B2A4720CE6 (at mark) es005.gramtel.office>
X-Mail-Count: 09102

Thanks, Rusty.  This also explains why the reboot takes a little extra time:
dbrecovery takes some time to complete its work, thereby slowing the time
back to ready status.

-----Original Message-----
From: Rusty Waybrant [mailto:RWaybrant (at mark) gramtel.net] 
Sent: Monday, March 12, 2007 10:46 AM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:09100] Re: Dovecot/POP3 Flood

After a reboot, the server would run "dbrecover" on start, which checks
the consistency of pwdb (password database that is used for all users
except for 'admin' and 'root').

You can manually run:
/etc/rc.d/init.d/dbrecover start

I've noticed if there is an issue with pwdb, it is usually not failing
authentication (drop the thick-client for troubleshooting and use
'telnet <server> pop3') but extremely slow authentication (30-60+
seconds, which is the reason for the errors). 

I've also noticed on high-traffic POP3 servers, you may see this similar
issue with dictionary attacks.

You will want to stop dovecot (or any service that might be affected by
this, like xinetd [ftp] or admserv [httpd.admsrv]). Then kill any
processes that might be hung (usually 'dovecot-auth'). Then run
dbrecover, which may take a minute or two to run. Finally, restart any
service you stopped. This usually fixes the issue without the need for a
reboot...


Rusty


________________________________

From: Darrell D. Mobley [mailto:dmobley (at mark) uhostme.net] 
Sent: Friday, March 09, 2007 5:26 PM
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:09068] Dovecot/POP3 Flood



I started getting POP3 authentication errors on my server today, so I
logged on and tailed the maillog to see a POP3 flood using a dictionary
attack.  I blocked the offending source IP address in iptables, then
stopped dovecot to allow the server load to subside, and then restarted
it.  It restarted normally, but I couldn't connect from my mail client
via POP3; the authentication continued to fail.  I ended up stopping and
restarting sendmail and saslauthd, thinking perhaps those needed
restarting.  No joy.  I tried stopping and restarting all the mail
server services in the GUI.  Still no joy.  I ended up rebooting the
server and everything came back up fine.


What sequence should I have used to stop and restart the mail services
correctly to avoid the reboot?
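The two things this thread turns on, as an added example written for this archive page and not code from Rusty, Darrell or the BlueQuartz project: picking the flooding source IP out of dovecot's failed-login lines in the maillog, and Rusty's no-reboot recovery order (stop the pwdb-dependent services, kill a hung dovecot-auth, run dbrecover, restart). The syslog-style dovecot line format, the sample log lines and the use of pkill are assumptions; the init script names come from the thread.

```shell
#!/bin/sh
# Added example for the coba-e thread; not the project's own tooling.
# ASSUMED log format: "pop3-login: Disconnected (auth failed, ...): user=<x>, ... rip=<ip>, ..."
MAILLOG=${MAILLOG:-/var/log/maillog}

# Constructed sample maillog lines (not real log data) used for testing.
SAMPLE_LOG='Mar  9 17:20:01 srv dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Mar  9 17:20:02 srv dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Mar  9 17:20:03 srv dovecot: pop3-login: Login: user=<darrell>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2
Mar  9 17:20:04 srv dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Mar  9 17:20:05 srv dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<darrell>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.2'

# Read log lines on stdin; print "count ip" per source IP of failed POP3
# logins, busiest first.
failed_pop3_by_ip() {
    grep 'pop3-login' | grep 'auth failed' \
      | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the busiest source IP only if it reached at least $1 failed attempts
# (a single user mistyping a password should not look like a flood).
top_offender() {
    failed_pop3_by_ip | awk -v min="$1" 'NR==1 && $1>=min {print $2}'
}

# Rusty's sequence: stop everything that authenticates against pwdb, kill a
# hung dovecot-auth, rebuild pwdb with dbrecover, then start in reverse order.
recover_pwdb() {
    for s in dovecot xinetd admserv; do /etc/rc.d/init.d/$s stop; done
    pkill dovecot-auth 2>/dev/null && sleep 2      # give it a chance to exit
    pkill -9 dovecot-auth 2>/dev/null              # then force a stuck one
    /etc/rc.d/init.d/dbrecover start               # may take a minute or two
    for s in admserv xinetd dovecot; do /etc/rc.d/init.d/$s start; done
}

case "${1:-}" in
    scan)    failed_pop3_by_ip < "$MAILLOG" ;;
    recover) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
             recover_pwdb ;;
esac
```

Run `sh script.sh scan` to see which IP to block in iptables, and `sh script.sh recover` as root instead of rebooting.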