[kwlug-disc] clearing close_wait
Fernando Duran
liberosec at yahoo.ca
Thu Mar 24 22:04:29 EDT 2011
----- Original Message ----
> From: John Van Ostrand <john at netdirect.ca>
> To: KWLUG discussion <kwlug-disc at kwlug.org>
> Sent: Thu, March 24, 2011 8:39:45 PM
> Subject: Re: [kwlug-disc] clearing close_wait
>
> ----- Original Message -----
> > Not related to CLOSE_WAIT but to prevent this issue of an IP opening a
> > lot of connections you can set up the proper parameter in your mail server
> > (for example for Postfix
> > http://www.postfix.org/postconf.5.html#smtpd_client_connection_count_limit ),
> > xinetd also can limit the number of simultaneous client
> > connections. Or directly from iptables using
> > connlimit: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
>
> Good direction Fernando.
>
> It's also a good idea to do a greeting delay. This works well for us. The idea
> is that your MTA accepts connections and if the remote IP is not on your
> network or localhost it enforces a 15 second delay before issuing the first 220
> message. Spam daemons don't wait for that and start the SMTP conversation. When
> the MTA sees traffic before issuing the 220 it rejects all commands for the
> session.

Yes, definitely.
For spam what has worked for me lately is the similar idea of greylisting
(apt-get install postgrey) and configuring in Postfix the blacklists (like
Spamhaus and SpamCop); SpamAssassin doesn't work well (spam is processed
anyway) and consumes a lot of CPU. But what I tell people asking me now about
mail servers is to just go to Gmail / Google Apps if they accept the possible
privacy issues and save the trouble.
---------------------
Fernando Duran
http://www.fduran.com
>
> --
> John Van Ostrand
> CTO, co-CEO
> Net Direct Inc.
> 564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6
> Ph: 866-883-1172 x5102
> Fx: 519-883-8533
>
> Linux Solutions / IBM Hardware
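
The greeting delay described in the quoted message, sketched as an added example (not code from the thread or from any MTA): a listener that holds back the banner for non-local peers and rejects every command from a client that speaks first. The hostname `mail.example.test`, the exempt ranges, port 2525 and the 554 reply texts are assumptions made for the example.

```python
import asyncio
import ipaddress

GREET_DELAY = 15.0  # seconds, the delay quoted in the thread
# Assumed exempt ranges: localhost plus a made-up internal network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

async def talked_early(reader, delay):
    """True if the client sends data (or hangs up) before the banner is due."""
    try:
        await asyncio.wait_for(reader.read(1), timeout=delay)
        return True
    except asyncio.TimeoutError:
        return False

async def handle_session(reader, writer, peer_ip, delay=GREET_DELAY, log=None):
    early = (not is_local(peer_ip)) and await talked_early(reader, delay)
    if log is not None:
        log.append((peer_ip, "early-talker" if early else "ok"))
    try:
        # Example's choice: an early talker gets 554 in place of the 220 banner.
        writer.write(b"554 protocol error\r\n" if early else b"220 mail.example.test ESMTP\r\n")
        while True:
            await writer.drain()
            line = await reader.readline()
            if not line:
                break
            if line.strip().upper() == b"QUIT":
                writer.write(b"221 bye\r\n")
                break
            # A real MTA runs its SMTP state machine here; only the gate is shown.
            writer.write(b"554 rejected: spoke before greeting\r\n" if early else b"250 ok\r\n")
    except ConnectionError:
        pass  # peer vanished mid-session
    finally:
        writer.close()

async def main(host="127.0.0.1", port=2525):  # assumed test address and port
    async def on_connect(reader, writer):
        await handle_session(reader, writer, writer.get_extra_info("peername")[0])
    async with await asyncio.start_server(on_connect, host, port) as server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Run stand-alone it binds to localhost, where peers are exempt from the delay; bind it to a routable address to see the delay applied.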