[Maia-users] lost connection after CONNECT (solved?)

[David Sims]

Hi,

  Not sure what the recommended relationship between the max number of
postfix smtpd processes is versus the max number of amavisd processes,
but I have done a bit of empirical research into this due to a transient
high volume of mail (an attack?) that was resulting in "lost connection
after CONNECT" error in the /var/log/mail.log....

  I was confronted with a high number of connections to port 25 seen with
netstat -ant, many of which were in the SYN_RECEIVED state and many others
in the TIME_WAIT state.... and little mail flowing... with lots of "lost
connection after CONNECT" in the mail.log... After a bit of research, I
have discovered that "lost connection after CONNECT" means that a TCP
connection was noticed by the mailer, but the client side went away before
any transaction took place... (timed out? or just some kind of attack?)...
When using telnet to connect to port 25, I discoverd an long time between
the connection notice and the postfix SMTP banner... (a really long
time)... so I upped the number of smtpd processes in postfix from 10 to 50
which seemed to help....

  Most of the smtp connections are now rejected by
'reject_unverified_recipient' and the connections clear quickly, allowing
legitimate connections to take place.... and few if any "lost connection
after CONNECT" errors in the log file.... Anyone have some thoughts about
this? What is a typial number of smtpd processes to allow? These don't
seem to take much resource.... I am currently allowing 7 amavis-maia
processes to run and this doesn't seem to be killing the machine, of
course, they may not all be taking traffic simultaneously... What are
others doing in this regard?

TIA,

Dave