I have 3 servers that are not very busy, all running mailscanner and
sendmail. I don't know why, but all the time sendmail on the servers seems
to crash and stop accepting mail, even though the processes seem fine and
there are 150 - 200 sendmail processes running. Sometimes it just
starts accepting mail again, other times it just doesn't and I have to
killall -9 sendmail and restart the MTA.
I'm using the very latest sendmail 8.14.4. I did post something last
week and was told to remove the ICONNECT which worked for a while, but
this is outgoing timeout and if my 3 servers can't accept mail then...
It just doesn't accept it.
Is this timeouts?
Here's my mc file -
divert(-1)
#
# Copyright (c) 1983 Eric P. Allman
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights
reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
the
# documentation and/or other materials provided with the
distribution.
# 3. All advertising materials mentioning features or use of this
software
# must display the following acknowledgement:
# This product includes software developed by the University of
# California, Berkeley and its contributors.
# 4. Neither the name of the University nor the names of its
contributors
# may be used to endorse or promote products derived from this
software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS''
AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF
# SUCH DAMAGE.
#
#
# This is a generic configuration file for FreeBSD 5.X and later
systems.
# If you want to customize it, copy it to a name appropriate for your
# environment and do the modifications there.
#
# The best documentation for this .mc file is:
# /usr/share/sendmail/cf/README or
# /usr/src/contrib/sendmail/cf/README
#
divert(0)
dnl Version stamp of the FreeBSD template this file was derived from.
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.34.2.3.4.1
2009/04/15 03:14:26 kensmith Exp $')
OSTYPE(freebsd6)
DOMAIN(generic)
dnl Access database: accept, reject and relay rules keyed by host or address.
dnl -o makes the map optional; -T<TMPF> sets the result used when a lookup fails temporarily.
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
dnl Lets the access database reject mail by recipient address as well as by sender or host.
FEATURE(blacklist_recipients)
dnl Local delivery is handed over using LMTP.
FEATURE(local_lmtp)
dnl Per-domain routing table (optional map).
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
dnl Virtual-domain address rewriting table (optional map).
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX
without
dnl your permission.
dnl FEATURE(relay_based_on_MX)
dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available
servers.
dnl For that, visit
dnl http://www.google.com/Top/Computers/Internet/E-mail/Spam/Blacklists/
dnl Uncomment to activate Realtime Blackhole List
dnl information available at http://www.mail-abuse.com/
dnl NOTE: This is a subscription service as of July 31, 2001
dnl FEATURE(dnsbl)
dnl Alternatively, you can provide your own server and rejection
message:
dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', ``"550 Mail from " $&
{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&
{client_addr}'')
dnl Each dnsbl FEATURE adds a DNS lookup of the client address for every incoming
dnl connection, so a list that no longer answers can delay connection handling.
dnl NOTE(review): a reply further down this thread reports list.dsbl.org as dead
dnl and recommends removing this entry.
FEATURE(`dnsbl',`list.dsbl.org')dnl
dnl NOTE(review): unlike the two entries below, this rejection text has no explicit
dnl SMTP reply code at the start - confirm which code rejected clients receive.
FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see:
http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
dnl The next two lists reject with an explicit 554 and name the list in the reply.
FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&
{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
FEATURE(`dnsbl',`b.barracudacentral.org', `"554 Rejected " $&
{client_addr} " found in: http://www.barracudacentral.org/lookups/ip-reputation"')dnl
#dnl Dialup users should uncomment and define this appropriately
#dnl define(`SMART_HOST', `your.isp.mail.server')
dnl SMTP greeting banner. It tells every connecting client the role and node
dnl number of this host - NOTE(review): confirm that disclosure is intended.
define(`confSMTP_LOGIN_MSG',`MyHOST Mail Filter Cluster - Node 7
[neta...@MyHOST.uk]')dnl
dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')
dnl # Disable TLS
dnl NOTE(review): sm_enable_tls does not follow the conf* naming of the other
dnl options in this file - confirm that something actually reads it. If STARTTLS
dnl really is off, mail on this hop is exchanged in cleartext.
define(`sm_enable_tls', `no')dnl
dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
dnl Caps the length of MIME header fields and of their parameters.
define(`confMAX_MIME_HEADER_LENGTH', `256/128')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
dnl NOTE(review): confPRIVACY_FLAGS is defined a second time near the end of this
dnl file without noreceipts. m4 keeps the last definition, so noreceipts is most
dnl likely not in effect - confirm which set is wanted and keep only one define.
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy,noreceipts')
dnl Send a still-queued warning to the sender after 72 hours.
define(`confTO_QUEUEWARN',`72h')dnl
dnl Outgoing connection cache: up to 2 open connections, each kept for 120 seconds.
define(`confMCI_CACHE_SIZE',`2')dnl
define(`confMCI_CACHE_TIMEOUT',`120s')dnl
dnl Load average at which new mail is queued rather than delivered immediately.
define(`confQUEUE_LA', `60')dnl
dnl A zero timeout turns ident lookups off.
define(`confTO_IDENT', `0')dnl
dnl Largest message accepted, in bytes.
define(`confMAX_MESSAGE_SIZE',100000000)
dnl Wait 1000 ms before sending the greeting; clients that talk first are refused.
FEATURE(`greet_pause', `1000')dnl
dnl 0 means no limit on the rate of incoming connections. This file also sets
dnl neither confMAX_DAEMON_CHILDREN nor confREFUSE_LA, so nothing here caps the
dnl number of concurrent SMTP children - NOTE(review): check this against the
dnl 150 - 200 sendmail processes described in the post.
define(`confCONNECTION_RATE_THROTTLE', `0')dnl
define(`confMAX_RCPTS_PER_MESSAGE',`301')dnl
dnl SMTP timeouts. Per the sendmail documentation confTO_COMMAND is the server-side
dnl wait for the next command from a client; the others below are waits for the
dnl remote side when this host is the sending client - verify before tuning them
dnl for a problem with incoming mail.
define(`confTO_COMMAND',`1m')dnl
define(`confTO_CONNECT', `3m')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_MAIL', `3m')dnl
define(`confTO_RCPT', `3m')dnl
define(`confTO_DATAINIT', `3m')dnl
define(`confTO_DATABLOCK', `5m')dnl
define(`confTO_DATAFINAL', `5m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_MISC', `1m')dnl
dnl Resolver workaround for name servers that mishandle AAAA queries.
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
dnl Repeats the confNO_RCPT_ACTION define above with the same value.
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
dnl Second definition of confPRIVACY_FLAGS; it replaces the earlier one and
dnl leaves out noreceipts.
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
Last week, when you posted your problem about timeouts, I wondered why your internal servers were
taking more than 15 seconds (the value you defined for ICONNECT) to answer. That seemed too long to me
for servers on the same local network. It can happen occasionally, but not most of the time.
Although your 3 servers don't seem very busy, they may have long latencies (disk activity, CPU wait
times, ...).
You should investigate this kind of thing. You may find a hint in the log files.
> Hi,
>
> I have 3 servers that are not very busy, all running mailscanner and
> sendmail. I don't know why but all the time the servers sendmail seems
> to crash and not accept any mail, even though processes seem fine and
> there are 150 - 200 sendmail processes running. Sometimes it just
> starts accepting mail again, other times it just doesn't and I have to
> killall -9 sendmail and restart the mta.
Is your DNS OK?
You are not using some defunct or high latency RBL ?
Oh yes you are...
> FEATURE(`dnsbl',`list.dsbl.org')dnl
^^^^^^^^^^^^^^
PING... This list has been dead for some time! Remove it!
--
Res
"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!
Res,
Thank you. Well spotted. I wonder if that cures it.
I will report back tomorrow!
Hi Res,
As far as I can see that's made no difference unfortunately. I think
Jose-Marcio is correct by thinking it could be the server load.
What I see is - Deferred: Connection reset by myhost.com - from my
relay server. I also have some monitoring software called nagios and I
repeatedly get smtp critical 141 codes maybe twice a day from each of
the 3 servers in the cluster.
When I push the mail through it goes through fine, just now I tried
and it didn't go through until the 3rd time I pushed some.
I don't think we ever had this issue until I came along and started
adding extra clamav signatures and things to improve the spam
scanning.
But when it happens, I look into the processes on top and nothing is
really doing much. I check the messages logs and there are some mx
issues but nothing big. I was having dns high memory loads but I've
fixed that now and it's still doing this.
I guess if there are no issues with my mc file it's got to be load.
How frequently do you update your clamav signatures? I don't know how your filter interfaces with
clamav, but if I'm right, clamd stops virus checking while it reloads its signature
database into memory after downloading it. This can take many seconds. During this interval, clamd accepts
connections but defers handling them. You can see how long it takes in the clamd log file. Check whether it
happens at the same time as the problems. Try updating the clamav signatures less frequently to see if
the problem goes away. Or temporarily disable the additional signatures, especially if the signature
file is huge (this will decrease the time needed to reload the signatures into memory).
Also, if I'm right, mailscanner manages its own mail queue - so it can generate a lot of disk activity
- and wait times.
Try using iostat to evaluate the disk activity. top can give you some idea about CPU usage: see
"wait" and "idle". Also, you can put the timeout values back to their defaults on the cluster side. It's
useful to tune them on the mail relay connected to the internet, but less useful on your internal
servers, as they talk only to local peers.
I'm only guessing... 8-)
JM
> Hi Res,
>
> As far as I can see that's made no difference unfortunately. I think
> Jose-Marcio is correct by thinking it could be the server load.
Hrmm, that's a concern given you said the servers are not really that busy.
We used to use sendmail up front protecting a qmail-based backend (but
have since made it more efficient by changing to postfix, since it has native
mysql support and sendmail doesn't and never will). The sendmail
boxes ran mailscanner and easily handled 800 concurrent connections each.
> I don't think we ever had this issue until I came along and started
> adding extra clamav signatures and things to improve the spam
> scanning.
How are you using clam? Via the clamd method? Some methods of
using clamav with mailscanner (and amavisd, and I suspect all others) are
resource pigs :( What are your MailScanner batch settings?
Key values to watch, I think, are...
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 30m
Max Unscanned Messages Per Scan = 100
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 1000
Virus Scanners = clamd
ClamAVmodule Maximum Recursion Level = 50
ClamAVmodule Maximum Files = 5000
ClamAVmodule Maximum File Size = 22000000
ClamAVmodule Maximum Compression Ratio = 250
...and using clamd
Clamd Port = 3310
Clamd Socket = /var/run/clamd/clamd.sock
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no
> But when it happens, I look into the processes on top and nothing is
> really doing much. I check the messages logs and there are some mx
> issues but nothing big. I was having dns high memory loads but I've
> fixed that now and it's still doing this.
I'll dig out my old sendmail.mc......
dnl Default uid:gid pair for mailers that have no more specific identity.
define(`confDEF_USER_ID',``8:13'')dnl
dnl Account trusted to own sendmail files such as maps.
define(`confTRUSTED_USER', `smmsp')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`ALIAS_FILE', `/etc/mail/aliases,/etc/mail/ecartis.aliases')dnl
define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`confLOG_LEVEL',`9')dnl
dnl Largest message accepted, in bytes.
define(`confMAX_MESSAGE_SIZE', `20480000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
dnl goaway refuses SMTP status queries such as VRFY and EXPN; restrictqrun and
dnl restrictmailq limit who may run the queue and list it.
define(`confPRIVACY_FLAGS', `goaway,restrictqrun,restrictmailq')dnl
dnl Load shedding: limit the rate of incoming connections and cap the number of
dnl daemon children and queue-runner children.
define(`confCONNECTION_RATE_THROTTLE', `150')dnl
define(`confMAX_DAEMON_CHILDREN',`400')dnl
define(`confMAX_QUEUE_CHILDREN',`800')dnl
dnl define(`confQUEUE_SORT_ORDER', `none')dnl
dnl After 2 rejected recipients in one envelope, later RCPT commands are slowed
dnl down, which makes address guessing more expensive for the client.
define(`confBAD_RCPT_THROTTLE',`2')dnl
dnl SMTP and queue timeouts.
define(`confTO_CONNECT', `5m')dnl
define(`confTO_MAIL', `5m')dnl
define(`confTO_DATAINIT', `3m')dnl
define(`confTO_DATABLOCK', `3m')dnl
define(`confTO_DATAFINAL', `10m')dnl
define(`confTO_RCPT', `5m')dnl
define(`confTO_COMMAND', `5m')dnl
dnl A zero timeout turns ident lookups off.
define(`confTO_IDENT', `0s')dnl
define(`confTO_QUEUEWARN', `6h')dnl
define(`confTO_QUEUERETURN', `7d')dnl
dnl Load averages at which mail is queue-only (50) and new connections are refused (100).
define(`confQUEUE_LA', `50')dnl
define(`confREFUSE_LA', `100')dnl
define(`confSEPARATE_PROC',`True')dnl
dnl Empty address: presumably double bounces are dropped rather than delivered
dnl to postmaster - verify against the sendmail documentation.
define(`confDOUBLE_BOUNCE_ADDRESS',`')dnl
dnl No default submission listener; only the port 25 daemon declared below is set up here.
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
dnl Access database; -T<TMPF> sets the result used when a lookup fails temporarily.
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
dnl Wait 4000 ms before sending the greeting; clients that talk first are refused.
FEATURE(`greet_pause',`4000')dnl
dnl Postpone the sender and client checks until RCPT so recipient-based rules can apply.
FEATURE(`delay_checks')dnl
FEATURE(`compat_check')dnl
dnl Connection-time hygiene: refuse clients without resolvable reverse DNS,
dnl sender domains with an unusable MX, and malformed HELO arguments.
FEATURE(`require_rdns')dnl
FEATURE(`badmx')dnl
FEATURE(`block_bad_helo')dnl
dnl Restricted shell: limits which programs mail can be piped to.
FEATURE(`smrsh',`/usr/sbin/smrsh')
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=25, Name=MTA')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(procmail)dnl
dnl Milters over local unix sockets, with send (S) and read (R) timeouts.
dnl NOTE(review): no F= flag is given, so mail is presumably accepted unfiltered
dnl when a filter is down or times out - confirm that fail-open is intended.
INPUT_MAIL_FILTER(`milter-regex',`S=unix:/var/run/milter-regex.sock,
T=S:30s;R:2m')dnl
INPUT_MAIL_FILTER(`smf-spf', `S=unix:/var/run/smfs/smf-spf.sock,
T=S:30s;R:1m')dnl