Hello,
we've been using perdition as a pop3/pop3s/imap/imaps proxy for about
four years now, first with Debian Sarge package and now under Etch.
And throughout this time I've seen pop3s (and from the looks of it
the same happens with imaps) processes stuck in connect, like this:
---
16836 ? S 5:31 0 120 32179 2204 0.0 perdition.pop3s
28070 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
7782 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
24468 ? S 0:00 0 120 32311 1568 0.0 \_ perdition.pop3s: connect
14180 ? S 0:00 0 120 32311 1568 0.0 \_ perdition.pop3s: connect
13503 ? S 0:00 0 120 32311 1564 0.0 \_ perdition.pop3s: connect
---
They never die off, keep the connection open, there is no traffic and the
other end might be long gone. Last trace in the logs is always like this:
---
Feb 5 22:05:16 pp11 perdition[7782]: Connect: hi.mi.ts.u->203.216.5.113
---
It must be something related to the SSL'ness of these services, since I'm
not seeing this happening ever for imap/pop3. Alas a lot of people do use
TLS with those, so it's not a generic SSL issue. Maybe the master process
could kick a child handling connections in the head after "timeout"
seconds in connect state?
If more information is needed I can try to provide it, but note that with a
rate of roughly 35 pops per second I'm a bit wary of turning on
debugging. ^_-
This may or may not be related to another SSL related issue, which will
be for the sake of making searches in the archive more likely to find good
keywords in a separate mail.
Regards,
Christian
--
Christian Balzer Network/Systems Engineer NOC
chibi(a)gol.com Global OnLine Japan/Fusion Network Services
http://www.gol.com/
Hi Horms!
Modifications on *spec.in ( for vanessa_logger vanessa_adt
vanessa_socket perdition) are needed for "rpmbuild -ta <name>.tar.gz" on
Fedora >7 ? systems (rpm ver 4.4.xx)
-> Copyright: GNU Lesser General Public Licence
-< License: GNU (or wherever)
Thanks for your magnificent work! :-)
Hello
Are there any plans for a new perdition release? With the changeable
ldap version via configuration file is at least one useful change in the
repository. Maybe experimental ipv6 support could also be added.
I'm also the FreeBSD maintainer of the perdition port and I would like
to bring this in the ports tree without maintaining too many local patches.
Regards,
Tom
--
* Thomas Vogt UNIX System Engineer - SolNet AS9044 - PGP-3239B720 *
Hi folks
OS- Debian Etch
Xen
postfix
courier
perdition
perdition-mysql
MySQL
Single public IP
Dom0 - Debian Etch workstation
Server-1, domU1 for routing with perdition and perdition-mysql
installed
Server-2, domU2, mail server for domain-A
Server-3, domU3, mail server for domain-B
etc.
This is server virtualization for testing. The whole system is working
nicely. Mails of domain-A are delivered to Server-2, mails of domain-B
delivered to Server-3, etc. Roaming clients can log in to their servers to
download mails. But they can't send mails via their server.
Please advise how to configure perdition allowing roaming clients to
send mails via their server. Or do I have to use another solution? TIA
B.R.
Stephen L
Is it possible to get the source code for perdition-pbs without installing
mercurial on my Solaris system? I'd rather not install python and
Mercurial on a system that doesn't otherwise need them.
Thanks
___________________________________
David Alix
Information Systems and Computing
David.Alix(a)isc.ucsb.edu
(805)893-4456
Hi,
Is it possible to store regular expressions in a mysql database? We have
over 13,000 RE's in our popmap.re and understandably each time a user
authenticates it's taking a long time to process the request.
--
Best Regards,
Stephen
Hi,
Is it possible to proxy imap/pop3 connections based on the domain used in
the username? I'm trying to avoid having to enter in thousands of email
addresses into the popmap, instead having a wild card of *(a)domain.com ->
server1, *(a)domain1.com -> server2
thanks
--
Best Regards,
Stephen
Hello and a happy new year,
a couple of days ago one of our perdition servers exceeded the 1024 pop3
connections limit configured (normal usage is about 30-50 parallel
connections). It turned out that all these connections had been eaten up
by some customer trying to pop his email from China and instead of firing
off a connection every 2 minutes things seemed to fail on his end and
groups of 3-6 parallel connects (which failed in turn again) came hurtling
in.
We have been using perdition for over 4 years and have a huge customer
base with over 1.5 million pop3 connects per day and never seen anything
like this, so my guess here is that this is not (purely) a client thing
but that the grate(sic) firewall of China is involved, too.
Anyways, this is a typical example:
---
Jan 7 12:15:10 pp12 perdition[16881]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:10 pp12 perdition[16886]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:10 pp12 perdition[16889]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:38:19 pp12 perdition[16881]: io_read: read: Connection timed out
Jan 7 12:38:19 pp12 perdition[16881]: __token_fill_buffer: error reading input: Connection timed out
Jan 7 12:38:19 pp12 perdition[16881]: token_read: token_fill_buffer
Jan 7 12:38:19 pp12 perdition[16881]: read_line: token_read
Jan 7 12:38:19 pp12 perdition[16881]: pop3_in_get_pw: pop3_in_get_pw: read_line
Jan 7 12:38:19 pp12 perdition[16881]: main: protocol->in_get_pw
Jan 7 12:38:19 pp12 perdition[16881]: Fatal Error reading authentication information from client "218.1.143.164->203.216.5.113 ": Exiting child
---
Aside from being a good starting measure against a DoS attack in general a
feature where one could set a timeout for the maximum time that a process
is allowed to be in "connect" state (I would set this to 1 minute or less)
would be a very welcome addition.
The problem I raised in
http://lists.vergenet.net/pipermail/perdition-users/2008-February/001973.ht…
would benefit (as in workaround) from such a feature, too.
Regards,
Christian
--
Christian Balzer Network/Systems Engineer NOC
chibi(a)gol.com Global OnLine Japan/Fusion Network Services
http://www.gol.com/
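
Both of Christian's messages describe children that log "Connect:" and then sit idle; until the proxy enforces a connect-state timeout, the same condition can be detected from syslog alone. The following is an added example, not part of the original posts and not perdition code: it flags PIDs whose latest log line is still a Connect older than a limit, grouped by client address. The year, PID 16901, client 192.0.2.10 and its follow-up line are constructed, and PID reuse is ignored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted above. PID 16901, client
# 192.0.2.10 and its follow-up line are made up for the example.
SAMPLE = """\
Jan 7 12:15:10 pp12 perdition[16881]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:10 pp12 perdition[16886]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:10 pp12 perdition[16889]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:12 pp12 perdition[16901]: Connect: 192.0.2.10->203.216.5.113
Jan 7 12:15:13 pp12 perdition[16901]: (constructed follow-up line)
Jan 7 12:38:19 pp12 perdition[16881]: io_read: read: Connection timed out
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ perdition\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"Connect: (\S+)->\S+")

def parse(text, year=2009):
    """Yield (timestamp, pid, message); syslog has no year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def stuck_in_connect(text, now, limit=timedelta(seconds=60)):
    """Map client -> PIDs whose latest line at `now` is a Connect older than limit."""
    last = {}
    for ts, pid, msg in parse(text):
        if ts <= now:
            c = CONNECT.match(msg)
            last[pid] = (ts, c.group(1) if c else None)
    hits = defaultdict(list)
    for pid, (ts, client) in last.items():
        if client is not None and now - ts > limit:
            hits[client].append(pid)
    return {client: sorted(pids) for client, pids in hits.items()}

def wait_after_connect(text):
    """Seconds each child spent between its Connect line and its next log line."""
    started, waited = {}, {}
    for ts, pid, msg in parse(text):
        if CONNECT.match(msg):
            started[pid] = ts
        elif pid in started:
            waited[pid] = int((ts - started.pop(pid)).total_seconds())
    return waited
```

Run against a live log with `now=datetime.now()` and the matching year, the first function gives the list of children a watchdog would have to terminate.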