[Mailman-Users] Mailman server consuming entire Internet pipe (dual T1)

Scott Race scott at 916networks.com
Wed Nov 24 19:55:29 CET 2010


Was scrolling through the maillog just now, nothing out of the ordinary other than list traffic that I can tell.

So no, all inbound mail comes to the Barracuda, gets cleaned and sent to the Mailman server.  Each day about 600 inbound junk mails get blocked and around 50 legit emails.  It is hosting just lists only, no other inbound or outbound mail.  Outbound does get sent directly out the Postfix and is not sent through any smart host.

Good question on the verifying recipients - not quite sure the exact answer - I think the mailman server is processing bounces because I'll see bounced emails in the log to "johnsmith at lists.mydomain.com does not exist".  So invalid recipients do seem to hit the Mailman server.  Maybe filtering recipients at the Barracuda could help?

On the note of the traffic - today everything is fine.  Not sure why for 5 days it was consuming the pipe, but have not found any indication of an open relay or malicious intent.  We did throttle back the simultaneous connections, maybe that will help a bit.

My Postfix maillog shows a ton of these:

(lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)   

and

(conversation with mail.laguna-hills.ca.us[68.203.215.26] timed out while sending end of data -- message may be sent more than once)  

 11,968 matches of (lost connection) and 9202 matches of (conversation with) in a log file covering 4 days (Nov 21 01:18 - Nov 24 9:07).

One thing that did change was the internal DNS servers on the network, I almost have to assume it has to do with that.....


-----Original Message-----
From: Andrew Hodgson [mailto:andrew at hodgsonfamily.org] 
Sent: Wednesday, November 24, 2010 10:34 AM
To: Scott Race; mailman-users at python.org
Subject: RE: [Mailman-Users] Mailman server consuming entire Internet pipe (dual T1)

Scott Race wrote:

[...]

>I've done some basic testing for open relays, so far I have not found anything indicating it's an open relay. Packet sniffing shows connections from a number of IP addresses to the Mailman server.  Outside test shows the hostname is not an open relay, and I can't telnet on port 25 with standard HELO command.  All internal mail comes to a Barracuda spam filter unit.

>/usr/local/mailman/logs/post shows 19 posts today to the various lists.

The Postfix logs would be of more benefit I think here, as well as the mail queue.
 
You say you route mails through a Barracuda host, do you allow traffic directly into this machine on port 25 externally?  Is this machine hosting lists only, and if so, how is the Barracuda/Postfix server verifying recipients as early as possible (in case the domain is receiving large amounts of bounced mail and is rejecting with a full NDR and not a bounce at SMTP stage)?  Does outbound mail get delivered direct from Postfix or are you smarthosting to the Barracuda?

Thanks.
Andrew. 
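
An added example, not part of the original thread: one way to break down the "lost connection" and "timed out while sending end of data" counts quoted above by destination host and by queue ID, to see whether a few destinations or a few repeatedly retried messages account for them. The log lines are constructed and assume the standard Postfix smtp client log format; hostnames and addresses are placeholders.

```python
import re
from collections import Counter

# The two deferral reasons quoted in the post, as logged by the Postfix smtp client.
DEFERRED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): .*status=deferred "
    r"\((?P<kind>lost connection|conversation) with "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\] "
    r"(?:timed out )?while sending end of data"
)

def tally(lines):
    """Count end-of-data failures per (host, reason) and per queue ID."""
    by_host, by_qid = Counter(), Counter()
    for line in lines:
        m = DEFERRED.search(line)
        if m is None:
            continue  # delivered mail, other deferrals, non-smtp lines
        kind = "timed out" if m["kind"] == "conversation" else "lost connection"
        by_host[(m["host"], kind)] += 1
        # Both failures occur after the body was transmitted, so a queue ID
        # seen N times here means the full message crossed the link N times.
        by_qid[m["qid"]] += 1
    return by_host, by_qid

# Constructed sample input (not taken from the poster's server).
SAMPLE = """\
Nov 21 01:18:02 lists postfix/smtp[4101]: 1A2B3C4D5E: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=310, delays=0.1/0/5/305, dsn=4.4.2, status=deferred (lost connection with mx.example.org[192.0.2.10] while sending end of data -- message may be sent more than once)
Nov 21 01:49:40 lists postfix/smtp[4188]: 1A2B3C4D5E: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=2208, delays=1898/0/5/305, dsn=4.4.2, status=deferred (lost connection with mx.example.org[192.0.2.10] while sending end of data -- message may be sent more than once)
Nov 21 02:03:11 lists postfix/smtp[4230]: 6F7A8B9C0D: to=<b@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=615, delays=0.2/0/4/611, dsn=4.4.2, status=deferred (conversation with mail.example.net[198.51.100.7] timed out while sending end of data -- message may be sent more than once)
Nov 21 02:03:12 lists postfix/smtp[4231]: 6F7A8B9C0D: to=<c@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=3.1, delays=0.2/0/1/1.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Nov 21 02:10:55 lists postfix/smtp[4240]: 6F7A8B9C0D: to=<d@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1079, delays=770/0/5/304, dsn=4.4.2, status=deferred (lost connection with mx.example.org[192.0.2.10] while sending end of data -- message may be sent more than once)
"""

if __name__ == "__main__":
    hosts, qids = tally(SAMPLE.splitlines())
    for (host, kind), n in hosts.most_common():
        print(f"{n:6d}  {kind:15s}  {host}")
    for qid, n in qids.most_common():
        print(f"{n:6d}  attempts  {qid}")
```

To run it over a real log, pass an open file object for the maillog to `tally()` in place of the sample lines.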



