Exim eating the cpu ... and the memory
Hi,
My exim is very often the victim of dictionary attacks ... and spam attacks (especially on one domain I host...)... But since I use MailScanner and it's eating a lot of memory... when I'm attacked that way, my server becomes very slow...
Am I the only one with a load problem because of exim?
So I want to limit exim...
Here's some stuff I found:
http://cedar-solutions.com/JSPWiki/Wiki.jsp?page=EximLoad
Do you recommend these settings? Are they too strict?
Also, on a more general note, I would like to know where in the exim configuration editor in WHM I have to set these options.
It's easy when I just "vi exim.conf" ... but they will be overwritten by cpanel update/upgrade, etc...
Thanks for your help :)
GalCom
01-18-2006, 01:46 AM
Not sure on the settings, but as far as where the editor is in WHM: Service Configuration->Exim Configuration Editor->Switch to Advance Mode :)
"It's easy when i just "vi exim.conf" ... but they will be overwrited by cpanel update/upgrade, etc..."
It is recommended to use the WHM Exim Advanced Configuration Editor only when making changes to the exim.conf file. It will not be interfered with by a cPanel upgrade and there are safety measures in place to prevent syntax errors from restarting Exim. In other words you should never do a manual edit of exim.conf.
Galcom's location of the advanced editor is spot on ;)
If you have BFD installed then the exim rules will slow you down like a heavy rock in your pocket would running the 100 meters. Exim with Mailscanner will do the job much better.
Delete or rename the file /user/local/bfd/rules/exim
If you have APF installed then another file that will slow you down heaps is /etc/apf/deny_hosts.rules.
It will fill up with lots of hosts that have been denied and bog down your server while it checks them all. Only keep a comfortable quantity like a week or 2 or even the current month and keep this file trim from time to time.
HTH
:)
charles
01-18-2006, 09:42 AM
"If you have APF installed then another file that will slow you down heaps is /etc/apf/deny_hosts.rules.
It will fill up with lots of hosts that have been denied and bog down your server while it checks them all. Only keep a comfortable quantity like a week or 2 or even the current month and keep this file trim from time to time."
This is so true. We occasionally see customers with huge numbers of IPs in /etc/apf/deny_hosts.rules. I think I'll set up something to notify these people when they exceed some threshold, and remind them to prune it.
What's a too high number? 1K? 10K? I have seen as high as 55K.
charles
:)
ls -al /etc/apf/deny_hosts.rules
-rw-r----- 1 root root 21955 Jan 18 15:54 /etc/apf/deny_hosts.rules
charles
01-18-2006, 08:53 PM
I meant what was a large number of IPs to block (or lines in the file). Do a
wc -l /etc/apf/deny_hosts.rules
for an approximation (there is a 35 line header and sometimes a 2 line comment per block rule).
charles
I had 600 lines ...
I deleted some of them...
I kept everything from January 1, 2006 ...
I'm now at 340 lines...
But about the way to edit the exim conf with the advanced editor... Can you tell me if I have to add the settings in the first section? The changes are intended to be added to the main section, I believe...
If you don't know or you're not sure, I'll simply add a comment and see if it was added in the correct section ... :)
charles
01-18-2006, 09:06 PM
I'm honestly not sure where to put the exim changes. Best to experiment with comments as you said.
charles
OK,
I added those lines:
smtp_accept_max_per_host = 5
queue_run_max = 5
I hope it will work ... because again today, a dictionary or spam attack probably did kill my server for a few moments... My services were restarted...
Also, I commented out all the lines in the ..../rules/exim and did the same for /rules/sendmail because they were looking at the same log file... not sure if it was useful but anyway...
I wasn't sure if renaming the file will prevent it from running ... I didn't want to move it and then lose it :)
"...My exim is very often victim of dictionnary attack ... and spam attack (especially on one domain i host... )..."
Did you take a look at this, which might help stop those dictionary attacks? This is a highly recommended addition.
http://www.configserver.com/free/eximdeny.html
:)
Hi izzy,
Thanks for your link ... but I already have it installed... and it works ;)
But it still takes some load when the attacks occur ...
But I believe the recent config option I added really changed the situation... I haven't had any problem since that day... I didn't have a lot of time to monitor ...
At least, I didn't receive anything about services that failed ;)
That's great news and looks like a good solution all round.
:)
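Added example, not part of the original thread: the thread notes that `wc -l /etc/apf/deny_hosts.rules` only approximates the number of blocked hosts because of the header and per-rule comment lines, and mentions notifying people once the file passes some threshold. The sketch below counts only real entries and returns a non-zero status when a threshold is exceeded. It assumes comment lines start with `#`; the function names are hypothetical, the threshold is whatever you choose, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: comment/header lines in the
# deny file start with '#', and every other non-blank line is one deny entry.

# Print the number of real entries, so headers and per-rule comments
# do not inflate the figure the way `wc -l` does.
count_deny_entries() {
    awk '
        /^[[:space:]]*#/ { next }   # header and per-rule comment lines
        /^[[:space:]]*$/ { next }   # blank lines
        { n++ }
        END { print n + 0 }
    ' "$1"
}

# Usage: check_deny_file FILE THRESHOLD
# Prints one status line; returns 0 if within threshold, 1 if over, 2 if unreadable.
check_deny_file() {
    file=$1
    limit=$2
    if [ ! -r "$file" ]; then
        echo "UNREADABLE $file"
        return 2
    fi
    entries=$(count_deny_entries "$file")
    if [ "$entries" -gt "$limit" ]; then
        echo "PRUNE $file: $entries entries (threshold $limit)"
        return 1
    fi
    echo "OK $file: $entries entries (threshold $limit)"
    return 0
}

# Constructed sample: 11 lines in total, only 4 of them deny entries.
make_sample_deny_file() {
    cat <<'EOF'
# constructed header line 1
# constructed header line 2

# constructed per-rule comment, line 1
# constructed per-rule comment, line 2
192.0.2.10
# constructed per-rule comment, line 1
# constructed per-rule comment, line 2
198.51.100.7
203.0.113.0/24
192.0.2.55
EOF
}
```

Calling `check_deny_file /etc/apf/deny_hosts.rules N` from a scheduled job, with N set to your own limit, gives a status line and an exit code that a notification step can act on.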