From: Jim H. - U. H. <hos...@uu...> - 2008-11-17 05:07:54

> From: "Murray S. Kucherawy" <ms...@se...>
>
> On Sat, 8 Nov 2008, Jim Hermann - UUN Hostmaster wrote:
> > Why does my dkim-filter make and keep open so many connecting to my
> > upstream DNS?
> > [...]
>
> Just to be precise, there's no such thing as a UDP "connection", just a
> socket that gets reserved for communication with a particular source.
>
> Are you compiling with USE_ARLIB enabled? If so, that might be something
> we can address by fixing that library. If not, your operating system's
> resolver library is responsible for the sockets.

I was not using the asynchronous (ARLIB) resolver, so I compiled dkim-filter version 2.7.0 with define(`bld_USE_ARLIB', `True').

After a week with the new dkim-filter, there are 25 netstat udp entries for my Upstream Nameserver #1 and 5 entries for the local nameserver, all for dkim-filter.

None of my other milters leave these netstat udp entries. I use milter-greylist, milter-link, and milter-spiff, all use DNS lookups. The only other difference is that dkim-filter uses a port to communicate with Sendmail, while the other milters use UNIX sockets.

DKIM does not release the tcp ports either. It has 6 tcp ports open to port XXXX on the local machine.

Here are my Sendmail settings:

Xdkim-filter, S=inet:XXXX@localhost, T=S:1m;R:1m

Thanks for the help.

Jim

-----
Jim Hermann <hostmaster@UUism.net>
UUism Networks <http://www.UUism.net>
Ministering to the Needs of Online UUs
Web Hosting, Email Services, Mailing Lists
-----

From: Jim H. - U. H. <hos...@uu...> - 2008-11-22 05:05:36

> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 18 Nov 2008 23:26:34 -0800 (PST)
> From: "Murray S. Kucherawy" <ms...@se...>
> Subject: Re: [dkim-milter-discuss] dkim-filter connections to upstream
> nameservers
> To: dkim-milter general discussion
> <dki...@li...>
> Message-ID: <200...@pr...>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> If you have "lsof" installed, using it on your dkim-filter process would
> be really helpful in corroborating what "netstat" is claiming. I would
> trust the output of "lsof" before that of "netstat" in terms of tracking
> down a possible problem.

What do you make of this?

# dkim-filter -V
dkim-filter: Sendmail DKIM Filter v2.7.0
    Compiled with OpenSSL 0.9.8i 15 Sep 2008
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        POPAUTH
        QUERY_CACHE

# ps -A | grep dkim
 4170 ? 00:06:39 dkim-filter
# lsof -p 4170 | grep -c UDP
77
# netstat -anp | grep dkim | grep -c udp
77

# lsof -p 4170
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dkim-filt 4170 milter cwd DIR 8,1 4096 2 /
dkim-filt 4170 milter rtd DIR 8,1 4096 2 /
dkim-filt 4170 milter txt REG 8,5 1094531 632152 /usr/bin/dkim-filter
dkim-filt 4170 milter mem REG 8,1 126576 16481 /lib/ld-2.3.6.so
dkim-filt 4170 milter mem REG 8,1 1481808 14777 /lib/libc-2.3.6.so
dkim-filt 4170 milter mem REG 8,1 16244 14812 /lib/libdl-2.3.6.so
dkim-filt 4170 milter mem REG 8,1 27660 14751 /lib/libcrypt-2.3.6.so
dkim-filt 4170 milter mem REG 8,1 101680 16482 /lib/libpthread-2.3.6.so
dkim-filt 4170 milter mem REG 8,1 91700 14728 /lib/libnsl-2.3.6.so
dkim-filt 4170 milter mem REG 8,1 974284 14721 /lib/tls/i686/libdb-4.3.so
dkim-filt 4170 milter mem REG 0,0 0 [heap] (stat: No such file or directory)
dkim-filt 4170 milter mem REG 8,1 46640 14705 /lib/libnss_files-2.3.6.so
dkim-filt 4170 milter mem REG 8,5 304508 531284 /usr/lib/libbind.so.3.0.8
dkim-filt 4170 milter mem REG 8,1 26100 14826 /lib/libnss_ensimvwh.so.2
dkim-filt 4170 milter 0u CHR 1,3 2178 /dev/null
dkim-filt 4170 milter 1u CHR 1,3 2178 /dev/null
dkim-filt 4170 milter 2u CHR 1,3 2178 /dev/null
dkim-filt 4170 milter 3r REG 8,1 9702 48433 /etc/mail/dkim-filter.conf
dkim-filt 4170 milter 4u IPv4 191349481 TCP localhost.localdomain:9990 (LISTEN)
dkim-filt 4170 milter 5r REG 8,1 40960 46996 /etc/mail/popip.db
dkim-filt 4170 milter 6u unix 0xc6d49880 191349486 socket
dkim-filt 4170 milter 7u IPv4 197825278 UDP host.uuserver.net:35578->ns11-c.fastdns.net:domain
dkim-filt 4170 milter 8u IPv4 197696258 UDP host.uuserver.net:34668->ns11-c.fastdns.net:domain
dkim-filt 4170 milter 9u IPv4 195370450 UDP host.uuserver.net:36327->ns11-c.fastdns.net:domain
dkim-filt 4170 milter 10u sock 0,4 197695918 can't identify protocol
dkim-filt 4170 milter 11u IPv4 196950934 UDP host.uuserver.net:55630->ns12-c.fastdns.net:domain
[snip]
dkim-filt 4170 milter 115u IPv4 244287792 UDP host.uuserver.net:33798->ns11-c.fastdns.net:domain
dkim-filt 4170 milter 116u IPv4 249062116 UDP host.uuserver.net:37422->ns12-c.fastdns.net:domain
dkim-filt 4170 milter 118u IPv4 243310449 UDP host.uuserver.net:47646->ns11-c.fastdns.net:domain
dkim-filt 4170 milter 119u IPv4 249797037 UDP host.uuserver.net:37148->ns11-c.fastdns.net:domain
dkim-filt 4170 milter 120u IPv4 245500070 UDP host.uuserver.net:60271->ns11-c.fastdns.net:domain
dkim-filt 4170 milter 121u IPv4 249062118 UDP localhost.localdomain:37423->localhost.localdomain:domain
dkim-filt 4170 milter 122u IPv4 248146438 UDP host.uuserver.net:32853->ns11-c.fastdns.net:domain
dkim-filt 4170 milter 123u IPv4 250699340 TCP localhost.localdomain:9990->localhost.localdomain:54032 (ESTABLISHED)

From: SM <sm...@re...> - 2008-11-22 06:57:16

At 21:05 21-11-2008, Jim Hermann - UUN Hostmaster wrote:
>What do you make of this?
>
># dkim-filter -V
>dkim-filter: Sendmail DKIM Filter v2.7.0
>    Compiled with OpenSSL 0.9.8i 15 Sep 2008
>    Supported signing algorithms:
>        rsa-sha1
>        rsa-sha256
>    Supported canonicalization algorithms:
>        relaxed
>        simple
>    Active code options:
>        POPAUTH
>        QUERY_CACHE
>
># ps -A | grep dkim
> 4170 ? 00:06:39 dkim-filter
># lsof -p 4170 | grep -c UDP
>77
># netstat -anp | grep dkim | grep -c udp
>77

There was a report of such behavior when using the Solaris resolver. The problem disappeared when libar is enabled.

Regards,
-sm

From: Murray S. K. <ms...@se...> - 2008-11-23 09:31:14

Please paste the output of:

    % strings <dkim-filter-path> | fgrep ar.c,v

I've looked over the most recent libar source code but can't find any code path that would cause UDP descriptor leakage. I want to make sure I'm looking at the same copy of that file that you're using.

From: UUN H. <hos...@uu...> - 2008-11-22 14:58:28

This version of dkim-milter was compiled with libar enabled.

Jim

-----
Jim Hermann <hostmaster@UUism.net>
UUism Networks
Ministering to the Needs of Online UUs
Web Hosting, Email Services, Mailing Lists
-----
Sent from my Verizon Wireless BlackBerry

From: SM <sm...@re...> - 2008-11-22 16:08:29

At 06:59 22-11-2008, UUN Hostmaster wrote:
>This version of dkim-milter was compiled with libar enabled.

Enable _FFR_DNS_UPGRADE as well.

Regards,
-sm

From: Jim H. - U. H. <hos...@uu...> - 2008-11-23 04:34:07

> ------------------------------
> Message: 2
> Date: Fri, 21 Nov 2008 22:34:44 -0800
> From: SM <sm...@re...>
> Subject: Re: [dkim-milter-discuss] dkim-filter connections to upstream
> nameservers
> To: dkim-milter general discussion
> <dki...@li...>
> Message-ID: <6.2...@re...>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> There was a report of such behavior when using the Solaris
> resolver. The problem disappeared when libar is enabled.

Here is the site.config.m4 file that I used for compiling dkim-filter

# egrep -v "^dnl|^$" site.config.m4
define(`bld_USE_ARLIB', `true')
APPENDDEF(`conf_dkim_filter_ENVDEF', `-DPOPAUTH ')
APPENDDEF(`confENVDEF', `-DQUERY_CACHE ')
APPENDDEF(`confINCDIRS', `-I/usr/local/include ')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib ')
APPENDDEF(`bld_dkim_filter_INCDIRS', `-I/usr/include')
APPENDDEF(`bld_dkim_filter_LIBDIRS', `-L/usr/lib')

Here is my sendmail.cf values:

Xdkim-filter, S=inet:XXXX@localhost, T=S:1m;R:1m

Thanks.

Jim

From: SM <sm...@re...> - 2008-11-23 08:52:56

At 20:33 22-11-2008, Jim Hermann - UUN Hostmaster wrote:
>Here is the site.config.m4 file that I used for compiling dkim-filter
>
># egrep -v "^dnl|^$" site.config.m4
>define(`bld_USE_ARLIB', `true')
>APPENDDEF(`conf_dkim_filter_ENVDEF', `-DPOPAUTH ')
>APPENDDEF(`confENVDEF', `-DQUERY_CACHE ')
>APPENDDEF(`confINCDIRS', `-I/usr/local/include ')
>APPENDDEF(`confLIBDIRS', `-L/usr/local/lib ')
>APPENDDEF(`bld_dkim_filter_INCDIRS', `-I/usr/include')
>APPENDDEF(`bld_dkim_filter_LIBDIRS', `-L/usr/lib')

Add APPENDDEF(`confENVDEF', `-D_FFR_DNS_UPGRADE ')

Regards,
-sm

From: Murray S. K. <ms...@se...> - 2008-11-19 07:26:45

On Sun, 16 Nov 2008, Jim Hermann - UUN Hostmaster wrote:
> I was not using the asynchronous (ARLIB) resolver, so I compiled
> dkim-filter version 2.7.0 with define(`bld_USE_ARLIB', `True').

In that case any leftover descriptors prior to your rebuild are in use by (and perhaps leaked by) your system's resolver library.

> After a week with the new dkim-filter, there are 25 netstat udp entries
> for my Upstream Nameserver #1 and 5 entries for the local nameserver,
> all for dkim-filter.

I've been running dkim-milter 2.8.0.Beta2 for eight days now and it has one TCP port open on which it is listening and two UDP ports open which aren't associated with anything in particular. The former is for accepting connections from the MTA; the latter are presumably for DNS work.

If you have "lsof" installed, using it on your dkim-filter process would be really helpful in corroborating what "netstat" is claiming. I would trust the output of "lsof" before that of "netstat" in terms of tracking down a possible problem.

> DKIM does not release the tcp ports either. It has 6 tcp ports open to
> port XXXX on the local machine.

That would be the MTA connecting to dkim-filter. There's one of those for every connection your MTA has open. That's normal. The connections go away when the SMTP client disconnects from the MTA. Try it yourself; telnet to your own port 25 and you should see one more TCP connection appear between the MTA and the filter; disconnect, and it should go away.

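The lsof check discussed in this thread, turned into a repeatable summary. This is an added example, not part of any poster's message and not dkim-milter code: it groups a process's UDP sockets by remote peer and counts the TCP listener and established MTA connections, so descriptor growth between runs is visible. The function names and the host names in the sample are made up for the illustration.

```shell
#!/bin/sh
# Added example: summarise socket descriptors from `lsof -p PID` text on stdin.
# Typical use (assumes Linux pidof): lsof -p "$(pidof dkim-filter)" | udp_by_peer

# Print "<count> <peer>" for each UDP remote peer, busiest first.
udp_by_peer() {
    awk '{
        for (i = 1; i < NF; i++) if ($i == "UDP") {
            n = split($(i + 1), part, "->")            # NAME is local->remote
            peer = (n == 2) ? part[2] : "(unconnected)"
            sub(/:[^:]*$/, "", peer)                   # drop :port or :service
            count[peer]++
            break
        }
    }
    END { for (p in count) print count[p], p }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Print "listen=<n> established=<n>" for the TCP side (MTA <-> filter).
tcp_states() {
    awk '{
        for (i = 1; i < NF; i++) if ($i == "TCP") {
            if ($NF == "(LISTEN)") l++
            else if ($NF == "(ESTABLISHED)") e++
            break
        }
    }
    END { printf "listen=%d established=%d\n", l, e }'
}

# Succeed only if the total number of UDP sockets is at or below the limit ($1).
udp_within_limit() {
    total=$(udp_by_peer | awk '{ s += $1 } END { print s + 0 }')
    [ "$total" -le "$1" ]
}

# Constructed sample in the column layout shown in the thread (not real output).
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dkim-filt 4170 milter 3r REG 8,1 9702 48433 /etc/mail/dkim-filter.conf
dkim-filt 4170 milter 4u IPv4 1001 TCP localhost.localdomain:9990 (LISTEN)
dkim-filt 4170 milter 7u IPv4 1002 UDP host.example.net:35578->ns1.example.net:domain
dkim-filt 4170 milter 8u IPv4 1003 UDP host.example.net:34668->ns1.example.net:domain
dkim-filt 4170 milter 9u IPv4 1004 UDP host.example.net:55630->ns2.example.net:domain
dkim-filt 4170 milter 10u IPv4 1005 UDP localhost.localdomain:37423->localhost.localdomain:domain
dkim-filt 4170 milter 11u IPv4 1006 TCP localhost.localdomain:9990->localhost.localdomain:54032 (ESTABLISHED)
EOF
}
```

Run from cron with a limit a little above the steady-state count, `udp_within_limit` gives an exit status that can drive an alert before the process runs out of descriptors.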