Connection from [a.b.c.d]… refused: too many connections and Exim

At times your Exim server might be overwhelmed:

2023-11-09 12:04:05 Connection from [188.234.244.30]:3802 refused: too many connections

Your server is most likely under attack.

Check like this:

tail -f /var/log/exim_mainlog | grep refused
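
The `tail | grep` above only shows the refusals scrolling by. To see whether one host or many are hitting the limit, the added shell script below (not from the original post) pulls the source IP out of every "refused: too many connections" line and counts them. The log lines in the heredoc are constructed sample data in the format shown above; on a real server run `refused_by_ip /var/log/exim_mainlog` instead.

```shell
#!/bin/sh
# Added example: summarize "refused: too many connections" events in an
# Exim mainlog by source IP. The log below is constructed sample data.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2023-11-09 12:04:05 Connection from [188.234.244.30]:3802 refused: too many connections
2023-11-09 12:04:06 Connection from [188.234.244.30]:3811 refused: too many connections
2023-11-09 12:04:07 Connection from [203.0.113.7]:51000 refused: too many connections
2023-11-09 12:04:08 1r0zqz-0001aa-Bc <= sender@example.org H=mail.example.org [198.51.100.5] P=esmtp S=1234
2023-11-09 12:04:09 Connection from [188.234.244.30]:3820 refused: too many connections
EOF

# Print "count ip" for every IP refused with "too many connections",
# most frequent first. The bracketed address is extracted with sed so
# that IPv6 literals (which contain colons) are handled too.
refused_by_ip() {
    grep 'refused: too many connections' "$1" \
      | sed -n 's/.*Connection from \[\([^]]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Number of distinct refused IPs: a quick "one host or a botnet?" check.
refused_ip_count() {
    refused_by_ip "$1" | wc -l | tr -d ' '
}

# The single most frequently refused IP.
top_refused_ip() {
    refused_by_ip "$1" | head -n 1 | awk '{print $2}'
}

refused_by_ip "$SAMPLE_LOG"
```

If a handful of IPs dominate the output, blocking them at the firewall is cheaper than raising smtp_accept_max; if hundreds of distinct IPs each appear once or twice, the connection limit itself is what is protecting you.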

Temporary fix:

  1. Go to “Home / Service Configuration / Exim Configuration Manager”
  2. Click the Advanced Editor tab
  3. Search for smtp_accept_max
  4. Change the value as needed. Example: 200
  5. Scroll down and click save

After you save, the Exim restart can take several minutes.

Choose a realistic value when changing this default and consider that your server might still be under attack.

To help with mitigating attacks, consider changing the defaults:

Updating “Log sender rates in the exim mainlog.  This can be helpful for tracking problems and/or spammers.” from “Off” to “On”.
“Log sender rates in the exim mainlog.  This can be helpful for tracking problems and/or spammers.” was updated.
Updating “Sender Verification Callouts” from “Off” to “On”.
“Sender Verification Callouts” was updated.

Try this too:

Updating “Maximum message recipients before disconnect (hard limit)” from “” to “20”.
“Maximum message recipients before disconnect (hard limit)” was updated.
Updating “Maximum message recipients (soft limit)” from “” to “10”.
“Maximum message recipients (soft limit)” was updated.
Updating “Allow DKIM verification for incoming messages” from “Off” to “On”.
“Allow DKIM verification for incoming messages” was updated.
Updating “Reject remote mail sent to the server's hostname” from “Off” to “On”.
“Reject remote mail sent to the server's hostname” was updated.

Along the way you’ll get frustrated and struggle: there is no way to simply block by PTR / reverse DNS records.

Blocklists that don’t exist. But this list will be provided.

These suggestions were given by high velocity:

  • Count the number of TCP connections on port 25:
    • netstat -plan | grep ':25' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
  • Connection Tracking: Change CT_LIMIT to 500
    • It was disabled. It should block IPs that are causing more than 500 connections
  • Changed the cPHulk Brute Force Protection Period from 15 minutes to 5
  • Reduced Maximum Failures by Account from 15 to 5
  • Enabled “Block IP addresses at the firewall level if they trigger brute force protection”
  • Reduced “Maximum Failures per IP Address before the IP Address is blocked for One Day” from 30 to 5
  • Implement rate limiting to restrict number of emails that can be sent per hour
    • Not applicable for remote “unknown users attacks”
  • Set a session timeout for mail to prevent attacks where long delays are used to send data character by character with large mail sizes.
  • Install Fail2ban and make it co-exist with cPHulk.
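
The netstat one-liner above counts connections per peer, and CT_LIMIT is the threshold CSF applies to that count. The added script below (not from the original post or from CSF) does the same thing over netstat-style output so the two can be seen together: it counts port-25 connections per remote IP and reports the ones above a limit you pass in. The netstat lines in the heredoc are constructed sample data; on a live server feed it `netstat -plan` output instead.

```shell
#!/bin/sh
# Added example: count SMTP (port 25) connections per remote IP from
# "netstat -plan"-style output and list the IPs over a CT_LIMIT-style
# threshold. The netstat lines below are constructed sample data.

SAMPLE_NETSTAT="$(mktemp)"
cat > "$SAMPLE_NETSTAT" <<'EOF'
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 192.0.2.10:25           188.234.244.30:3802     ESTABLISHED 1235/exim
tcp        0      0 192.0.2.10:25           188.234.244.30:3811     ESTABLISHED 1236/exim
tcp        0      0 192.0.2.10:25           188.234.244.30:3820     ESTABLISHED 1237/exim
tcp        0      0 192.0.2.10:25           203.0.113.7:51000       ESTABLISHED 1238/exim
tcp        0      0 192.0.2.10:25           203.0.113.7:51001       SYN_RECV    -
tcp        0      0 192.0.2.10:443          203.0.113.9:40000       ESTABLISHED 1300/httpd
EOF

# "count ip" per remote peer connected to local port 25. The LISTEN row is
# skipped (its foreign address is 0.0.0.0:*), and only the trailing port is
# stripped from the peer address, so IPv6 peers are not mangled the way
# "cut -d: -f1" would mangle them.
smtp_conns_by_ip() {
    awk '$4 ~ /:25$/ && $6 != "LISTEN" { sub(/:[0-9]+$/, "", $5); print $5 }' "$1" \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# IPs holding more than LIMIT concurrent SMTP connections; with CSF
# connection tracking enabled, CT_LIMIT is the number playing this role.
smtp_over_limit() {
    smtp_conns_by_ip "$1" | awk -v limit="$2" '$1 > limit {print $2}'
}

smtp_conns_by_ip "$SAMPLE_NETSTAT"
echo "over limit of 2:"
smtp_over_limit "$SAMPLE_NETSTAT" 2
```

Half-open connections (SYN_RECV) are counted alongside established ones on purpose: a flood of them is exactly what makes Exim hit smtp_accept_max, so excluding them would hide the problem you are trying to measure.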

Eventually the thing that partially worked was country blocking. The only problem is that these countries didn’t have country information in CSF. Also read the notes about MaxMind and the alternatives:

  • Azerbaijan (AZ)
  • Iran (IR)
  • Kazakhstan (KZ)
  • Kyrgyzstan (KG)
  • Pakistan (PK)
  • Russia (RU)
  • SK
  • Thailand (TH)
  • TY
  • Uzbekistan (UZ)

CC_DENY = "AZ,IR,KZ,KG,PK,RU,SK,TH,TY,UZ"

See also

Denial of Service PORTFLOOD settings:

https://forum.configserver.com/viewtopic.php?t=6829
