From: "Peter Moylan" <ecs-isp@2rosenthals.com>
Received: from [192.168.100.201] (HELO mail.2rosenthals.com)
  by 2rosenthals.com (CommuniGate Pro SMTP 5.4.10)
  with ESMTPS id 9681557 for ecs-isp@2rosenthals.com; Sun, 19 May 2024 19:20:51 -0400
Received: from secmgr-va.randr ([192.168.200.201]:52213 helo=mail2.2rosenthals.com)
	by mail.2rosenthals.com with esmtp (Exim 4.96)
	(envelope-from <peter@pmoylan.org>)
	id 1s8ppY-0007Tt-2g
	for ecs-isp@2rosenthals.com;
	Sun, 19 May 2024 19:20:42 -0400
Received: from pmoylan.org ([144.6.37.71]:52956 helo=mail.pmoylan.org)
	by mail2.2rosenthals.com with esmtp (Exim 4.96)
	(envelope-from <peter@pmoylan.org>)
	id 1s8ppL-0008Dm-0q
	for ecs-isp@2rosenthals.com;
	Sun, 19 May 2024 19:20:29 -0400
X-SASI-Hits: BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_ENDS_IN_URL 0.000000,
	BODY_SIZE_1300_1399 0.000000, BODY_SIZE_2000_LESS 0.000000,
	BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_7000_LESS 0.000000,
	CTE_7BIT 0.000000, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000,
	HTML_00_01 0.050000, HTML_00_10 0.050000, IN_REP_TO 0.000000,
	KNOWN_MSGID 0.000000, LEGITIMATE_SIGNS 0.000000, MSG_THREAD 0.000000,
	NO_URI_HTTPS 0.000000, REFERENCES 0.000000, SENDER_NO_AUTH 0.000000,
	SINGLE_URI_IN_BODY 0.000000, SUSP_DH_NEG 0.000000, __ANY_URI 0.000000,
	__BODY_NO_MAILTO 0.000000, __BOUNCE_CHALLENGE_SUBJ 0.000000,
	__BOUNCE_NDR_SUBJ_EXEMPT 0.000000, __CP_URI_IN_BODY 0.000000, __CT 0.000000,
	__CTE 0.000000, __CT_TEXT_PLAIN 0.000000, __DKIM_ALIGNS_1 0.000000,
	__DKIM_ALIGNS_2 0.000000, __DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000,
	__DQ_NEG_IP 0.000000, __FORWARDED_MSG 0.000000, __FRAUD_BADTHINGS 0.000000,
	__FUR_HEADER 0.000000, __HAS_FROM 0.000000, __HAS_MSGID 0.000000,
	__HAS_REFERENCES 0.000000, __HEADER_ORDER_FROM 0.000000,
	__IN_REP_TO 0.000000, __MAIL_CHAIN 0.000000, __MIME_BOUND_CHARSET 0.000000,
	__MIME_TEXT_ONLY 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000,
	__MIME_VERSION 0.000000, __MOZILLA_MSGID 0.000000,
	__MOZILLA_USER_AGENT 0.000000, __MULTIPLE_RCPTS_TO_X2 0.000000,
	__NO_HTML_TAG_RAW 0.000000, __PHISH_SPEAR_SUBJECT 0.000000,
	__PHISH_SPEAR_SUBJ_ALERT 0.000000, __PHISH_SPEAR_SUBJ_PREDICATE 0.000000,
	__RCPT_DOMAIN_NOT_TO 0.000000, __RCVD_FROM_DOMAIN 0.000000,
	__REFERENCES 0.000000, __SANE_MSGID 0.000000, __SCAN_D_NEG 0.000000,
	__SCAN_D_NEG2 0.000000, __SCAN_D_NEG_HEUR 0.000000,
	__SCAN_D_NEG_HEUR2 0.000000, __SINGLE_URI_TEXT 0.000000,
	__SUBJ_ALPHA_END 0.000000, __SUBJ_ALPHA_NEGATE 0.000000,
	__SUBJ_REPLY 0.000000, __TO_MALFORMED_2 0.000000, __TO_NAME 0.000000,
	__TO_NAME_DIFF_FROM_ACC 0.000000, __TO_REAL_NAMES 0.000000,
	__URI_IN_BODY 0.000000, __URI_MAILTO 0.000000, __URI_NOT_IMG 0.000000,
	__URI_NO_PATH 0.000000, __URI_NS 0.000000, __URI_WITHOUT_PATH 0.000000,
	__USER_AGENT 0.000000
X-SASI-Probability: 7%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 5.1.4, AntispamData: 2024.5.19.225420
X-SASI-Hits: BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_ENDS_IN_URL 0.000000,
	BODY_SIZE_1300_1399 0.000000, BODY_SIZE_2000_LESS 0.000000,
	BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_7000_LESS 0.000000,
	CTE_7BIT 0.000000, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000,
	HTML_00_01 0.050000, HTML_00_10 0.050000, IN_REP_TO 0.000000,
	KNOWN_MSGID 0.000000, LEGITIMATE_SIGNS 0.000000, MSG_THREAD 0.000000,
	NO_URI_HTTPS 0.000000, REFERENCES 0.000000, SENDER_NO_AUTH 0.000000,
	SINGLE_URI_IN_BODY 0.000000, SUSP_DH_NEG 0.000000, TO_IN_SUBJECT 0.500000,
	__ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
	__BOUNCE_CHALLENGE_SUBJ 0.000000, __BOUNCE_NDR_SUBJ_EXEMPT 0.000000,
	__CP_URI_IN_BODY 0.000000, __CT 0.000000, __CTE 0.000000,
	__CT_TEXT_PLAIN 0.000000, __DKIM_ALIGNS_1 0.000000, __DKIM_ALIGNS_2 0.000000,
	__DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000, __DQ_NEG_IP 0.000000,
	__FORWARDED_MSG 0.000000, __FRAUD_BADTHINGS 0.000000, __FUR_HEADER 0.000000,
	__HAS_FROM 0.000000, __HAS_MSGID 0.000000, __HAS_REFERENCES 0.000000,
	__HEADER_ORDER_FROM 0.000000, __IN_REP_TO 0.000000, __MAIL_CHAIN 0.000000,
	__MIME_BOUND_CHARSET 0.000000, __MIME_TEXT_ONLY 0.000000,
	__MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_VERSION 0.000000,
	__MOZILLA_MSGID 0.000000, __MOZILLA_USER_AGENT 0.000000,
	__MULTIPLE_RCPTS_TO_X2 0.000000, __NO_HTML_TAG_RAW 0.000000,
	__PHISH_SPEAR_SUBJECT 0.000000, __PHISH_SPEAR_SUBJ_ALERT 0.000000,
	__PHISH_SPEAR_SUBJ_PREDICATE 0.000000, __RCVD_FROM_DOMAIN 0.000000,
	__REFERENCES 0.000000, __SANE_MSGID 0.000000, __SCAN_D_NEG 0.000000,
	__SCAN_D_NEG2 0.000000, __SCAN_D_NEG_HEUR 0.000000,
	__SCAN_D_NEG_HEUR2 0.000000, __SINGLE_URI_TEXT 0.000000,
	__SUBJ_ALPHA_END 0.000000, __SUBJ_ALPHA_NEGATE 0.000000,
	__SUBJ_REPLY 0.000000, __TO_IN_SUBJECT 0.000000, __TO_MALFORMED_2 0.000000,
	__TO_NAME 0.000000, __TO_NAME_DIFF_FROM_ACC 0.000000,
	__TO_REAL_NAMES 0.000000, __URI_IN_BODY 0.000000, __URI_MAILTO 0.000000,
	__URI_NOT_IMG 0.000000, __URI_NO_PATH 0.000000, __URI_NS 0.000000,
	__URI_WITHOUT_PATH 0.000000, __USER_AGENT 0.000000
X-SASI-Probability: 9%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 5.1.4, AntispamData: 2024.5.19.225420
DKIM-Signature: v=1; q=dns/txt; a=rsa-sha256; c=relaxed/relaxed; s=default;
 d=pmoylan.org;
 bh=9tflqxMso3Nkq1FvLt9Do2CdeFe72F5H8p3qb2/sLuk=;
 h=From:To:Date:Message-ID;
 b=Xv/wOprQ5DJrHbLV5nX/CAkqncTx6q6ACZYwX/OPapHC2oR69xPONwUWyNyVU+NCfILXG
 z371rTHbnImdOLcUbD9AMYaT44y0ThOfOgbZoSUqvMGvlkeXEhbixaymc8wfuAg46p99cof
 DMxyxW5iJcxBzkgTvPXnRnfUSWoEYSk=
Received: from [192.168.20.3] (peter.pmoylan.org [192.168.20.3]) by 
 mail.pmoylan.org (Weasel v2.9); Mon, 20 May 2024 09:20:17 +1000
Subject: Re: [eCS-ISP] Bind 9.11.37 issue - ticket #784 - update
To: eCS ISP Mailing List <ecs-isp@2rosenthals.com>,
 Weasel Mailing List <weasel-list@os2voice.org>
References: <list-9676907@2rosenthals.com>
Message-ID: <664A8931.5070201@pmoylan.org>
Date: Mon, 20 May 2024 09:20:17 +1000
User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101
 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <list-9676907@2rosenthals.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

On 17/05/24 15:04, Steven Levine wrote:
> In <list-9676816@2rosenthals.com>, on 05/17/24 at 10:02 AM, "Peter
> Moylan" <ecs-isp@2rosenthals.com> said:
>
> Hi Peter,
>
>> I just used a text editor to modify inetcfg.ini. (It's a plain
>> text file, not an INI file.) Is there anything wrong with doing it
>> that way?
>
> Editing by hand is OK, as long as you don't make a typo.  The file
> format is typical unix style tab separated fields.
>
> You will need to
>
> inetcfg -s all
>
> to activate your changes.  When you reboot this is done by code in
> \tcpip\bin\b4tcp.cmd.

Thanks. I did that last command just now. I had intended to wait for the
reboot, but I didn't get a "server hang" until today. (Couldn't fetch
mail, but luckily I could contact VNC server.) When I did a "netstat -s"
I found a large number of sockets in a CLOSE_WAIT condition, mostly on
port 22. Then I looked at SFTPServer (which uses port 22), and saw that
it was stuck in a "too many users" condition.

So the problem was with SFTPServer, not with Weasel and not with bind.
Not too surprising, since I already knew that I was getting lots of
attacks on SFTPServer, obviously people trying to break in to SSH.

When I killed and restarted SFTPServer, the mail started flowing again.

-- 
Peter Moylan                         http://www.pmoylan.org