GWIA runs a few seconds, stops

wfooshee

Vendor
Jan 28, 2003
48
US
Customer has an ancient GroupWise 6.0.1 setup, so I don't know how much help to expect. They actually only have two addresses in use for public email, all other GW activity is strictly in-office, and only 6 users at that.

When the GWIA starts, it lists 30 or 40 messages as "recipient unknown" and seems to stop listening. The recipients listed are indeed unknown, they are completely fictitious, names like herbalistvj68, hogsheads74, sedimentaryk2, personifying0, as examples. These names are shown with @xxxxx.com where the xxxxx is our correct domain, and they repeat over and over, so they are being sent here for some reason. I cannot tell where they're coming from, no incoming connections are being logged.

For troubleshooting I redirected SMTP to a Windows machine and captured SMTP traffic at that machine, and even though no mail server was running I could see incoming traffic, and there is no single address or group that stands out as a source, although there are numerous addresses that resolve overseas, China, Japan, etc.

I then put the router back to the GWIA server, then ran mxtoolbox.com's diagnostics. That passes easily, if it's run within the first 30 seconds or so of starting GWIA. After that it cannot contact my server.

I've tried turning on mailbomb protection, and enabling "reject mail if sender's identity cannot be verified." Neither setting made a difference, although mxtoolbox did see the identity verification.

I'm not seeing relay attempts ("will not relay" messages in the log) except the relay test from mxtoolbox. This doesn't look like a spammer trying to use my server, it looks like a deliberate DOS against my server, but I can't see from where.

Customer has a very poor security infrastructure, a plain NAT router as the Internet gateway, and I'm about ready to tell the customer to abandon GroupWise for incoming mail since they only use the two boxes anyway. Get some POP3 accounts and be done with it.

Still, I thought I'd ask and see if anybody sees something obvious to try that I didn't think of.
 
I would shut down the MTA and the GWIA and then rename the following directories.

\domain\wpgate\gwia\wpcsout & wpcsin and also the gwia\send & receive. Also MOVE any files in the gwia\defer folder to another location to take deferred messages out of the picture

Then restart the MTA followed by the GWIA.
 
Then, I would just wipe all the folders at GWIA and below and do a reinstall of the GWIA. Then install the latest SP and other patches.

All the important settings are in ConsoleOne. But you can keep a copy of the deleted GWIA folder somewhere for safe keeping.
 
Getting rid of GroupWise will not fix your Spam problem. That's because you have a spam problem that would exist with any mail system. You need an anti-spam appliance in front of your GWIA to filter out the spam.

The random names are basically BOTS that are probably trying to force feed thousands of messages to your gwia throughout the day. The idea is that one or two will be valid and get through. That's just life, everybody deals with it, but most people don't see it on their GWIA cause their spam appliance gets it first.

That said, goombawaho is most likely right in implying that you have LOTS of messages queued up in your GWIA that are not being delivered, and for whatever reason, these are probably causing your system to hang... more like a DoS but not to the same extent as what you'd normally classify as a DoS.

Clearing out those folders should eliminate any messages that are STUCK, but won't help any that are still being sent to you.

You already said the customer has a poor security infrastructure. Discuss with customer, they need to put some money into it. Get an Astaro appliance or something. Or M+ Guardian. Or Barracuda. It doesn't matter. Having something will solve most of these problems. Just like ALL email systems, GroupWise is an email system, not an anti-spam system.

Marvin

Marvin Huffaker, MCNE
Marvin Huffaker Consulting, Inc.
A Novell Platinum Partner
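
The pattern discussed above (random local parts at the real domain, repeated, with no single dominant source) can be measured from captured SMTP traffic. The following is an added example, not part of any post in this thread: the "source IP + SMTP command" line format, the documentation-range IPs, `example.com` and the two valid mailbox names are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: "<source IP> <SMTP command>" lines, as could be
# extracted from a port-25 packet capture. Not real traffic.
SAMPLE = """\
203.0.113.7 RCPT TO:<herbalistvj68@example.com>
198.51.100.22 RCPT TO:<hogsheads74@example.com>
192.0.2.91 RCPT TO:<sedimentaryk2@example.com>
203.0.113.7 RCPT TO:<personifying0@example.com>
198.51.100.40 RCPT TO:<herbalistvj68@example.com>
192.0.2.15 RCPT TO:<Sales@Example.com>
192.0.2.91 RCPT TO:<hogsheads74@example.com>
192.0.2.15 MAIL FROM:<someone@example.net>
"""

RCPT = re.compile(r"^(\S+)\s+RCPT TO:\s*<([^<>@\s]+)@([^<>\s]+)>", re.I)

def summarize(lines, domain, valid_localparts):
    """Tally RCPT TO attempts for `domain`, split into known/unknown mailboxes."""
    valid = {v.lower() for v in valid_localparts}
    unknown_by_source = Counter()   # source IP -> unknown-recipient attempts
    unknown_names = Counter()       # local part -> number of times tried
    known = 0
    for line in lines:
        m = RCPT.match(line.strip())
        if not m or m.group(3).lower() != domain.lower():
            continue                # not a RCPT TO for our domain
        src, local = m.group(1), m.group(2).lower()
        if local in valid:
            known += 1
        else:
            unknown_by_source[src] += 1
            unknown_names[local] += 1
    unknown = sum(unknown_by_source.values())
    total = known + unknown
    return {
        "total": total,
        "unknown_ratio": unknown / total if total else 0.0,
        "sources": len(unknown_by_source),
        # Share of unknown-recipient attempts from the busiest single source;
        # a low value means the traffic is spread across many senders.
        "top_source_share": max(unknown_by_source.values()) / unknown if unknown else 0.0,
        "repeated_names": sorted(n for n, c in unknown_names.items() if c > 1),
    }

if __name__ == "__main__":
    # "sales" and "info" are hypothetical stand-ins for the two real mailboxes.
    print(summarize(SAMPLE.splitlines(), "example.com", {"sales", "info"}))
```

A high `unknown_ratio` together with a low `top_source_share` is the distributed case, where blocking individual source addresses at the router will not help and filtering in front of the gateway is the practical control.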
 
Exactly what I'm already thinking. I renamed the existing folders and started GWIA back up, the traffic was immediate. These things aren't sitting on the server waiting to be delivered (unless the queue folders are not where they should be!), they're arriving now. During the first minute or so the server responds to incoming requests (I can send messages from my office) but before too long it stops answering.

User is not interested in spending money to protect 2 occasional users, especially when those 2 both also have commercial POP3 accounts. I've recommended he abandon GroupWise for Internet mail. As I said before, the Post Office works fine for in-office mail.