[Remops] Attn Paranoia: Consistently poor stats for paranoia remailer

Grant Taylor gtaylor at tnetconsulting.net
Sun Oct 11 00:38:31 BST 2020


+100

On 10/10/20 4:46 PM, SEC3 wrote:
> Hello Paranoia Admin!
> 
> Your paranoia mixmaster remailer is not performing well lately. 
> Its UPTIME stays steady at 93% - 96%. This seems to be the result at 
> all the active pingers. With the exception of your own pinger.
> 
> I see consistently poor performance at your YAMN remailer too.
> 
> It may be related or not. But I am seeing dozens of bounce 
> messages every day at my remailers (remailer at slugish.net and 
> mixmaster at cloaked.pw). See below:

I believe this is very much so related.

In short, email to both of Paranoia's remailers, YAMN and Mixmaster, is 
being rejected by Paranoia's* configured email servers.

As such, at least some of the messages to Paranoia's remailers are being 
thrown away.

> ______________________________
> 
> <mixmaster at remailer.paranoici.org>: host mx1.investici.org[212.103.72.250]
>      said: 554 5.7.1 <mixmaster at remailer.paranoici.org>: Relay access denied (in
>      reply to RCPT TO command)

"Relay access denied" is the crux of the issue.

> [-- Attachment #2: Delivery report --]
> [-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]
> 
> Reporting-MTA: dns; esnake.cloaked.pw
> X-Postfix-Queue-ID: 6FAD940115
> X-Postfix-Sender: rfc822; mixmaster at cloaked.pw
> Arrival-Date: Thu,  8 Oct 2020 14:51:49 -0400 (EDT)
> 
> Final-Recipient: rfc822; mixmaster at remailer.paranoici.org
> Original-Recipient: rfc822;mixmaster at remailer.paranoici.org
> Action: failed
> Status: 5.7.1
> Remote-MTA: dns; mx1.investici.org

mx1.investici.org is saying ...

> Diagnostic-Code: smtp; 554 5.7.1 <mixmaster at remailer.paranoici.org>: Relay
>      access denied

...that it is not willing to relay email for remailer.paranoici.org.

In other very similar messages it's saying the same thing for 
yamn.paranoici.org.

So, what does mx1.investici.org have to do with 
{remailer,yamn}.paranoici.org?

    % dig +short mx remailer.paranoici.org | sort
    10 remailer.paranoici.org.
    50 mx1.investici.org.
    % dig +short mx yamn.paranoici.org | sort
    10 remailer.paranoici.org.
    50 mx1.investici.org.

mx1.investici.org is configured as a backup MX for 
{remailer,yamn}.paranoici.org.

The root of the problem is that mx1.investici.org is refusing to relay 
email for {remailer,yamn}.paranoici.org.

I don't know if this is a DNS error (stale MX records) or a 
configuration issue on mx1.investici.org.  But either way, it's causing 
email to both Paranoia remailers to be lost.

It looks like there is a transient communications error with the primary 
MX, remailer.paranoici.org, that causes MTAs to fall back to the backup 
MX, mx1.investici.org.

Here are two convenient logs of this on tncmm.

    % egrep "(098H9FgD001532|098LDdVa016116)" /var/log/mail.log.1 | fgrep sm-mta | fgrep -v Milter | grep "to=<" | nl
         1  Oct  8 12:10:04 tncsrv06 sm-mta[1628]: 098H9FgD001532: to=<mixmaster at remailer.paranoici.org>, ctladdr=<mixmaster at tnetconsulting.net> (124/134), delay=00:00:46, xdelay=00:00:45, mailer=esmtp, pri=148193, relay=remailer.paranoici.org. [88.80.28.20], dsn=4.4.2, stat=Deferred: 421 4.4.2 remailer.paranoici.org Error: timeout exceeded
         2  Oct  8 12:10:05 tncsrv06 sm-mta[1628]: 098H9FgD001532: to=<mixmaster at remailer.paranoici.org>, ctladdr=<mixmaster at tnetconsulting.net> (124/134), delay=00:00:47, xdelay=00:00:46, mailer=esmtp, pri=148193, relay=mx1.investici.org. [IPv6:2a00:c38:11e:ffff:0:0:0:a020], dsn=5.7.1, stat=Service unavailable
         3  Oct  8 16:19:08 tncsrv06 sm-mta[16138]: 098LDdVa016116: to=<mixmaster at remailer.paranoici.org>, ctladdr=<mixmaster at tnetconsulting.net> (124/134), delay=00:05:29, xdelay=00:05:28, mailer=esmtp, pri=148193, relay=remailer.paranoici.org. [88.80.28.20], dsn=4.4.2, stat=Deferred: 421 4.4.2 remailer.paranoici.org Error: timeout exceeded
         4  Oct  8 16:19:09 tncsrv06 sm-mta[16138]: 098LDdVa016116: to=<mixmaster at remailer.paranoici.org>, ctladdr=<mixmaster at tnetconsulting.net> (124/134), delay=00:05:30, xdelay=00:05:29, mailer=esmtp, pri=148193, relay=mx1.investici.org. [IPv6:2a00:c38:11e:ffff:0:0:0:a020], dsn=5.7.1, stat=Service unavailable

Notice how both times tncmm tried to contact remailer.paranoici.org but 
got an error, timeout exceeded, before falling back to 
mx1.investici.org, which flat refused to accept the message.

This causes standard MTAs to send a bounce message.

This is why some messages from the Paranoia remailers are being lost.

> ______________________________________________
> 
> I hope this is useful information.

I believe this is good information.



-- 
Grant. . . .
unix || die
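
The pattern in the log excerpt above (the primary MX defers with a 4.x.x status, then the backup MX refuses with a 5.x.x status, so the message bounces instead of being retried) can be searched for across a whole mail log. The following is an added example, not part of the original message: the log lines, hostnames and queue IDs are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sendmail-style log lines (hosts, addresses and queue IDs are made up).
SAMPLE_LOG = """\
Oct  8 12:10:04 mta1 sm-mta[1628]: 098AAAAA000001: to=<mix@remailer.example.org>, delay=00:00:46, mailer=esmtp, relay=remailer.example.org. [192.0.2.20], dsn=4.4.2, stat=Deferred: 421 4.4.2 remailer.example.org Error: timeout exceeded
Oct  8 12:10:05 mta1 sm-mta[1628]: 098AAAAA000001: to=<mix@remailer.example.org>, delay=00:00:47, mailer=esmtp, relay=mx-backup.example.net. [IPv6:2001:db8::a020], dsn=5.7.1, stat=Service unavailable
Oct  8 13:00:00 mta1 sm-mta[1700]: 098BBBBB000002: to=<mix@remailer.example.org>, delay=00:00:02, mailer=esmtp, relay=remailer.example.org. [192.0.2.20], dsn=2.0.0, stat=Sent (ok)
Oct  8 14:00:00 mta1 sm-mta[1800]: 098CCCCC000003: to=<mix@remailer.example.org>, delay=00:00:40, mailer=esmtp, relay=remailer.example.org. [192.0.2.20], dsn=4.4.2, stat=Deferred: 421 4.4.2 remailer.example.org Error: timeout exceeded
"""

# Pull queue ID, recipient, relay host (without trailing dot) and DSN code
# out of one sm-mta delivery-attempt line.
LINE_RE = re.compile(
    r"sm-mta\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>,"
    r".*?relay=(?P<relay>[^\s,]+?)\.? \[.*?dsn=(?P<dsn>\d\.\d+\.\d+)"
)


def find_backup_mx_rejections(log_text):
    """Return (queue_id, rcpt, deferring_relay, rejecting_relay, dsn) tuples for
    messages that one relay deferred (4.x.x) and a different relay then
    permanently refused (5.x.x)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[(m["qid"], m["rcpt"])].append((m["relay"], m["dsn"]))

    findings = []
    for (qid, rcpt), tries in attempts.items():
        deferred_by = None
        for relay, dsn in tries:  # attempts are in log order
            if dsn.startswith("4."):
                deferred_by = relay
            elif dsn.startswith("5.") and deferred_by and relay != deferred_by:
                findings.append((qid, rcpt, deferred_by, relay, dsn))
    return findings


if __name__ == "__main__":
    for qid, rcpt, primary, backup, dsn in find_backup_mx_rejections(SAMPLE_LOG):
        print(f"{qid}: {rcpt} deferred by {primary}, then refused by {backup} ({dsn})")
```

A message that is only deferred (the third queue ID in the sample) is not reported, because the sending MTA will still retry it.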
