Re: [CentOS] Sendmail and pmtu discovery
Sean Carolan wrote:
> We have an issue with some customers who refuse to accept ICMP traffic to their mail servers. It seems that they have put Mordac, preventer of information services in charge of their firewall policy (http://en.wikipedia.org/wiki/List_of_minor_characters_in_Dilbert#Mordac).

BUT ICMP IS BAD!¡

> My mail logs are showing that customers who specifically disallow ICMP traffic have many Connection Reset entries in our logs:
>
> Oct 14 08:00:50 mailsrv sendmail[2024]: m9ED0Yf5002021: to=[EMAIL PROTECTED], delay=00:00:16, xdelay=00:00:16, mailer=esmtp, pri=42476, relay=mail.customer.org. [XX.XX.XX.XX], dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.org.
>
> I have disabled pmtu discovery on our routers as well as on all our outbound mail servers. Is there anything else I can do on our side to help the situation?

So you basically broke your internet connection because of stupid customers? No, there isn't anything you can do on your side - especially if you don't know how large their MTU is set (which you cannot discover, as they forbid you to do so). So you can only hope that you get exactly the same MTU as they have (and that there is nothing in between which has a lower MTU). It is their problem. If they don't want to play by the rules, they should have to sit out the problems they themselves created.

Ralph

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Sendmail and pmtu discovery
On Tue, October 14, 2008 09:31, Kai Schaetzl wrote:
> Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:
>
>> My mail logs are showing that customers who specifically disallow ICMP traffic have many Connection Reset entries in our logs:
>
> Could somebody explain why ICMP might play a role in mail delivery?

ICMP is involved in IP routing, including MTU discovery, announcing failed connections, and so forth. Email is delivered over IP. QED.

--
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
Re: [CentOS] Sendmail and pmtu discovery
On 2008-10-14 16:31, Kai Schaetzl wrote:
> Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:
>
>> My mail logs are showing that customers who specifically disallow ICMP traffic have many Connection Reset entries in our logs:
>
> Could somebody explain why ICMP might play a role in mail delivery?

Any host may reply to an IP-datagram (tcp included) with e.g. ICMP type 3, code 4 datagram too large and indicating the maximum size in the ICMP reply. Disallowing these ICMP packets can result in a TCP handshake that succeeds, but hangs when the next packets with real data are blocked.

http://en.wikipedia.org/wiki/PMTUD

--
Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup,   *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown,   *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
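Added example, not part of the original thread: a Python parser for the ICMP type 3, code 4 message described in the reply above, showing where the next-hop MTU sits in the message (RFC 1191 layout) and which TCP MSS follows from it. The sample packet, its addresses and the names `parse_frag_needed` and `build_sample` are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return PMTU facts from an ICMP 'fragmentation needed' message, else None."""
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    # A valid message sums to zero when its own checksum field is included.
    if (icmp_type, code) != (3, 4) or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                      # offending IPv4 header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    total_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    # Ports are read on the assumption that the rejected datagram carried TCP or UDP.
    _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "dst": socket.inet_ntoa(inner[16:20]),
        "dport": dport,
        "df_set": bool(flags_frag & 0x4000),
        "rejected_len": total_len,
        "next_hop_mtu": next_hop_mtu,     # 0 from routers that predate RFC 1191
        # Largest TCP payload that fits: MTU - 20 (IPv4) - 20 (TCP, no options).
        "tcp_mss": next_hop_mtu - 40 if next_hop_mtu else None,
    }

def build_sample(mtu: int) -> bytes:
    """Constructed packet: a 1500-byte DF segment to 192.0.2.25:25 was rejected."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("198.51.100.10"), socket.inet_aton("192.0.2.25"))
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + struct.pack("!HHI", 40000, 25, 1)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    print(parse_frag_needed(build_sample(1400)))
```

If a firewall drops this message, the sender never learns the `next_hop_mtu` value and keeps retransmitting the oversized DF segment.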
Re: [CentOS] Sendmail and pmtu discovery
Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:
> If you don't know the smallest MTU on the path to the mail server, you might not be able to send packets over that path, especially if DF is set.

But if it's not set? Shouldn't most devices have it not set?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [CentOS] Sendmail and pmtu discovery
Kai Schaetzl wrote:
> Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:
>
>> If you don't know the smallest MTU on the path to the mail server, you might not be able to send packets over that path, especially if DF is set.
>
> But if it's not set? Shouldn't most devices have it not set?

Routers should fragment as needed and the receiving stack will reassemble. Windows tends to set DF on a lot of packets unnecessarily.

--
Les Mikesell
[EMAIL PROTECTED]
Re: [CentOS] Sendmail and pmtu discovery
Kai Schaetzl wrote:
> Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:
>
>> My mail logs are showing that customers who specifically disallow ICMP traffic have many Connection Reset entries in our logs:
>
> Could somebody explain why ICMP might play a role in mail delivery?

It doesn't really. If the OP had PMTU discovery turned on it would affect most all communications not just email. I can't ever remember having it on for external networks, there's never been a need in my case.

It's just likely that the only communications between the OP's systems and the other side was email.

nate
Re: [CentOS] Sendmail and pmtu discovery
On Tue, October 14, 2008 12:31, Kai Schaetzl wrote:
> Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:
>
>> If you don't know the smallest MTU on the path to the mail server, you might not be able to send packets over that path, especially if DF is set.
>
> But if it's not set? Shouldn't most devices have it not set?

Yes, most devices should fragment if necessary (DF not set).

Most devices should also pass/accept ICMP messages relating to their connections. Deliberately configuring them not to is asking for trouble; those messages are part of the protocol for a reason.

(Fragmentation introduces more work and effectively many more lost packets in most setups, so the flow will be jumpy and less efficient even if it mostly works.)

--
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
Re: [CentOS] Sendmail and pmtu discovery
Kai Schaetzl wrote:
> Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:
>
>> If you don't know the smallest MTU on the path to the mail server, you might not be able to send packets over that path, especially if DF is set.
>
> But if it's not set? Shouldn't most devices have it not set?

Fragmentation is bad. That's why you do PMTUD - to see which is the lowest MTU in the path. You then set your packet sizes accordingly and set the DF bit. If the lowest MTU in the path changes to an even lower one you get an error and can continue with smaller packet sizes.

If you disallow PMTUD - well, you're asking for trouble :)

http://www.znep.com/~marcs/mtu/ has a rather good discussion about that.

Ralph
Re: [CentOS] Sendmail and pmtu discovery
Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:
> My mail logs are showing that customers who specifically disallow ICMP traffic have many Connection Reset entries in our logs:

Could somebody explain why ICMP might play a role in mail delivery?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [CentOS] Sendmail and pmtu discovery
Sean Carolan wrote:
> We have an issue with some customers who refuse to accept ICMP traffic to their mail servers. It seems that they have put Mordac, preventer of information services in charge of their firewall policy (http://en.wikipedia.org/wiki/List_of_minor_characters_in_Dilbert#Mordac).
>
> My mail logs are showing that customers who specifically disallow ICMP traffic have many Connection Reset entries in our logs:
>
> Oct 14 08:00:50 mailsrv sendmail[2024]: m9ED0Yf5002021: to=[EMAIL PROTECTED], delay=00:00:16, xdelay=00:00:16, mailer=esmtp, pri=42476, relay=mail.customer.org. [XX.XX.XX.XX], dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.org.
>
> I have disabled pmtu discovery on our routers as well as on all our outbound mail servers. Is there anything else I can do on our side to help the situation?

Consider setting a small MTU (or MSS, ) for the borked networks instead of changing your setup globally. Something like

    ip route add 192.0.2.0/24 via 10.0.0.1 mtu 1000
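Added example, not part of the original thread: one way to find which relays would need the per-destination route suggested above, by tallying `Deferred: Connection reset` entries per relay in sendmail logs of the format quoted in the thread. The log lines, hostnames and addresses are constructed, `reset_relays` and `route_hints` are illustrative names, and the gateway and MTU passed to `route_hints` are assumptions to replace with local values.

```python
import re
from collections import defaultdict

# Constructed log lines in the format quoted in the thread; hosts and
# addresses are placeholders from the documentation ranges.
SAMPLE_LOG = """\
Oct 14 08:00:50 mailsrv sendmail[2024]: m9ED0Yf5002021: to=<a@customer.example>, delay=00:00:16, xdelay=00:00:16, mailer=esmtp, pri=42476, relay=mail.customer.example. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.example.
Oct 14 08:05:12 mailsrv sendmail[2031]: m9ED0Yf5002022: to=<b@customer.example>, delay=00:00:17, xdelay=00:00:17, mailer=esmtp, pri=52110, relay=mail.customer.example. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.example.
Oct 14 08:09:40 mailsrv sendmail[2040]: m9ED0Yf5002023: to=<c@partner.example>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30412, relay=mx.partner.example. [198.51.100.7], dsn=2.0.0, stat=Sent (ok queued)
Oct 14 08:12:03 mailsrv sendmail[2044]: m9ED0Yf5002024: to=<d@other.example>, delay=00:00:15, xdelay=00:00:15, mailer=esmtp, pri=61200, relay=mx.other.example. [203.0.113.9], dsn=4.0.0, stat=Deferred: Connection reset by mx.other.example.
Oct 14 08:14:55 mailsrv sendmail[2051]: m9ED0Yf5002025: to=<e@other.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30100, relay=mx.other.example. [203.0.113.9], dsn=2.0.0, stat=Sent (ok queued)
Oct 14 08:20:31 mailsrv sendmail[2060]: m9ED0Yf5002021: to=<a@customer.example>, delay=00:19:57, xdelay=00:00:16, mailer=esmtp, pri=132476, relay=mail.customer.example. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.example.
"""

LINE_RE = re.compile(
    r"relay=(?P<host>\S+?)\.? \[(?P<ip>[0-9.]+)\], dsn=\S+, stat=(?P<stat>.*)$")

def reset_relays(log_text, min_resets=2):
    """Return [(ip, host, resets, attempts)] for relays that repeatedly reset."""
    stats = defaultdict(lambda: [None, 0, 0])     # ip -> [host, resets, attempts]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                              # not a delivery-attempt line
        entry = stats[m["ip"]]
        entry[0] = m["host"]
        entry[2] += 1
        if m["stat"].startswith("Deferred: Connection reset"):
            entry[1] += 1
    hits = [(ip, h, r, a) for ip, (h, r, a) in stats.items() if r >= min_resets]
    return sorted(hits, key=lambda t: -t[2])

def route_hints(hits, gateway, mtu):
    """Render per-host routes in the style of the reply above (text only, not run)."""
    return [f"ip route add {ip}/32 via {gateway} mtu {mtu}" for ip, *_ in hits]

if __name__ == "__main__":
    for cmd in route_hints(reset_relays(SAMPLE_LOG), "10.0.0.1", 1000):
        print(cmd)
```

A relay that also shows successful deliveries, like the second constructed host, stays below the default threshold and is left on the normal route.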
Re: [CentOS] Sendmail and pmtu discovery
Kai Schaetzl wrote:
> Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:
>
>> My mail logs are showing that customers who specifically disallow ICMP traffic have many Connection Reset entries in our logs:
>
> Could somebody explain why ICMP might play a role in mail delivery?

If you don't know the smallest MTU on the path to the mail server, you might not be able to send packets over that path, especially if DF is set.

Ralph
Re: [CentOS] Sendmail and pmtu discovery
Kai Schaetzl wrote:
> Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:
>
>> If you don't know the smallest MTU on the path to the mail server, you might not be able to send packets over that path, especially if DF is set.
>
> But if it's not set? Shouldn't most devices have it not set?

It's not per device. It's a method to improve performance.

http://www.znep.com/~marcs/mtu/