I believe it's not good to just drop the auth (ident) requests -- IIRC it makes mail clients delay.

So the question is how should they be rejected?

    reject-with icmp-port-unreachable
or
    reject-with tcp-reset

Of course, I don't have any good reasons not to just allow the auth requests. Most will be for mail that's generated from behind a NAT and sent to the NAT/Firewall machine which runs exim as a smarthost, so the connections will belong to whatever exim is running as.

I never thought about this, but do auth requests to ports that are forwarded by a NAT machine get forwarded? I suspect not.

BTW -- is there a utility to manually send an auth request? That would help with testing the rules.

Thanks,

--
Bill Moseley
[EMAIL PROTECTED]
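On the closing question about sending an auth request by hand, an added example that is not part of the original post: a minimal RFC 1413 (ident) client in Python that sends one query and reports whether the connection was refused, timed out, or answered. The function names and the port pair in the main guard are illustrative assumptions.

```python
import socket

IDENT_PORT = 113  # the "auth" service, RFC 1413

def build_query(port_on_server: int, port_on_client: int) -> bytes:
    """Name one TCP connection: the port on the host running identd first,
    then the port on the host that is asking."""
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{port_on_server} , {port_on_client}\r\n".encode("ascii")

def parse_reply(line: bytes) -> dict:
    """Split a reply line into fields. The user id may itself contain ':',
    so split at most three times; whitespace is trimmed for display."""
    text = line.decode("ascii", "replace").strip()
    parts = [p.strip() for p in text.split(":", 3)]
    if len(parts) < 3 or parts[1] not in ("USERID", "ERROR"):
        raise ValueError(f"malformed ident reply: {text!r}")
    ports = [int(p) for p in parts[0].split(",")]
    if parts[1] == "ERROR":
        return {"ports": ports, "type": "ERROR", "error": parts[2]}
    if len(parts) != 4:
        raise ValueError(f"USERID reply without a user id: {text!r}")
    return {"ports": ports, "type": "USERID", "opsys": parts[2], "user": parts[3]}

def probe(host, port_on_server, port_on_client, port=IDENT_PORT, timeout=5.0):
    """Send one query and report how the far end (or its firewall) answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_query(port_on_server, port_on_client))
            data = s.makefile("rb").readline()
    except ConnectionRefusedError:
        return "refused", None    # actively rejected, or nothing listening
    except (socket.timeout, TimeoutError):
        return "timeout", None    # no answer at all, as with a DROP rule
    except OSError as exc:
        return "error", str(exc)  # e.g. host or network unreachable
    if not data:
        return "closed", None     # accepted, then closed without a reply
    try:
        return "reply", parse_reply(data)
    except ValueError as exc:
        return "error", str(exc)

if __name__ == "__main__":
    # Constructed sample: ask localhost about a connection from its port
    # 40000 to port 25 here. Replace with a real port pair when testing.
    print(probe("127.0.0.1", 40000, 25))
```

Run from a host outside the firewall, the first element of the result shows how the rule under test looks to a remote mail server, and the elapsed time before it returns shows the delay that server would see.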

