Make sure you're rejecting (as in sending a RST) incoming ident (TCP 113),
not silently discarding it?

A very common scenario for outbound mail is that the server you're
connecting to sends an ident query, and waits for a reply. Often, if the
firewall silently discards the query (or even sends an ICMP error which is
filtered en route) the mail server waits for the response so long that your
mail server flags it as a timeout.

This problem is the equivalent of "Q: My toaster won't toast. A: Is it
plugged in?". Your toaster may well be plugged in, but it's the first thing
to check. ;)

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 

> -----Original Message-----
> From: Roy Rapoport [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 15, 2001 9:30 AM
> To: '[EMAIL PROTECTED] '
> Subject: PiX and Mail
> 
> 
> 
> About a week ago, we migrated a big chunk of network from an outdated
> configuration where the mail system was protected by a 3620 with NAT and no
> port-blocking to a PiX 520 running 5.3.[...]
> Mail transmission errors (the ones that get flagged with 'timeout
> waiting for input from <X>') increased in frequency DRAMATICALLY.[...]
> Does this strike a bell? Does anyone have any suggestions for me to try to
> debug this?
> 
> Thanks,
> -roy
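
The reject-versus-discard check suggested in the reply can be made from a host outside the firewall. The script below is an added example, not part of the original thread; `probe`, `classify`, the result labels and the 5-second timeout are assumptions chosen for illustration, and the host to test is whatever public address your mail server sends from.

```python
import errno
import socket
import sys


def classify(exc):
    """Map the result of a TCP connect() to how the far end treated the SYN."""
    if exc is None:
        return "open"              # handshake completed: an ident service answered
    if isinstance(exc, ConnectionRefusedError):
        return "rejected"          # RST came back: the remote MTA's query fails fast
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "dropped"           # silence: the remote MTA is left waiting
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH,
                                                  errno.ENETUNREACH):
        return "icmp-unreachable"  # ICMP error arrived (it may be filtered en route
                                   # on other paths, which then looks like "dropped")
    return "error"


def probe(host, port=113, timeout=5.0):
    """Attempt one TCP connection to the ident port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: identcheck.py <public-address-of-mail-server>")
    result = probe(sys.argv[1])
    print(f"{sys.argv[1]} tcp/113: {result}")
    # "dropped" is the case described in the reply: fix the firewall so it resets.
    sys.exit(0 if result in ("rejected", "open") else 1)
```

A result of `rejected` means the firewall is sending the RST; `dropped` matches the timeout scenario described above.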