On Sat, Sep 13, 2003 at 12:32:55PM -0400, yo _ wrote:

> I manage a general mail server for my organization and recently I have been 
> receiving complaints that not all their messages are being sent. A quick 
> check of the maillog and I noticed that many of the mail servers of the 
> receivers are getting "Operation timed out" responses. I manually checked 
> connecting to these servers using telnet to see if it was just my MTA, but 
> to my surprise telnet was unable to connect as well!
> At home I tried connecting to these servers via telnet on port 25 as well, 
> and it worked with ease. Then immediately I ssh'ed to our remote mail server 
> and telnet'ed to these "operation timed out" mail servers on port 25 and 
> still the same thing. Now this shocked me: how could I be easily connecting to 
> the mail servers from home, and from the location of our mail server, not 
> be able to? It connects to other mail servers; there are just a few that do 
> not work, including:
> smtp1.dadeschools.net
> mail1.dadeschools.net
> oitmail.dade.k12.fl.us
> sbabmail.dade.k12.fl.us
> 7841exch2.tecmiami.com
> It's not a DNS problem as the DNS resolves the same IP address from home 
> and where the server resides. I'm not sure if it is solely our mail server 
> or it is all the computers on our LAN that are unable to connect; I will 
> have to examine this when I get there sometime this week. The mail server 
> is connected directly to the internet and is assigned a public IP address 
> (it is not behind a router or firewall, nor are packets forwarded to it 
> through NAT). The host address of our mail server is mail.e-equality.org.
> Does anyone know the nature of this problem or how to solve it? Could it be 
> faulty design of the network route from our mail server to theirs? Or maybe 
> our TTL settings on the packets are too small.

This could be a problem due to timeouts with the ident protocol, also
known as auth, which uses port 113.  Most mailservers will try and do
an ident check on you when you connect to them.  If your firewall just
drops the incoming connection, then the server at the other end will
just have to wait out the timeout period.  While ident is meant to be
a security measure, it's practically worthless as it's too easy to lie
to, and if you don't lie, then it's a leak of what should be private

To prevent your sendmail server making ident requests, include:

    define(`confTO_IDENT', `0')dnl

in your /etc/mail/`hostname`.mc file.

If you aren't going to run an ident server, then you should reject
ident protocol packets at your firewall.  With ipfw(8), that's
something like:

    add 1234 reset tcp from any to ${oip} 113 setup in recv ${oif}

Nb. 'reset' will return an ICMP port unreachable message, rather than
just dropping the packet.

If you do decide to run an ident server, then you should add
'inetd_enable="YES"' to /etc/rc.conf and edit /etc/inetd.conf to
enable one of the auth variants -- there's not much reason to run
anything other than the ident server built into inetd.  If you're
behind a NAT gateway, then you can run the ident server on the NAT
gateway, but you'll have to run one of the variants that refuses to
return any information.

Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
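The two sides of the ident issue in the reply above, as an added example that is not part of the original thread: a probe that distinguishes an immediate refusal (what the ipfw 'reset' rule produces on port 113) from a silently dropped connection (the case that leaves a remote MTA waiting), and the request handling of a minimal RFC 1413 ident responder that always answers HIDDEN-USER, i.e. the "refuses to return any information" variant. Function names are mine; the probe is meant to be run from a third host against your own mail server's port 113.

```python
import socket

# Added example, not the thread's own code: a port-state probe and the reply
# logic of a minimal RFC 1413 ident responder that never names a user.

def probe_tcp(host, port, timeout=3.0):
    """'open', 'closed' (immediate RST, what ipfw 'reset' gives) or
    'filtered' (silently dropped; this is what leaves a remote MTA waiting)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()

def ident_reply(request_line):
    """RFC 1413 reply for '<server-port> , <client-port>': always HIDDEN-USER,
    so a valid query gets a fast answer but no account name."""
    parts = request_line.strip().split(",")
    try:
        sport, cport = (int(p) for p in parts)
    except ValueError:  # wrong field count or non-numeric port
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT\r\n"
    return f"{sport} , {cport} : ERROR : HIDDEN-USER\r\n"

def handle_ident_client(conn):
    """Serve one ident connection: read one request line (RFC 1413 caps it at
    1000 bytes), answer, close.  Returns the reply sent, or None on error."""
    conn.settimeout(10.0)
    data = b""
    try:
        while b"\n" not in data and len(data) < 1000:
            chunk = conn.recv(256)
            if not chunk:
                break
            data += chunk
        reply = ident_reply(data.decode("ascii", "replace"))
        conn.sendall(reply.encode("ascii"))
        return reply
    except OSError:
        return None
    finally:
        conn.close()
```

To serve ident with this, accept connections on port 113 and hand each accepted socket to handle_ident_client; a remote MTA then gets its answer in one round trip instead of waiting out a timeout.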
