The issue is not the specific MTU value, but rather blocking of the ICMP messages that signal the need to reduce the MTU.
That thought occurred to me, too. So, I tried these statements at the top of my ruleset, and that didn't make any difference:
pass in quick on tun0 proto icmp from any to any
pass out quick on tun0 proto icmp from any to any
My next thought was that perhaps the ICMP message announcing a MUST FRAGMENT segment was being blocked upstream. But, if that was the case, then the messages shouldn't have gone through when I dropped ipfilter, either, since the upstream network conditions wouldn't have changed.
If you want to lower the MTU, reduce it on the Postfix server, not the firewall (that merely compounds the problem). It is also possible that
In this case, the firewall and the postfix server are one and the same.
For those interested in the ruleset I use:
tun0 - DSL tunnel
xl0 and dc0 - internal interfaces
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ipf.conf
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# drop runt fragments and packets carrying IP options; answer ident (113) probes with a RST
block in quick all with short
block in quick all with ipopts
block return-rst in quick proto tcp from any to 0/32 port = 113 flags S/SA
# the rules added for the MTU test: all ICMP in and out on the DSL link
pass in quick on tun0 proto icmp from any to any
pass out quick on tun0 proto icmp from any to any
pass in quick on tun0 proto tcp from any to any port = 17325 flags S/SA keep state keep frags
pass in quick on tun0 proto udp from any to any port = 22717
pass out quick on tun0 proto udp from any port = 22717 to any
# outbound on tun0: group 16 keeps NetBIOS (137-139) and AppleTalk-over-IP (201-206) off the DSL link
block out on tun0 all head 16
block out quick on tun0 proto tcp from any to any port = 137 group 16
block out quick on tun0 proto tcp from any to any port = 138 group 16
block out quick on tun0 proto tcp from any to any port = 139 group 16
block out quick on tun0 proto udp from any to any port = 137 group 16
block out quick on tun0 proto udp from any to any port = 138 group 16
block out quick on tun0 proto udp from any to any port = 139 group 16
block out quick on tun0 proto tcp from any to any port = 201 group 16
block out quick on tun0 proto tcp from any to any port = 202 group 16
block out quick on tun0 proto tcp from any to any port = 204 group 16
block out quick on tun0 proto tcp from any to any port = 206 group 16
block out quick on tun0 proto udp from any to any port = 201 group 16
block out quick on tun0 proto udp from any to any port = 202 group 16
block out quick on tun0 proto udp from any to any port = 204 group 16
block out quick on tun0 proto udp from any to any port = 206 group 16
block in log on tun0
# NetBIOS is not accepted from the outside either
block in quick on tun0 proto tcp/udp from any to any port = 137
block in quick on tun0 proto tcp/udp from any to any port = 138
block in quick on tun0 proto tcp/udp from any to any port = 139
# everything else leaving on tun0 is allowed, with state so the replies get back in
pass out quick on tun0 proto icmp from 0/32 to any keep state keep frags
pass out on tun0 proto tcp/udp from any to any keep state keep frags
pass in quick on xl0 proto tcp/udp from xxx.xxx.xxx.0/24 to any keep state keep frags
pass in quick on xl0 proto icmp from xxx.xxx.xxx.0/24 to any keep state keep frags
block out on xl0 all head 55
pass out quick on xl0 proto tcp/udp from xxx.xxx.xxx.1/32 to xxx.xxx.xxx.0/24 keep state group 55
pass out quick on xl0 proto icmp from xxx.xxx.xxx.1/32 to xxx.xxx.xxx.0/24 keep state group 55
pass in quick on dc0 proto tcp from any to yyy.yyy.yyy.1/32 port = 1776 flags S/SA keep state keep frags
block in on dc0 all head 117
pass in quick on dc0 proto udp from any port = 68 to any port = 67 group 117
pass in quick on dc0 proto udp from any port = 500 to any port = 500 group 117
pass in quick on dc0 proto esp from any to any group 117
pass in quick on dc0 proto udp from yyy.yyy.yyy.2/32 to yyy.yyy.yyy.1/32 port = 53 group 117
block in log on dc0
block out on dc0 all head 118
pass out quick on dc0 proto udp from any port = 67 to any port = 68 group 118
pass out quick on dc0 proto udp from any port = 500 to any port = 500 group 118
pass out quick on dc0 proto esp from any to any group 118
pass out quick on dc0 proto udp from yyy.yyy.yyy.1/32 port = 53 to yyy.yyy.yyy.2/32 group 118
pass out quick on dc0 proto tcp/udp from yyy.yyy.yyy.1/32 to any keep state keep frags
pass out quick on dc0 proto icmp from yyy.yyy.yyy.1/32 to any keep state keep frags
block out log on dc0
pass in quick on lo0
pass out quick on lo0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ipnat.conf
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# web hits on xl0 aimed at this host go to the local server; any other port 80 traffic
# arriving on xl0 is transparently redirected to the proxy on 3128
rdr xl0 from 0.0.0.0/0 to xxx.xxx.xxx.1/32 port = 80 -> 127.0.0.1 port 80
rdr xl0 0.0.0.0/0 port 80 -> xxx.xxx.xxx.1 port 3128
# the xl0 network is hidden behind the dc0 address when it talks to the dc0 side
map dc0 xxx.xxx.xxx.0/24 -> yyy.yyy.yyy.1/32
# both internal networks are NATed out the DSL link, with the FTP proxy and a fixed port range
map tun0 xxx.xxx.xxx.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 xxx.xxx.xxx.0/24 -> 0/32 portmap tcp/udp 10000:20000
map tun0 xxx.xxx.xxx.0/24 -> 0/32
map tun0 yyy.yyy.yyy.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 yyy.yyy.yyy.0/24 -> 0/32 portmap tcp/udp 10000:20000
map tun0 yyy.yyy.yyy.0/24 -> 0/32
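The ICMP message this thread is arguing about is Destination Unreachable (type 3) with code 4, "fragmentation needed and DF set": its second 32-bit word carries the next-hop MTU (RFC 1191), followed by the IP header and first 8 bytes of the packet that could not be forwarded. The following is an added example, not code from any of the posts above. It builds one such message for a constructed flow (a 1500-byte DF SMTP segment from 192.0.2.1:40123 to 198.51.100.25:25 hitting a 1492-byte link, the usual PPPoE DSL figure; the addresses, ports and MTU are all made-up sample values), then parses and checksum-verifies it the way a host's path MTU discovery would before lowering the MTU it uses toward that destination.

```python
import ipaddress
import struct

# ICMP type/code for "fragmentation needed and DF set" (RFC 792); the second
# 32-bit word of the message carries the next-hop MTU (RFC 1191).
ICMP_DEST_UNREACH = 3
CODE_FRAG_NEEDED = 4


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    # DF set is what makes a router answer with frag-needed instead of fragmenting.
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(orig_ip_header: bytes, orig_l4_first8: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4: unused(16) | next-hop MTU(16) | offending IP header + first 8 payload bytes."""
    body = struct.pack("!HH", 0, next_hop_mtu) + orig_ip_header + orig_l4_first8
    unsummed = struct.pack("!BBH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0) + body
    return struct.pack("!BBH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, inet_checksum(unsummed)) + body


def parse_frag_needed(icmp: bytes):
    """Return (flow, next_hop_mtu) for a well-formed frag-needed message, else None.

    flow identifies the original packet (proto, src, sport, dst, dport); a receiving
    host matches it against its own connections before trusting the MTU value, which
    is what stops an off-path forgery from shrinking the PMTU of an unrelated flow.
    """
    if len(icmp) < 8 + 20 + 8:          # ICMP header + minimal IP header + 8 payload bytes
        return None
    itype, code, _ = struct.unpack("!BBH", icmp[:4])
    if itype != ICMP_DEST_UNREACH or code != CODE_FRAG_NEEDED:
        return None
    if inet_checksum(icmp) != 0:        # a valid message sums to zero with its checksum included
        return None
    _, next_hop_mtu = struct.unpack("!HH", icmp[4:8])   # 0 here means "router predates RFC 1191"
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # valid for TCP and UDP payloads
    flow = {
        "proto": inner[9],
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "sport": sport,
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "dport": dport,
    }
    return flow, next_hop_mtu


def sample_frag_needed() -> bytes:
    """Constructed sample: a 1500-byte DF SMTP segment from our server hits a 1492-byte link."""
    ip = build_ipv4_header("192.0.2.1", "198.51.100.25", 6, 1500)
    tcp_first8 = struct.pack("!HHI", 40123, 25, 0x11223344)  # sport, dport, seq: the 8 bytes RFC 792 quotes
    return build_frag_needed(ip, tcp_first8, 1492)


if __name__ == "__main__":
    print(parse_frag_needed(sample_frag_needed()))
```

To settle whether these messages reach tun0 at all before blaming the ruleset, capture only this type while reproducing the stall: `tcpdump -ni tun0 'icmp[0] == 3 and icmp[1] == 4'`. If they show up in the capture but the transfer still hangs, the messages are arriving and the filter or the TCP stack is the suspect; if they never appear, nothing on this box can be dropping them. If only this message type is wanted through rather than all of ICMP, ipfilter can match it with `icmp-type unreach code 4` on the pass rule instead of `proto icmp from any to any`.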
