Greets list, Jim;

As I stated before, I was inexperienced with IMAP before I replied to you, and therefore failed to answer your question properly. I've read a little more, since I felt something was wrong about my reply... :(

First off, you must disable the IDENTD daemon or service on the firewall, since this service will provide a cracker some simple information about your firewall quite easily. I apologize for communicating this piece of bad info to you. What I meant to say was that the identd daemon on the client's computer, which you have stated you removed, should be installed and running.

Second, IMAP does require an "active" TCP connection to the client when the server is accessed, because the client is able to selectively choose the message headers he/she wants from the central file server, and then download what they like. A high port number TCP connection is required for the IMAPS mail server to work, since IMAP permits the client to "work on the server", which explains your logs and your observation of the IMAP server attempting re-connection after packets from it are dropped. This is explained within the IMAP RFC 2060:

    The Internet Message Access Protocol, Version 4rev1 (IMAP4rev1) allows a client to access and manipulate electronic mail messages on a server. IMAP4rev1 permits manipulation of remote message folders, called "mailboxes", in a way that is functionally equivalent to local mailboxes. IMAP4rev1 also provides the capability for an offline client to resynchronize with the server (see also [IMAP-DISC]).

    --- snipped for length ---

Therefore, you could attempt to activate identd on a single client for testing purposes, and test to see if this solves your problem. If not, you may be left with having to "punch a hole" in the firewall, and create a limited number of monitored ports to permit the server to talk to the clients. It would require you to filter the packets on the firewall protecting your clients, to confirm they are coming from the IMAP server and permit them to pass, rejecting all others.

Jim Bonnet <[EMAIL PROTECTED]> wrote:

> Tom-
> Thanks for the reply.
>
> I have specifically disabled identd on my imap server because many of our users are behind firewalls that don't pass identd.
>
> I have also enabled for the heck of it identd on my firewall.. This didn't change anything.
>
> It is not a consistent port, it is like other services, it is picking a random really high port.
>
> I'll read through that info you sent.
>
> I'm not waiting for the ident timeout anymore after turning it off on the server. What I do see is that when IMAPS tries to do whatever he's doing making a connection back to me on a blocked port is that the next time I check an imap mailbox it needs to re-authenticate.
>
> Thanks a lot-
> Jim
>
> tom wrote:
>> Greets list, Jim;
>>
>> Jim Bonnet <[EMAIL PROTECTED]> wrote:
>>
>>> Could someone enlighten me on the finer aspects of firewalling.
>>
>> I'll try. Although I'm a comparative newbie, I think I can expand on your question a little, from what little I know. I hope not to make any mistakes, but I'm sure we'll hear about it here :)

---tm---
Linux Registration Number: 184093, http://counter.li.org

_______________________________________________
Linux-users mailing list [EMAIL PROTECTED]
http://www.linux-sxs.org/mailman/listinfo/linux-users
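Added example, not part of the thread: a small Python classifier for the client-side firewall's dropped-packet log, separating identd lookups coming from the mail server (TCP port 113, RFC 1413) from reply packets of the client's own IMAP/IMAPS session (source port 143/993 to a high client port), which a stateful rule should already pass. The log lines are constructed in netfilter LOG style and the mail server address is an assumption.

```python
import re
from collections import Counter

# Key=value fields of a netfilter LOG line that we need (sample lines are constructed below).
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
NEEDED = ("SRC", "DST", "PROTO", "SPT", "DPT")

IMAP_PORTS = {143, 993}   # IMAP and IMAPS (IANA-assigned)
IDENT_PORT = 113          # identd / auth (RFC 1413)

def parse_log_line(line):
    """Return the fields we care about, or None if the line is not a TCP/UDP LOG entry."""
    fields = dict(FIELD.findall(line))
    if not all(k in fields for k in NEEDED):
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}

def classify_drop(rec, mail_server):
    """Label a dropped packet seen at the client-side firewall (mail_server is an assumed address)."""
    if rec is None or rec["proto"] != "TCP" or rec["src"] != mail_server:
        return "unrelated"
    if rec["dpt"] == IDENT_PORT:
        # The server asking the client's identd who owns the connection; rejecting it
        # explicitly (RST) instead of silently dropping avoids the server's ident timeout.
        return "ident-lookup"
    if rec["spt"] in IMAP_PORTS and rec["dpt"] > 1023:
        # Reply traffic of the client's own IMAP session: an ESTABLISHED rule should
        # accept it; dropping it here is what breaks the session.
        return "imap-reply"
    return "other-from-server"

def summarize(lines, mail_server):
    """Count dropped packets per category over a list of raw log lines."""
    return Counter(classify_drop(parse_log_line(l), mail_server) for l in lines)

# Constructed sample lines in netfilter LOG format (not taken from the thread).
SAMPLE_LOG = [
    "kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40321 DPT=113 SYN",
    "kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=993 DPT=51877 ACK",
    "kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=993 DPT=51877 ACK",
    "kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=4444 DPT=22 SYN",
    "kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=51000",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "192.0.2.10"))
```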
