On Sat, Dec 06, 2014 at 04:48:31PM -0500, Wietse Venema wrote:

> Looks like some proxy is plugged in the wrong way (waiting for the
> client to speak first). With SMTP the server speaks first.
> 
> Given zero details on Postfix configuration, I won't waste time
> with random guesses.

Much as I love getting shot down by Prof. Venema, even more delightful is
his making a random guess that's wrong, then disowning random guesses.

Postfix configuration shouldn't logically be an issue here. There are two
outside lines, each coming into routers provided by the ISPs. Both connect
to the same Linux firewall. That firewall NATs port 25 on the firewall for
one IP on each line to the same Postfix mail server. I had already described
the situation as such. 

There is no proxy in this circuit. Would have mentioned it if there was.
There is no SYN flood protection within the circuits we control. The traffic
coming in on the one line is handled perfectly. The traffic coming in on the
other line has this SMTP-negotiation-killing timeout, although on telnet
sending an extra CR gets the 220 line just fine. If it were anything to do
with Postfix's own configuration, or our firewall's configuration, it should
affect both incoming lines equally. It's exactly the same Postfix server
having 0% trouble on the one line, 100% trouble with incoming traffic on the
other - not two Postfix servers configured the same, but the same physical
server.

SYN flood protection in the one ISP's on-premise router - or upstream - may
be possible. We have no access to the configuration of their routers. The
line with the problem is a commercial line from Megapath, in the middle of a
business district in Manhattan, not some residential circuit you'd expect
them to play games with. It would be good to be able to tell Megapath what
they need to fix, unless there's some tweak to work around what they're
breaking.

Given that it's not the well-known TCP window scaling problem, and that it
is a problem specific to just the one ISP's routers, what is the list of how
they can have those configured wrong? SYN flood protection? Anything else? I
have Postfix servers on other ISPs too, all configured similarly, none of
the others having this problem. It's most certainly a Megapath problem. To
get them to fix whatever it is, I expect I need to identify it precisely.

Best,

Whit
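
Added example, not part of the original message: a small Python probe that repeats the telnet observation described above (no 220 line until the client sends a CR) and times it, so the same check can be run against the public address on each line and the results compared. The function name, the 5-second wait and the addresses passed on the command line are assumptions.

```python
import socket
import sys
import time


def probe_banner(host, port=25, wait=5.0, nudge=b"\r\n"):
    """Report how the SMTP greeting arrives over one network path.

    Returns (verdict, seconds, first_line). verdict is 'server-first' when
    the greeting arrives unprompted, 'after-client-data' when it only shows
    up once the client has sent bytes, and 'no-banner' otherwise.
    """
    start = time.monotonic()
    verdict, data = "server-first", b""
    with socket.create_connection((host, port), timeout=wait) as s:
        try:
            data = s.recv(512)
        except socket.timeout:
            # Nothing unprompted within `wait`: repeat the telnet test by
            # sending a bare CRLF and see whether the greeting is released.
            verdict = "after-client-data"
            s.sendall(nudge)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""
    elapsed = time.monotonic() - start
    if not data:
        return ("no-banner", elapsed, "")
    first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return (verdict, elapsed, first_line)


if __name__ == "__main__":
    # Usage (addresses are whatever you pass; none come from the thread):
    #   python probe.py <public IP on line A> <public IP on line B>
    for target in sys.argv[1:]:
        verdict, secs, line = probe_banner(target)
        print(f"{target}: {verdict} after {secs:.2f}s: {line!r}")
```

Run from an outside host, a 'server-first' result on one address and 'after-client-data' on the other reproduces the per-line difference described in the message in a form that can be handed to the ISP.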
