On Sat, Dec 06, 2014 at 04:48:31PM -0500, Wietse Venema wrote:
> Looks like some proxy is plugged in the wrong way (waiting for the
> client to speak first). With SMTP the server speaks first.
>
> Given zero details on Postfix configuration, I won't waste time
> with random guesses.

Much as I love getting shot down by Prof. Venema, even more delightful is his making a random guess that's wrong, then disowning random guesses.

Postfix configuration shouldn't logically be an issue here. There are two outside lines, each coming into routers provided by the ISPs. Both connect to the same Linux firewall. That firewall NATs port 25 on the firewall for one IP on each line to the same Postfix mail server. I had already described the situation as such. There is no proxy in this circuit. Would have mentioned it if there was. There is no SYN flood protection within the circuits we control.

The traffic coming in on the one line is handled perfectly. The traffic coming in on the other line has this SMTP-negotiation-killing timeout, although on telnet sending an extra CR gets the 220 line just fine. If it were anything to do with Postfix's own configuration, or our firewall's configuration, it should affect both incoming lines equally. It's exactly the same Postfix server having 0% trouble on the one line, 100% trouble with incoming traffic on the other - not two Postfix servers configured the same, but the same physical server.

SYN flood protection in the one ISP's on-premise router - or upstream - may be possible. We have no access to the configuration of their routers. The line with the problem is a commercial line from Megapath, in the middle of a business district in Manhattan, not some residential circuit you'd expect them to play games with. It would be good to be able to tell Megapath what they need to fix, unless there's some tweak to work around what they're breaking.

Given that it's not the well-known TCP window scaling problem, and that it is a problem specific to just the one ISP's routers, what is the list of how they can have those configured wrong? SYN flood protection? Anything else?

I have Postfix servers on other ISPs too, all configured similarly, none of the others having this problem. It's most certainly a Megapath problem. To get them to fix whatever it is, I expect I need to identify it precisely.

Best,
Whit
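
The symptom in the message above (no 220 greeting until the client sends a CR) can be recorded per incoming line with a small probe. This is an added example, not part of the original post; the function names, the 10-second wait and the command-line usage are assumptions.

```python
import socket
import time


def _read(sock):
    """Return received bytes, b"" if the peer closed, or None on timeout."""
    try:
        return sock.recv(512)
    except socket.timeout:
        return None


def probe_banner(host, port=25, wait=10.0, nudge=b"\r\n"):
    """Check whether an SMTP listener greets first or only after client data.

    Stays silent for `wait` seconds after the TCP handshake; if no greeting
    arrives, sends `nudge` (the "extra CR" from the post) and waits again.
    """
    result = {"unprompted": False, "after_nudge": False,
              "banner": b"", "seconds": None}
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=wait) as sock:
        data = _read(sock)
        if data is None:                      # silence: try the nudge
            sock.sendall(nudge)
            data = _read(sock)
            result["after_nudge"] = bool(data)
        else:
            result["unprompted"] = bool(data)
        if data:
            result["banner"] = data.splitlines()[0]
            result["seconds"] = round(time.monotonic() - start, 2)
    return result


if __name__ == "__main__":
    import sys
    # Usage: probe.py ADDRESS_ON_LINE_A ADDRESS_ON_LINE_B (run from outside)
    for addr in sys.argv[1:]:
        print(addr, probe_banner(addr))
```

Run from an outside host against the public address on each line, the two result dictionaries side by side give a timed record of which path delivers the greeting unprompted and which only after client data.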
