On Fri, 17 Sep 1999, Greg Owen wrote:
>       But the Xerox servers aren't accepting a connection.  The apparent
> accepted connection is a side effect of the Raptor proxy firewall.  If that
> firewall wasn't in the way, they'd just refuse connection and qmail would
> back off to the next MX immediately.

What is an "apparent accepted connection?"  The connection is accepted
when the TCP handshake completes -- what has not happened is an SMTP
session.  The Raptor is then slamming the door post-connection, in the
same manner as a TCP wrapper might.  The correct behavior would be to
return a RST rather than do the handshake at all.  That the Raptor is
accepting the connect for the MX's IP address is no excuse -- indeed, it's
the problem.

I have verified that Gauntlet does not show this behavior.  It's a Raptor
thing (and possibly one of other proxy firewalls that launch each proxy on
all interfaces as if using inetd).  Moreover, it could be looked at as a
misconfigured Raptor thing, since Raptor has IP-level packet filters that
could easily be used to drop the inbound packets before they reach the
Raptor's listening application on the "wrong" interface, or (perhaps - I
don't know how fancy that filtering is) RST on the attempted connect. 

The Raptor tech we talked with said one has to use the filters to prevent
listening ports from being reached on untrusted interfaces.
 
> > Tell them to fix their SMTP servers, don't work around their
> > breakage.
> 
>       If anyone is broken here, it's my firewall, not their mail setup.  No
> one here LIKES their mail setup, but that doesn't make it broken; it
> conforms with all relevant RFCs that I'm aware of.

Now, THAT I will agree with, mostly.  What is broken is the aggregate
setup - one side or the other should be adjusted.  If you want an
unreachable MX, then the firewall should not act like a broken mail
server.  OTOH, as is often done with Gauntlet, you can have the firewall
accept, proxy the mail service, accept as if it were the primary MX and
then move it along to the real primary. 

      -M

Michael Brian Scher (MS683/MS3213)  Anthropologist, Attorney, Policy Analyst
            Mainlining Internet Connectivity for Fun and Profit
     Give me a compiler and a box to run it, and I can move the mail.
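The distinction Michael draws above, a refused connect (RST) versus a door slammed after the TCP handshake with no SMTP greeting, as an added example that is not part of the original post: a small Python probe that classifies how a port answers, with constructed loopback listeners standing in for the Raptor proxy and for a real MTA. The host, port and timeout values, and the listeners themselves, are assumptions for illustration.

```python
import socket
import threading

def classify_mx(host, port, timeout=5.0):
    """How an MX port answers, seen from the sending MTA:
    "refused"   : RST / no listener, qmail moves to the next MX at once
    "filtered"  : SYN dropped silently, the sender sits in its connect timeout
    "no-banner" : handshake completed but the peer closed or went quiet before
                  any 220 greeting, the "apparent accepted connection"
    "smtp"      : a 220 banner arrived, a real SMTP server is answering"""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    with conn:
        conn.settimeout(timeout)
        try:
            greeting = conn.recv(512)
        except (socket.timeout, ConnectionResetError):
            return "no-banner"
    return "smtp" if greeting.startswith(b"220") else "no-banner"

def serve_once(behaviour):
    """Constructed stand-in listener on 127.0.0.1 (assumed, not a real MX):
    "close" accepts and then slams the door like the Raptor proxy,
    "banner" greets like a real MTA. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        peer, _ = srv.accept()
        if behaviour == "banner":
            peer.sendall(b"220 mx.example.test ESMTP\r\n")
        peer.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """A loopback port with no listener, so the connect draws a RST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Pointed at your own MX from the untrusted side, a "no-banner" result is the behaviour the thread complains about; "refused" is what the firewall's packet filter should produce instead.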
