On Mon, Mar 06, 2000 at 04:41:44AM +0100,
Markus Stumpf <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 05, 2000 at 10:17:22PM -0500, andy huhn wrote:
> > What is the difference between ident-lookups and DNS? And why would
> > either one affect incoming mail?
>
> Ident lookups try to gather information about the userid at the other
> end of a TCP connection using the (unreliable information of) ident protocol.
>
> If the ident port is e.g. filtered by a firewall and this firewall is
> set up incorrectly (as most are) and just drops the packets without
> sending proper ICMP response messages you'll have to wait till the
> connection times out (usually 60 seconds with tcpserver).
> Thus the SMTP connection to your SMTP server will be delayed.
Even if you send back ICMP host unreachable packets instead of just ignoring
the packets, there can still be delays. I noticed this with our local
Tru64 Unix boxes which treat host unreachable as a temporary failure
and retry the connection.
A better way to handle this is to send back a RST reply to the connection
request. This is what RFC 793 says to do.
In my case, since I was using IPchains for doing my port blocking, I didn't
have the option (though I sent a request to the IPchains list to add this
as a destination). However, I was hiding a local ident server, so I changed
my rules to let SYN packets through to the auth port and drop non-SYN
packets to that port. That took care of the problem for me.
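As an added illustration (not code from this thread or from tcpserver), a minimal RFC 1413 ident client with a hard timeout, a constructed stand-in identd used only for testing, and a check that a port answered with a RST fails immediately instead of stalling, which is the delay the thread describes. The function names and the fake responder are assumptions for illustration.

```python
import socket
import threading
import time

IDENT_PORT = 113   # the "auth" port discussed in the thread


def ident_lookup(host, port_on_server, port_on_client, timeout=5.0, port=IDENT_PORT):
    """One RFC 1413 query with an upper bound on how long we will wait.
    Returns the USERID, or None on an ERROR reply. A RST from the far end
    surfaces as ConnectionRefusedError at once; silently dropped packets
    surface as socket.timeout only after `timeout` seconds, which is the
    stall that delays an inbound SMTP session."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{port_on_server} , {port_on_client}\r\n".encode("ascii"))
        line = s.makefile("r", encoding="ascii", errors="replace").readline()
    # Reply: "<ports> : USERID : <opsys> : <user>"  or  "<ports> : ERROR : <code>"
    fields = [p.strip() for p in line.strip().split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return fields[3]
    return None


def fake_ident_server(reply_user):
    """Constructed stand-in for identd (assumption, for testing only):
    answers a single query on an ephemeral loopback port, then exits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            query = conn.makefile("r").readline().strip()
            body = "ERROR : NO-USER" if reply_user is None else f"USERID : UNIX : {reply_user}"
            conn.sendall(f"{query} : {body}\r\n".encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def refused_lookup_seconds():
    """Time a lookup against a loopback port with no listener: the kernel
    answers the SYN with a RST, so the client gives up immediately."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                      # nothing listens on closed_port now
    start = time.monotonic()
    try:
        ident_lookup("127.0.0.1", 25, 40000, timeout=5.0, port=closed_port)
    except ConnectionRefusedError:
        pass
    return time.monotonic() - start
```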