> we are testing a firewall setup at the moment and see
> the strange behaviour that connections from inside to an
> outside mailserver take about 30 seconds to initiate while the
> connection to port 25 of an outside proxy machine that forwards
> the requests to the outside mailserver is fast.
> That's why we assume it's not a problem of the firewall
> but that qmail handles the connections differently.
> But I don't see a reason for this. Any clues?
>
> The firewall is a nokia box with checkpoint FW1 (newest version) and the
> mailserver is a sun ultra1 running qmail-1.03.
The ident* segments are being dropped by your firewall; this causes the OUTSIDE server to wait for a response.
Solution 1, which I think is the best, is to REJECT all ident segments.
The reason for this is that many servers expect some sort of reply
before they accept connections, or they will wait or make connections slow.
Solution 2: you could allow all or some ident segments;
beware, however, that some NAT systems will have problems with ident,
since the mailserver will not see the hidden IP and will send it directly
to the firewall, which the FIREWALL might not know where to send...
Solution 3: set the TIMEOUT on the OUTSIDE mailserver to a lower number;
I would do this only if everything else fails.
Solution X: you could mix your own configuration of RULES to make this work!
*ident is a small TCP connection on PORT 113 made by servers to "verify" the client,
your INSIDE mailserver being the client and the OUTSIDE one being the server in this case.
Regards, André Paulsberg
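To make the DROP-versus-REJECT point concrete, here is an added example (not part of the original thread, and not qmail or FW-1 code) that plays the outside mailserver's side: it sends an RFC 1413 ident query and measures how long it waits under three conditions. Everything runs against loopback with constructed stand-ins: a tiny one-shot "identd" that answers, one that accepts and then stays silent (a stand-in for a firewall that silently DROPs; a real DROP would stall the connect() itself, but the querier's timer behaves the same), and a closed port (what a REJECT with RST looks like to the querier). The port numbers, the username `qmailr` and the timeouts are all assumptions for the demo.

```python
import socket
import threading
import time

IDENT_PORT = 113  # RFC 1413 ident service port (not used on loopback here)


def ident_query(host, port, port_on_queried, port_on_querier, timeout):
    """Act as the querying side (the OUTSIDE mailserver).

    RFC 1413 query format: "<port-on-server>, <port-on-client>", where the
    "server" is the host running identd, i.e. the SMTP client being verified.
    Returns (status, elapsed_seconds, reply_or_error).
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{port_on_queried}, {port_on_querier}\r\n".encode("ascii"))
            data = b""
            while not data.endswith(b"\r\n"):
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
            return ("reply", time.monotonic() - start, data.decode("ascii", "replace").strip())
    except ConnectionRefusedError as e:
        # RST came back at once: the querier knows immediately there is no identd.
        return ("refused", time.monotonic() - start, str(e))
    except (socket.timeout, TimeoutError) as e:
        # Nothing came back: the querier sits on the line until its own timer fires.
        return ("timeout", time.monotonic() - start, str(e))


def start_ident_server(responder):
    """Start a one-shot fake identd on 127.0.0.1 with an ephemeral port; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            responder(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def answer_userid(conn):
    """Well-behaved identd: echo the port pair and name the owner (constructed reply)."""
    req = conn.recv(256).decode("ascii", "replace").strip()
    conn.sendall(f"{req} : USERID : UNIX : qmailr\r\n".encode("ascii"))


def black_hole(conn):
    """Stand-in for a firewall DROP: read the query, then never reply."""
    conn.recv(256)
    time.sleep(5)  # outlives any client timeout used in demo()


def closed_port():
    """Reserve an ephemeral port and release it, so a connect() to it gets RST (REJECT)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=1.0):
    """Run the three cases; assumed ports: 40000 on the queried host, 25 on the querier."""
    results = {}
    results["answered"] = ident_query("127.0.0.1", start_ident_server(answer_userid), 40000, 25, timeout)
    results["dropped"] = ident_query("127.0.0.1", start_ident_server(black_hole), 40000, 25, timeout)
    results["rejected"] = ident_query("127.0.0.1", closed_port(), 40000, 25, timeout)
    return results


if __name__ == "__main__":
    for case, (status, elapsed, detail) in demo().items():
        print(f"{case:9s} {status:8s} {elapsed:5.2f}s  {detail}")
```

The "dropped" case takes the full client timeout (the 30 seconds in the original question is just the outside server's ident timer), while "rejected" returns in milliseconds with the same end result: no username, connection proceeds. That is why rejecting port 113 with an RST or ICMP unreachable, rather than silently dropping it, is the usual fix.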