Hi Tom, Thanks for your reply.
--- On Fri, 6/8/10, Tom Eastep <[email protected]> wrote: > From: Tom Eastep <[email protected]> > Subject: Re: [Shorewall-users] Fragmentation Required but Dont-Fragment bit > set > To: [email protected] > Received: Friday, 6 August, 2010, 11:54 PM > On 8/5/10 10:38 PM, Michael Mansour > wrote: > > > So is this enough to guarantee that the MTU discovery > process that is > > meant to take place between source (them) and > destination (me) is > > actually working? > > Yes -- but then it is also totally unnecessary since, > unless you are > silly enough to include a rule that blocks all ICMP, > Shorewall always > allows those packets even with a DROP or REJECT policy. And > that is just > a safeguard since those packets are RELATED to an existing > connection, > they are normally passed by Shorewall-generated rules which > ACCEPT > packets in the ESTABLISHED or RELATED states. > > > > > This sendmail SYSERR is annoying as it will show up > for a week (from > > one particular source where no mail will ever come > from them - while > > most other sources remain fine) and then go away for > months while it > > works fine, then come back for no apparent reason from > the same > > sending source for another few days or a week, then go > away again. > > This problem can occur at *any router between your firewall > and the > remote server*. The only other measure you can take is to > set > CLAMPMSS=Yes in shorewall.conf; that is only helpful if the > MTU of your > internet interface is less than that of the interface to > your outgoing MTA. Yeah, the internet interface is set to 1500, and all MX servers underneath are set to 1500. The problem is fixed now, the way it was fixed, as quoted from the remote sender/admin: " I did some searches on the errors below and many people seem to have this issue with send mail servers and many things can be the culprit. I don't feel it is our court to offer suggestions on your configuration but we have made the necessary changes on our end to move your name space out to a Linux server to successfully contact and send mail to your hosted companies. Why we are able to send mail via this Linux box and not off our main Windows Exchange mail server is a mystery to me. We have had Microsoft engineers pour over our config and they see nothing wrong with what we have in place. " We handle 10's of thousands of emails every day for hundreds of clients our end, and this remote sender (running MS Exchange) are the only ones that have had trouble sending. Many MS Exchange servers send to our sendmail servers also with no problems. It's interesting to me that in no change to routers, MTU's, etc, that just a change their end from moving from MS Exchange to Linux fixed it. I personally believe the MTU Discovery is the problem and the MS Exchange server their end doesn't honour the "Dont' Fragment" bit setting. The reason? we receive their MAIL FROM, RCPT TO, but when the email hits the DATA stage, it times out after 4 hours (likely because of larger emails). After providing him with extensive details, I suggested he raise this with Microsoft to see if there's any bugs with their TCP/IP stack implementation? Linux outbound their end obviously doesn't have the issue. Regards, Michael. > -Tom > -- > Tom Eastep \ When I die, I want > to go like my Grandfather who > Shoreline, \ died > peacefully in his sleep. Not screaming like > Washington, USA \ all of the > passengers in his car > http://shorewall.net > ------------------------------------------------------------------------------ This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
