Hi everyone,
Yeah, I know this has been talked about a million odd times on the
list, but no reason/solution has been posted, I thought I'd toss in my
0.02c about my problem with TB!/ZA:
(My) Issue: The Bat! will start checking mail on startup, but after a
while it will stopped by ZoneAlarm. Shutting down ZoneAlarm
will allow The Bat! to function normally, but without
protection for the computer.
As I work at an ISP, and everything was working fine with ZA and TB,
until we made some network changes, and suddenly this problem pops up.
So I'm lucky enough to have the environment and tools on hand to do
some serious debugging on the problem. :-)
Anyways, onto my problem:
The problem started when we switched our mail server from a single
external IP address to multiple IP addresses as we installed dual load
balancers and use DNS round robin to balance between them (which then
in turn balance to the mail server farm).
So how does this affect TB! + ZA? Well, TB will make a request to the
pop server (pop.x.com) to pickup mail on startup. Everything works and
all is cool. And TB! will continue to make requests to the pop server,
except suddenly something changes - the IP address of the pop server.
After a few minutes the DNS caching of the pop server's entry (ie:
pop.x.com -> x.y.z.10) on the local computer runs out, the computer
makes a DNS request and receives a reply. With DNS round robin, the
IP address might be the same as before - in which everything still
works, but if it changes, the locking situation shows up.
The real problem is that TB! references the mail server by name (this
is a good thing) but it looks like ZA keeps more detailed info about
the connection that it doesn't like being changed for security
reasons.
ZA will track that TB! opened a connection to pop.x.com which is
x.y.z.10 - and as long as TB! is open, that mapping has to stay that
way. If the IP address changes (for whatever reason - be it DNS or
more nefarious reasons), then it might be a possible "man in the
middle" attack and ZA locks out access to the mail application. The
annoying part is that ZA doesn't like to give warning messages to
users - part of the user friendliness experience I guess.
Solutions:
1) Add all your mail server IP addresses to your Local Zone in ZA.
(Hence they become "safe" in the eyes of ZA.)
or
2) And an entry to your HOSTS file with a name to a single IP
address. This will override the DNS queries for the host name
and always return that 1 IP address.
or
3) Instead of an name for your mail server, put an IP address.
>From the perspective of an ISP - #1 is the best solution!
Hope that helps to give people an explanation as to what's happening
and a solution for people in the future.
Cheers,
Ross
--
Ross West mailto:[EMAIL PROTECTED]
________________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
