Dealing with MailScanner overloads {Scanned by HJMS}

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Mon Sep 15 19:52:56 IST 2003


On Monday 15 September 2003 7:41 pm, Furnish, Trever G wrote:

> > I would not run tcpwrappers for email service on a reasonably
> > loaded server - it introduces far too much latency for each email coming
> > in,
>
> I wonder what you mean by latency - if you mean the delay that occurs when
> the remote MTA connects to yours and gets no response,

No, I mean the delay while your mail server connects to the remote MTA and
does an Ident lookup (which usually fails because most people use iptables
rules like yours, and cause it to timeout), before accepting the connection.

> So tcp wrappers does an ident lookup on originating servers?

Yes, that's the whole point of tcpwrappers.   It was created to identify the
user at the other end of the link.

> That would be annoying.  I always assumed it was just sendmail doing that,

No, sendmail doesn't care at the IP level.   Tcpwrappers happens during the
TCP setup between the two servers.   It's only once tcpwrappers has finished
that sendmail realises that a connection has been made.

> which is why I explicitly reject ident with the following iptables
> statements (from a FAQ somewhere):
> iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
> iptables -A INPUT -p udp -m udp --dport 113 -j REJECT

Yup.   Lots of people do that sort of thing, and that's what causes
tcpwrappers to time out (the ironic thing is that even after getting no
response whatsoever, it still allows the connection to proceed - that's why I
said the security element disappeared long ago).   I wouldn't want that on
every incoming email, thanks :)

Regards,

Antony.

--

I vote "no" to this proposal to form a committee to investigate whether we
should or should not hold a ballot on whether to vote yet.
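To make the cost of the lookup concrete, here is a minimal RFC 1413 ident client with a bounded timeout, run against three constructed local peers: one that answers, a port with nothing listening (what a TCP reset looks like to the client), and one that never replies (what a dropped packet looks like). This is an added example, not code from the thread; the helper names, the 127.0.0.1 ports and the canned reply are assumptions.

```python
# Added example (not from the thread): minimal RFC 1413 ident client plus
# constructed local peers, to show what a tcpwrappers-style lookup costs.
import socket
import threading
import time

def ident_query(host, port, server_port, client_port, timeout=2.0):
    """Send "<server-port> , <client-port>"; return (status, reply, seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            reply = b""
            while not reply.endswith(b"\r\n"):
                chunk = s.recv(512)
                if not chunk:  # peer closed without a full reply line
                    break
                reply += chunk
        return "ok", reply.decode("ascii", "replace").strip(), time.monotonic() - start
    except ConnectionRefusedError:  # TCP reset: the lookup fails at once
        return "refused", "", time.monotonic() - start
    except socket.timeout:  # no answer at all: the caller waits out the timeout
        return "timeout", "", time.monotonic() - start

def start_responder(reply):
    """Constructed 127.0.0.1 ident server: answers one query with `reply`, or
    stays silent (like a dropped packet) if reply is None. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)
            if reply is not None:
                conn.sendall(reply)
            else:
                time.sleep(3)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """A 127.0.0.1 port with nothing listening, so a connect gets a TCP reset."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Multiply the "timeout" figure by every inbound SMTP connection to see the per-message delay the thread is discussing; the "refused" case costs only a round trip.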


