Dealing with MailScanner overloads {Scanned by HJMS}

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Mon Sep 15 20:20:01 IST 2003


> -----Original Message-----
> From: Antony Stone [mailto:Antony at SOFT-SOLUTIONS.CO.UK]
> Sent: Monday, September 15, 2003 1:53 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Dealing with MailScanner overloads {Scanned by HJMS}
>
>
> On Monday 15 September 2003 7:41 pm, Furnish, Trever G wrote:
> > I wonder what you mean by latency - if you mean the delay that occurs when
> > the remote MTA connects to yours and gets no response,
>
> No, I mean the delay while your mail server connects to the remote MTA and
> does an Ident lookup (which usually fails because most people use iptables
> rules like yours, and cause it to timeout), before accepting the connection.

Actually that rule is there explicitly to PREVENT the timeout - the
--reject-with tcp-reset makes systems that do an ident lookup return a
failed lookup immediately, without timing out.

> No, sendmail doesn't care at the IP level.   Tcpwrappers happens during the
> TCP setup between the two servers.   It's only once tcpwrappers has finished
> that sendmail realises that a connection has been made.

Hmmm... Actually, I said "assumed", but it wasn't exactly an assumption.  I
have explicitly lowered the sendmail ident timeout before, so I'm thinking
sendmail (at least some versions) does its own ident lookup without tcp
wrappers.
http://www.sendmail.org/m4/tweaking_config.html#confTO_IDENT

But your point is well taken that tcp wrappers may have its own issues and
that ident lookups provide no security.  And as for my point ... well I
don't think I had one, actually. ;^)

-t.


