Dealing with MailScanner overloads {Scanned by HJMS}

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Mon Sep 15 20:24:15 IST 2003


On Monday 15 September 2003 8:20 pm, Furnish, Trever G wrote:

> > No, I mean the delay while your mail server connects to the remote MTA
> > and does an Ident lookup (which usually fails because most people use
> > iptables rules like yours, and cause it to timeout), before accepting
> > the connection.
>
> Actually that rule is there explicitly to PREVENT the timeout - the
> --reject-with tcp-reset makes systems that do an ident lookup return a
> failed lookup immediately, without timing out.

Yes, sorry - I failed to look closely enough at your rule.

Many people use DROP instead of REJECT - and it's dropping packets which
causes the timeouts.

> Hmmm... Actually, I said "assumed", but it wasn't exactly an assumption.  I
> have explicitly lowered the sendmail ident timeout before, so I'm thinking
> sendmail (at least some versions) does its own ident lookup without tcp
> wrappers.
> http://www.sendmail.org/m4/tweaking_config.html#confTO_IDENT

Interesting.   Thanks.

Antony.

--

Windows: just another pane in the glass.
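
A check for the DROP-versus-REJECT point discussed in this message, as an added example that is not part of the original post: it reads `iptables-save` output and reports what a new connection to the ident port (113/tcp) receives. The sample rulesets are constructed, and the function names are hypothetical.

```python
import shlex

# Constructed iptables-save output (not from the thread): one ruleset drops
# ident probes, the other answers them with a TCP RST.
DROPPING = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j DROP
COMMIT
"""
RESETTING = DROPPING.replace(
    "--dport 113 -j DROP", "--dport 113 -j REJECT --reject-with tcp-reset")


def ident_verdict(ruleset, chain="INPUT", port="113"):
    """Return the target a new TCP connection to `port` hits: first match, else policy.

    Simplification: expects filter-table output only, and considers only rules
    that name --dport explicitly; source matches, multiport and jumps to
    user-defined chains are ignored.
    """
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        if line.startswith(":" + chain + " "):
            policy = line.split()[1]          # e.g. ":INPUT DROP [0:0]"
            continue
        if not line.startswith("-A " + chain + " "):
            continue
        args = shlex.split(line)
        if "--dport" not in args or "-j" not in args:
            continue
        if args[args.index("--dport") + 1] != port:
            continue
        target = args[args.index("-j") + 1]
        if target == "REJECT" and "--reject-with" in args:
            target += ":" + args[args.index("--reject-with") + 1]
        return target
    return policy


def ident_times_out(ruleset):
    """True when ident probes are silently discarded, so the peer waits for a timeout."""
    return ident_verdict(ruleset) == "DROP"
```
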
