Dealing with MailScanner overloads {Scanned by HJMS}
Antony Stone
Antony at SOFT-SOLUTIONS.CO.UK
Mon Sep 15 20:24:15 IST 2003
On Monday 15 September 2003 8:20 pm, Furnish, Trever G wrote:
> > No, I mean the delay while your mail server connects to the remote MTA
> > and does an Ident lookup (which usually fails because most people use
> > iptables rules like yours, and cause it to timeout), before accepting
> > the connection.
>
> Actually that rule is there explicitly to PREVENT the timeout - the
> --reject-with tcp-reset makes systems that do an ident lookup return a
> failed lookup immediately, without timing out.
Yes, sorry - I failed to look closely enough at your rule.
Many people use DROP instead of REJECT - and it's dropping packets which
causes the timeouts.
> Hmmm... Actually, I said "assumed", but it wasn't exactly an assumption. I
> have explicitly lowered the sendmail ident timeout before, so I'm thinking
> sendmail (at least some versions) does its own ident lookup without tcp
> wrappers.
> http://www.sendmail.org/m4/tweaking_config.html#confTO_IDENT
Interesting. Thanks.
Antony.
--
Windows: just another pane in the glass.
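
Added example, not part of the original message: a small Python check that shows the DROP versus tcp-reset difference discussed above from the side of the MTA making the ident lookup. A port that answers with a reset fails immediately, while dropped packets cost the caller its full timeout. The function names, the 3-second timeout and the loopback demo are assumptions made for illustration.

```python
import socket
import time


def classify_ident(host, port=113, timeout=3.0):
    """Connect to the ident port and report how the far end answered.

    Returns (state, seconds) where state is:
      'open'    - something accepted the connection
      'reset'   - refused at once (closed port, or REJECT --reject-with tcp-reset)
      'timeout' - no answer within `timeout` (what a DROP rule looks like)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except ConnectionRefusedError:
        state = "reset"
    except socket.timeout:
        state = "timeout"
    except OSError as exc:
        state = "error: %s" % exc
    return state, time.monotonic() - start


def loopback_demo():
    """Constructed demo on 127.0.0.1: one listening port, one refusing port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))  # bound but never listening, so connects are reset
    try:
        return {
            "open": classify_ident("127.0.0.1", listener.getsockname()[1]),
            "reset": classify_ident("127.0.0.1", closed.getsockname()[1]),
        }
    finally:
        listener.close()
        closed.close()


if __name__ == "__main__":
    for label, (state, secs) in loopback_demo().items():
        print("%-6s -> %-8s after %.3fs" % (label, state, secs))
```

Pointed at your own mail server's address from an outside host, a 'timeout' result means the firewall is dropping ident packets and every remote MTA that does the lookup waits out its own ident timeout before proceeding.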