OT: Thunderbird and iptables

Mark Nienberg mark at TIPPINGMAR.COM
Wed Apr 27 18:35:01 IST 2005

Thanks very much for the primer about RST flags.  I guess I should learn
a little more about basic TCP connections.  While I work on that, I'll
try allowing outgoing packets that have the ACK and RST bits set, so
that at least the clients will hear the server's response.  The server
(as you suggested) isn't listening on the upper ports and there is no
ftp daemon running.  The NAT behind which the server sits doesn't
forward incoming high ports to the server either.  There is no question
that the blocking is related to Thunderbird IMAP, so maybe I should ask
about it on a Thunderbird forum.
Thanks again.

Matt Kettler wrote:

>I think your biggest hint should be to notice that the packet has the
>RST bit set. I doubt this is part of a connection originated by the
>server, but instead part of a connection originated, or trying to
>originate from, the remote.
>The RST flag generally means that the remote sent a packet to an
>unserved port on your mailserver. The other case could be an abrupt
>close of the socket on the server side, such as a process kill. The RST
>packet would be generated by your mailserver as a method of warning the
>connection isn't valid and doesn't have any state tracking.
>If multiple resets were generated due to multiple offending packets,
>IPTables may refuse all but the first, as the connection was destroyed
>by the first RST (I see this all the time on Cisco PIX equipment, a late
>arriving duplicate fin or rst packet gets dropped because there's no
>matching connection)
>However, that port pattern looks more like passive-mode FTP than IMAP..
>but who knows, I'm no IMAP expert.
>So, I suppose your questions should be:
>1) can the client try to connect to port 36798 on the server?
>2) If not, does IMAP advertise secondary ports for the client to connect
>to (like passive FTP does)?
>3) If so, can the remote try to make tcp connections to port 36798 if
>advertised by the IMAP server?
>Mark Nienberg wrote:
>>Forgive the off-topic post, but what a great place this is to get the
>>ear of a bunch of e-mail administrators.
>>My offsite Thunderbird users, when checking mail using IMAP, generate
>>messages like the following from iptables:
>>Apr 20 10:29:10 gingham kernel: IN= OUT=eth0
>>SRC=my.mailserver.ip.address DST=the.remote.ip.address
>>LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=50142 DF PROTO=TCP
>>SPT=36798 DPT=60933 WINDOW=7040 RES=0x00 ACK RST URGP=0
>>In spite of this, the Thunderbird clients seem to work just fine.
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>Support MailScanner development - buy the book off the website!

Mark Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave
Berkeley, CA 94704
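
The iptables log entry quoted in this thread, read the way Matt Kettler's reply suggests, as an added example that is not part of the original messages: a small parser that splits a LOG line into its fields and TCP flags and sorts resets by whether they leave from a port the server actually serves. The `SERVED_PORTS` set and the function names are assumptions made for illustration.

```python
# Assumption: the ports this mail server serves (not stated in the thread).
SERVED_PORTS = {25, 143, 993}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# The log entry from the thread, re-joined onto one line; the addresses are
# the poster's own placeholders.
SAMPLE = ("Apr 20 10:29:10 gingham kernel: IN= OUT=eth0 "
          "SRC=my.mailserver.ip.address DST=the.remote.ip.address "
          "LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=50142 DF PROTO=TCP "
          "SPT=36798 DPT=60933 WINDOW=7040 RES=0x00 ACK RST URGP=0")

def parse_log(line):
    """Split an iptables LOG line into key=value fields and bare TCP flags."""
    _, _, body = line.partition("kernel:")
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val          # "IN=" yields an empty string
        elif tok in TCP_FLAGS:
            flags.add(tok)             # bare tokens such as DF are ignored
    return fields, flags

def classify(line, served=SERVED_PORTS):
    """Label a logged packet according to the two RST cases in the reply."""
    fields, flags = parse_log(line)
    if fields.get("PROTO") != "TCP" or "RST" not in flags:
        return "not-a-tcp-reset"
    # An empty IN= with OUT= set means the packet was generated locally.
    if not (fields.get("IN") == "" and fields.get("OUT")):
        return "not-locally-generated"
    if int(fields.get("SPT", "0")) in served:
        return "reset-from-served-port"    # e.g. abrupt close of a session
    return "reset-from-unserved-port"      # reply to a packet for a closed port

if __name__ == "__main__":
    print(classify(SAMPLE))
```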