Date: Sat, 13 Sep 2003 18:37:41 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: yo _ <exhausted01@hotmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: TCP/IP: Operation Timed Out
Message-ID: <20030913173741.GA15901@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <Law9-F1676INmn4K4dc00014c04@hotmail.com>
References: <Law9-F1676INmn4K4dc00014c04@hotmail.com>
On Sat, Sep 13, 2003 at 12:32:55PM -0400, yo _ wrote:
> I manage a general mail server for my organization and recently I have been
> receiving complaints that not all their messages are being sent. A quick
> check to the maillog and I noticed that many of the mail servers of the
> receivers are getting "Operation timed out" responses. I manually checked
> connecting to these servers using telnet to see if it was just my MTA, but
> to my surprise telnet was unable to connect as well!
>
> At home I tried connecting to these servers via telnet on port 25 as well,
> and it worked with ease. Then immediately I ssh'ed to our remote mail server
> and telnet'ed to these "operation timed out" mail servers on port 25 and
> still the same thing. Now this shocked me: how could I be easily connecting
> to the mail servers from home, and from the location of our mail server, not
> be able to? It connects to other mail servers; there are just a few that do
> not work, including:
>
> smtp1.dadeschools.net
> mail1.dadeschools.net
> oitmail.dade.k12.fl.us
> sbabmail.dade.k12.fl.us
> 7841exch2.tecmiami.com
>
> It's not a DNS problem as the DNS resolves the same IP address from home
> and where the server resides. I'm not sure if it is solely our mail server
> or it is all the computers on our LAN that are unable to connect; I will
> have to examine this when I get there sometime this week. The mail server
> is connected directly to the internet and is assigned a public IP address
> (it is not behind a router firewall and is not forwarded packets through
> NAT). The host address of our mail server is mail.e-equality.org.
>
> Does anyone know the nature of this problem or how to solve it? Could it be
> faulty design of the network route from our mail server to theirs? Or maybe
> our TTL settings on the packets are too small.

This could be a problem due to timeouts with the ident protocol, also
known as auth, which uses port 113. Most mailservers will try and do an
ident check on you when you connect to them. If your firewall just drops
the incoming connection, then the server at the other end will just have
to wait out the timeout period.

While ident is meant to be a security measure, it's practically worthless
as it's too easy to lie to, and if you don't lie, then it's a leak of what
should be private information.

To prevent your sendmail server making ident requests, include:

    define(`confTO_IDENT', `0')dnl

in your /etc/mail/`hostname`.mc file.

If you aren't going to run an ident server, then you should reject ident
protocol packets at your firewall. With ipfw(8), that's something like:

    add 1234 reset tcp from any to ${oip} 113 setup in recv ${oif}

Nb. 'reset' which will return an ICMP port unreachable message, rather
than just dropping the packet.

If you do decide to run an ident server, then you should add
'inetd_enable="YES"' to /etc/rc.conf and edit /etc/inetd.conf to enable
one of the auth variants -- there's not much reason to run anything other
than the ident server built into inetd. If you're behind a NAT gateway,
then you can run the ident server on the NAT gateway, but you'll have to
run one of the variants that refuses to return any information.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
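An added example, not part of the thread, for the two points in Matthew's reply: what the remote end sees when a port-113 connection is silently dropped rather than refused, and what an ident responder that declines to identify local users looks like on the wire (RFC 1413 request/response format). Assumptions: Python 3 standard library only; the demo talks only to 127.0.0.1 through a listener it opens itself, so no real ident server or remote host is involved; the `lookup` callback, the ident query `6193, 23` and the user name "alice" are constructed.

```python
"""Added example (not from the thread): ident timeouts and an RFC 1413 responder.

probe_tcp()      classifies what a host does with a TCP connect to a port:
                 'refused' (an immediate RST / ICMP unreachable), 'open', or
                 'timeout' (packets silently dropped, so the peer waits out
                 its whole timer, which is the delay the thread describes).
ident_response() builds the RFC 1413 reply for one ident request line; with
                 no lookup callback it answers ERROR : HIDDEN-USER, i.e. the
                 variant that refuses to return any user information.
"""
import socket
import sys
import time

IDENT_PORT = 113
MAX_PORT = 65535


def probe_tcp(host, port, timeout=3.0):
    """Return (verdict, elapsed_seconds) for one TCP connection attempt."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except socket.timeout:            # SYN dropped: no RST, no ICMP, just silence
        verdict = "timeout"
    except ConnectionRefusedError:    # RST (or ICMP port unreachable) came back at once
        verdict = "refused"
    except OSError:                   # e.g. ICMP host/net unreachable, no route
        verdict = "unreachable"
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def ident_response(request_line, lookup=None):
    """RFC 1413: request '<server-port> , <client-port>'; the reply echoes both
    ports followed by ': USERID : <os> : <user>' or ': ERROR : <code>'.

    lookup(server_port, client_port) -> user name or None.  Leave it as None
    to disclose nothing about local users.  Returns None when the request
    cannot be parsed at all; the caller then closes the connection, which
    RFC 1413 tells the client to treat as UNKNOWN-ERROR.
    """
    text = request_line.decode("ascii", errors="replace").strip()
    fields = text.split(",")
    if len(fields) != 2:
        return None
    try:
        server_port, client_port = (int(f.strip()) for f in fields)
    except ValueError:
        return None
    prefix = f"{server_port} , {client_port} : "
    if not (1 <= server_port <= MAX_PORT and 1 <= client_port <= MAX_PORT):
        return (prefix + "ERROR : INVALID-PORT\r\n").encode("ascii")
    if lookup is None:
        return (prefix + "ERROR : HIDDEN-USER\r\n").encode("ascii")
    user = lookup(server_port, client_port)
    if user is None:
        return (prefix + "ERROR : NO-USER\r\n").encode("ascii")
    return (prefix + f"USERID : UNIX : {user}\r\n").encode("ascii")


def run_local_demo():
    """Exercise both functions against 127.0.0.1 only; returns a dict of results."""
    results = {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port standing in for 113
    listener.listen(1)
    port = listener.getsockname()[1]
    results["listening"], _ = probe_tcp("127.0.0.1", port)   # 'open'
    listener.close()
    results["closed"], _ = probe_tcp("127.0.0.1", port)      # 'refused', no waiting
    request = b"6193, 23\r\n"                # constructed ident query
    results["hidden"] = ident_response(request)
    results["leaky"] = ident_response(request, lookup=lambda s, c: "alice")  # constructed name
    results["bad_port"] = ident_response(b"70000, 23\r\n")
    results["garbage"] = ident_response(b"not an ident query\r\n")
    return results


if __name__ == "__main__":
    for name, value in run_local_demo().items():
        print(f"{name:10} {value!r}")
    if len(sys.argv) > 1:                    # optional: probe a host you operate on port 113
        verdict, elapsed = probe_tcp(sys.argv[1], IDENT_PORT)
        print(f"{sys.argv[1]}:{IDENT_PORT} -> {verdict} after {elapsed:.2f}s")
```

Running the probe against your own mail server's port 113 from a second vantage point tells you which case you are in: 'refused' comes back within milliseconds, while 'timeout' means the connecting side waits out its whole ident timer, which is exactly the delay a remote MTA adds before it accepts your mail. The 'leaky' result shows why the hidden-user variant is the one to run when you must answer ident at all.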