Date: Sat, 13 Sep 2003 18:37:41 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: yo _ <exhausted01@hotmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: TCP/IP: Operation Timed Out Message-ID: <20030913173741.GA15901@happy-idiot-talk.infracaninophile.co.uk> In-Reply-To: <Law9-F1676INmn4K4dc00014c04@hotmail.com> References: <Law9-F1676INmn4K4dc00014c04@hotmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sat, Sep 13, 2003 at 12:32:55PM -0400, yo _ wrote:
> I manage a general mail server for my organization and recently i have be=
en=20
> receiving complaints that not all their messages are being sent. A quick=
=20
> check to the maillog and i noticed that many of the mail servers of the=
=20
> receivers are getting "Operation timed out" responses. I manually checked=
=20
> connecting to these servers using telnet to see if it was just my mta, bu=
t=20
> to my surprise telnet was unable to connect as well!
>=20
> At home i tried connecting to these servers via telnet on port 25 as well=
,=20
> and it worked with ease. Then immediatly I ssh'ed to our remote mail serv=
er=20
> and telnet'ed to these "operation timed out" mail servers on port 25 and=
=20
> still same thing. Now this shocked me, how could i be easily connecting t=
o=20
> the mail servers from home, and from the location of our mail server, not=
=20
> be able to. It connects to other mail servers there are just a few that d=
o=20
> not work including:
>=20
> smtp1.dadeschools.net
> mail1.dadeschools.net
> oitmail.dade.k12.fl.us
> sbabmail.dade.k12.fl.us
> 7841exch2.tecmiami.com
>=20
> It's not a DNS problem as the dns resolves the same ip address from home=
=20
> and where the server resides. I'm not sure if it is solely our mail serve=
r=20
> or it is all the computers on our LAN that are unable to connect, i willl=
=20
> have to examine this when i get there sometime this week. The mail server=
=20
> is connected directly to the internet and is assigned a public ip address=
=20
> (it is not behind a router filewall or is not forwarded packets through=
=20
> NAT). The host address of our mail server is mail.e-equality.org.
>=20
> Does anyone know the nature of this problem or how to solve it? Could it =
be=20
> faulty design of the network route from our mail server to theirs? Or may=
be=20
> our TTL settings on the packets are too small.
This could be a problem due to timeouts with the ident protocol, also
known as auth, which uses port 113. Most mailservers will try and do
an ident check on you when you connect to them. If your firewall just
drops the incoming connection, then the server at the other end will
just have to wait out the timeout period. While ident is meant to be
a security measure, it's practically worthless as it's too easy to lie
to, and if you don't lie, then it's a leak of what should be private
information.
To prevent your sendmail server making ident requests, include:
define(`confTO_IDENT', `0')dnl
in your /etc/mail/`hostname`.mc file.
If you aren't going to run an ident server, then you should reject
ident protocol packets at your firewall. With ipfw(8), that's
something like:
add 1234 reset tcp from any to ${oip} 113 setup in recv ${oif}
Nb. 'reset' which will return an ICMP port unreachable message, rather
than just dropping the packet.
If you do decide to run an ident server, then you should add
'inetd_enable=3D"YES"' to /etc/rc.conf and edit /etc/inetd.conf to
enable one of the auth variants -- there's not much reason to run
anything other than the ident server built into inetd. If you're
behind a NAT gateway, then you can run the ident server on the NAT
gateway, but you'll have to run one of the variants that refuses to
return any information.
Cheers,
Matthew
--=20
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
--2oS5YaxWCcQjTEyO
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQE/Y1XldtESqEQa7a0RAjliAJ9xVzT258QQuHUigVwZk7bZ9nOaeACfb83D
RJ8uvoSsn8dG7z9sytLfDcc=
=HHpV
-----END PGP SIGNATURE-----
--2oS5YaxWCcQjTEyO--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030913173741.GA15901>