On Tue, Jan 13, 2015 at 7:38 PM, David Parker <dpar...@utica.edu> wrote:

> Hello,
>
> We have an SMTP server running Sendmail 8.14.4-4 on Debian 7 64-bit.
> We're using the file /etc/mail/access for access control and rate limiting,
> and this is enabled via the following lines in /etc/mail/sendmail.cf:
>
> Kaccess hash -T<TMPF> /etc/mail/access
> # FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access', `skip')dnl
>
> For some reason, I just can't get it to not pause when greeting external
> (non-localhost) connections.  I was testing SSL/TLS connectivity when I
> discovered the delay, using "openssl s_client -connect smtp-server:465".
> If I run this command from the SMTP server, it connects and then prints all
> of the SSL and certificate information immediately.  But if I test from
> another PC on our network, it connects, pauses for 5 seconds, and then
> prints the SSL information.
>
> My /etc/mail/access file is pasted below.  The PC I'm testing from is on
> the 10.x.x.x network, which should be allowed to connect with no delay.  I
> have also tried setting the default GreetPause to "0" but it still made no
> difference.
>
> ########################################
> Connect:localhost RELAY
> GreetPause:localhost 0
> ClientRate:localhost 0
> ClientConn:localhost 0
> Connect:127 RELAY
> GreetPause:127 0
> ClientRate:127 0
> ClientConn:127 0
> Connect:IPv6:::1 RELAY
> GreetPause:IPv6:::1 0
> ClientRate:IPv6:::1 0
> ClientConn:IPv6:::1 0
> Connect:10 RELAY
> GreetPause:10 0
> ClientRate:10 0
> ClientConn:10 0
>
> # Defaults
> Connect: REJECT
> GreetPause: 5000
> ClientRate: 10
> ClientConn: 10
>
> # Whitelisted users
> Spam:postmaster@ FRIEND
> Spam:abuse@ FRIEND
> Spam:spam@ FRIEND
>
> # Blacklisted users
> reject@ REJECT
>
> # Block invalid IPs
> Connect:169.254 REJECT
> Connect:192.0.2 REJECT
> Connect:224 REJECT
> Connect:255 REJECT
> ########################################
>
> Any help would be greatly appreciated.  Thanks!
>
>
Hi Dave,

I'd add the IP address of that PC to /etc/hosts.allow on the sendmail machine
to rule out TCP Wrappers...

Also, any chance something is doing a reverse DNS check?

Burhan
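
Added example, not part of the original thread: one way to measure the two delays the reply asks about, the reverse DNS lookup of the client's address (run on the sendmail host) and the wait for the greeting (run from the client PC). It assumes the server also answers plain SMTP on port 25, where the 220 banner is the first thing sent; the function names and the one-second threshold are this example's own.

```python
import socket
import time


def time_reverse_dns(ip, resolver=socket.gethostbyaddr):
    """Run on the mail server: time a PTR lookup of the client's IP.

    Returns (hostname or None, seconds). `resolver` is injectable for testing.
    """
    start = time.monotonic()
    try:
        name = resolver(ip)[0]
    except OSError:  # socket.herror / socket.gaierror: no PTR or resolver failure
        name = None
    return name, time.monotonic() - start


def time_to_greeting(host, port=25, timeout=15.0):
    """Run on the client PC: time a plain-SMTP connect and the wait for the banner.

    Returns (connect_seconds, greeting_seconds, first_banner_line).
    """
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        connected = time.monotonic()
        data = sock.recv(512)  # blocks until the server sends its 220 line
        greeted = time.monotonic()
    lines = data.decode("ascii", "replace").splitlines()
    return connected - start, greeted - connected, lines[0] if lines else ""


def likely_source(ptr_seconds, greeting_seconds, slow=1.0):
    """Rough heuristic (an assumption of this example) comparing the two timings."""
    if greeting_seconds < slow:
        return "no-delay"
    if ptr_seconds >= slow:
        return "reverse-dns"
    return "other"  # e.g. a configured pause or another check before the banner
```

Call `time_reverse_dns()` with the test PC's address on the server and `time_to_greeting()` with the server's name from the PC, then pass both timings to `likely_source()`.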
