Yes! That seems to be the culprit. I ran an strace on the sendmail process and that's exactly what happens:
[ ... ]
4007  15:09:08.386921 connect(5, {sa_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("10.3.1.40")}, 16 <unfinished ...>
3792  15:09:13.386272 <... select resumed> ) = 0 (Timeout)
[ ... ]

Where 10.3.1.40 is the IP of the client PC.

So now I just need to dig into the config and figure out how to stop it.

Thanks!

On Tue, Jan 13, 2015 at 3:16 PM, Joe <j...@jretrading.com> wrote:

> On Tue, 13 Jan 2015 20:12:11 +0000
> Joe <j...@jretrading.com> wrote:
>
> > On Tue, 13 Jan 2015 14:27:42 -0500
> > David Parker <dpar...@utica.edu> wrote:
> >
> > > Thanks for the replies.
> > >
> > > The system is not using tcpwrappers, and it's also not a DNS issue.
> > > The client PC does have a reverse DNS entry. A tcpdump packet
> > > capture on the server shows the initial connection from the client
> > > followed by a bunch of DNS traffic, all within the same second.
> > > Then nothing happens for exactly 5 seconds, then the server sends
> > > data back to the client.
> > >
> > > Just to be extra sure, I added an entry for it in /etc/hosts so DNS
> > > wouldn't even be needed. Still made no difference.
> > >
> >
> > Is it asking for an ident from the connecting server (TCP port 7)?
> > This is an old-fashioned custom, when computers with MTAs also ran
> > ident servers, which provided some fairly harmless information.
> >
> > Exim4 can certainly ask for an ident, and does nothing for a
> > configurable timeout unless one is received, or the sender address is
> > whitelisted. It is a simple anti-spam measure, as practically nothing
> > runs ident servers today, and most malware will give up before a
> > thirty-second timeout expires, whereas a legitimate MTA will wait
> > for that long.
> >
>
> OK, where did the 7 come from? Should be port 113. I saw it just as the
> mouse button clicked...
>
> --
> Joe
>

--
Dave Parker
Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
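
Added example, not part of the original message: a small Python script that scans strace output in the format shown above (PID and microsecond timestamp prefix, assumed to come from `strace -f -tt`) for connect() calls to the ident port 113 and reports how long each one stalled. The function name, the DNS line, the 10.3.1.2 address and the "connect resumed" line in the sample are constructed for illustration; only the first two lines come from the message.

```python
import re
from datetime import datetime

IDENT_PORT = 113  # ident/auth service (RFC 1413)

LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<rest>.*)$")
CONNECT = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((?P<port>\d+)\), '
    r'sin_addr=inet_addr\("(?P<ip>[\d.]+)"\)\}'
)

def ident_stalls(trace):
    """Return one record per ident connect() that strace logged as unfinished."""
    pending = {}   # pid -> (start time, peer IP) for connects still in flight
    stalls = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # elision markers such as "[ ... ]" and blank lines
        pid, rest = m["pid"], m["rest"]
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        c = CONNECT.match(rest)
        if c and int(c["port"]) == IDENT_PORT and rest.endswith("<unfinished ...>"):
            pending[pid] = (ts, c["ip"])
        elif rest.startswith("<... connect resumed>") and pid in pending:
            start, ip = pending.pop(pid)
            stalls.append({"pid": pid, "peer": ip,
                           "seconds": round((ts - start).total_seconds(), 3),
                           "result": rest.split("= ", 1)[-1]})
    # Connects that never resumed inside the captured window
    for pid, (start, ip) in pending.items():
        stalls.append({"pid": pid, "peer": ip, "seconds": None, "result": None})
    return stalls

# Lines 2 and 3 are from the message; lines 1 and 4 are constructed.
SAMPLE = """\
4007  15:09:08.380100 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.3.1.2")}, 16) = 0
4007  15:09:08.386921 connect(5, {sa_family=AF_INET, sin_port=htons(113), sin_addr=inet_addr("10.3.1.40")}, 16 <unfinished ...>
3792  15:09:13.386272 <... select resumed> ) = 0 (Timeout)
4007  15:09:13.387004 <... connect resumed> ) = -1 EINTR (Interrupted system call)
"""

if __name__ == "__main__":
    for s in ident_stalls(SAMPLE):
        print(s)
```

A record with "seconds" set to None means the capture ended before that connect() returned.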