Hello,
It's also possible to effectively disable this Ident behaviour
on your Sendmail server.
If you are using M4 to create your Sendmail cf file, you can
simply add the following line to the relevant .mc configuration
file:
define(`confTO_IDENT',`0s')
-----Original Message-----
From: Hans Schaechl [mailto:[EMAIL PROTECTED]]
Sent: 21 June 2000 14:58
To: [EMAIL PROTECTED]
Subject: RE: [FW1] IDENT Question
Hi,
no, the receiving sendmail sends back an auth/ident request
after being contacted by any sender. This is after the SMTP
communication already started. Ident is to find the owner
of a connection (pair of sockets) at the remote machine. If
there's no ident server process listening on port 113/tcp the
host responds with a RST to the initiator. This is what your FW-1
can do for your internal hosts when you 'reject' ident queries
instead of silently dropping them. If you drop those packets
sendmail waits for the timeout (currently 5sec default) to occur
before communication goes on.
For the use and purpose of the ident protocol simply read
RFC 1413. Words of wisdom from the author:
"At best, it provides some additional auditing information with
respect to TCP connections. At worst, it can provide misleading,
incorrect, or maliciously incorrect information."
Hans
P.S.: Some IRC servers deny access when they find no ident server
running at the client's site. This is why mIRC, a famous IRC client
for Windows systems, comes with its own ident server.
At 07:48 21.06.00 -0500, John Stevenson wrote:
>[...]
>Sendmail uses Ident to see if the host on the other end is
>alive before it starts to communicate with it.
>
>John.
>
>-----Original Message-----
>From: James Edwards [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, June 21, 2000 7:32 AM
>To: 'James Toshack'; [EMAIL PROTECTED]
>Subject: RE: [FW1] IDENT Question
>
>I went thru this same issue when I put my firewall in. I finally decided to
>block it and see who screams. That was about a year ago and I see a lot of
>blocked ident traffic, almost all going to my mail server.
>
>Guess what, not one single complaint.
>
>Jim Edwards
>
>-----Original Message-----
>From: James Toshack [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 20, 2000 3:44 PM
>To: [EMAIL PROTECTED]
>Subject: [FW1] IDENT Question
>
>Can someone please tell me the importance of the TCP IDENT service port? The
>firewall I'm now managing has IDENT traffic blocked....I don't know if this is
>by design, or a mistake...our external DNS's are producing hundreds and
>thousands of dropped IDENT packets...and I don't know what allowing our DNS's to
>process this IDENT traffic might produce in terms of a security risk. Is
>allowing this type of traffic considered pretty standard for a DMZ DNS Server?
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
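
Added example, not part of the original thread: a Python sketch of the ident exchange described in the replies above, seen from the querying (mail server) side. It sends an RFC 1413 query and reports whether the peer answered, refused at once (RST, the firewall 'reject' case) or stayed silent until the timeout (the 'drop' case). The `ident_query` and `listener` names, the loopback peers and the user name `alice` are constructed for the demonstration.

```python
import socket
import threading
import time

def ident_query(host, our_port, their_port, timeout=5.0, ident_port=113):
    """Ask host's ident service (RFC 1413) who owns their_port -> our_port.

    Returns (outcome, reply, seconds); outcome is 'answered', 'refused'
    (a RST came back at once) or 'timeout' (nothing came back in time).
    """
    start = time.monotonic()
    outcome, reply = "timeout", ""
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            # Query format: <port-on-server> , <port-on-client> CRLF
            s.sendall(f"{their_port} , {our_port}\r\n".encode("ascii"))
            reply = s.recv(1024).decode("ascii", "replace").strip()
            outcome = "answered"
    except ConnectionRefusedError:
        outcome = "refused"
    except (socket.timeout, TimeoutError):
        pass  # packets silently dropped, or the peer never replied
    return outcome, reply, time.monotonic() - start

def listener(reply=None):
    """Constructed loopback peer: sends `reply` once, or stays silent if None."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(reply)
        conn.close()
    if reply is not None:
        threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    answering = listener(b"40000 , 25 : USERID : UNIX : alice\r\n")  # constructed reply
    silent = listener()      # never replies: stands in for a firewall 'drop'
    rejecting = socket.socket()
    rejecting.bind(("127.0.0.1", 0))   # bound, not listening: kernel sends RST
    for name, peer in (("answer", answering), ("reject", rejecting), ("drop", silent)):
        port = peer.getsockname()[1]
        outcome, reply, secs = ident_query("127.0.0.1", 25, 40000, 1.0, port)
        print(f"{name:7} -> {outcome:9} {secs:5.2f}s {reply}")
```

The silent peer completes the TCP handshake and then says nothing, so it only approximates a firewall drop, where the wait happens at connect time instead; the cost to the caller is the same full timeout.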