On 24 Aug 2000, Stephen Swann wrote in fw1-list:
>I'm talking about speeding outbound mail through my firewall. Do
>you mean that the remote mail server holds open the port 25
>connection while it waits on the outcome of its ident query? That
>doesn't sound right to me, but maybe I'm missing something here.
Yes.
The remote mail server sends an ident request immediately after opening
the port 25 connection, even before it sends its first 220 message to
your outgoing mail server:
220 host.dom SMTP Server (softwarename v.v.v.v) ready
Since your outgoing mail server is waiting for that 220 message before
it actually sends its mailpiece, nothing will get sent until the ident
request is answered either with a reply or a reject. A drop will cause
the remote mail server to wait until timeout.
For an example of this delay, compare
telnet mail1.bellatlantic.net 25
to
telnet mail.imtek.com 25
>Basically, as long as the remote server accepts the mail, I don't
>care about whether it (the remote server) then ends up waiting on an
>ident connection timeout. That won't make any difference to the
>speed of my firewall or my (outbound-sending) MTA.
The delay is of course not seen by the user's client, but rather as a
latency between the time X the sending user thinks the mail is gone and
the time Y that the receiving user can read the mail on her screen.
When connecting to certain ftp servers, or to IRC servers[1], the delay
actually is seen by the user's client, since there's no intermediary
local server to take the bullet for you.
>The idea that rejecting ident connections "speeds up mail" seems to
>be a pretty popular idea; I'm just trying to get at how the
>mechanics of this speedup are supposed to work.
HTH. HAND.
Further questions to the clued on this issue:
(1) Does this ident dance actually slow users who send from internal
clients by SMTP to your internal MTA, if their client sends by SMTP?
(2) If so, will putting a preemptive reject rule for IDENTs leaving the DMZ
speed up these local clients as well as external servers sending you
inbound mail?
(3) What the heck is this ident check for, anyway?
Footnotes:
[1] What are your users doing wasting time on IRC anyway? :)
--
Ross Presser * [EMAIL PROTECTED]
A blank is ya know, like, a tab or a space. A name is like wow! a
sequence of ASCII letters, oh, baby, digits, like, or underscores,
fer shure, beginnin' with a letter or an underscore.
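An added example, not part of the original post or the list: a small Python simulation of the three ways the querying MTA's ident connection can be handled (answered with RFC 1413's ERROR : HIDDEN-USER, refused with a TCP RST, or dropped), measuring how long the querying side waits in each case. Everything runs on loopback with constructed port numbers, so an ephemeral port stands in for tcp/113 and the 25/45000 pair in the query is made up.

```python
import socket, threading, time

def parse_ident_request(line):
    """Parse an RFC 1413 query "<server-port> , <client-port>"; return (int, int) or None."""
    try:
        sp, cp = (int(p) for p in line.strip().split(","))
    except ValueError:                      # wrong field count or non-numeric port
        return None
    return (sp, cp) if 0 < sp < 65536 and 0 < cp < 65536 else None

def ident_reply(line):
    """Answer every query with the RFC 1413 HIDDEN-USER error: a reject that still replies."""
    ports = parse_ident_request(line)
    if ports is None:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    return f"{ports[0]} , {ports[1]} : ERROR : HIDDEN-USER\r\n"

def _serve_once(srv, answer):
    # Plays the ident/firewall side: either reply, or (drop mode) read the query and stay silent.
    conn, _ = srv.accept()
    with conn:
        req = conn.recv(512).decode("ascii", "replace")
        if answer:
            conn.sendall(ident_reply(req).encode("ascii"))
        else:
            conn.recv(1)                    # blocks until the querying side gives up and closes

def query_ident(port, timeout):
    """Play the remote MTA: connect, send a query for the constructed 25/45000 pair, time the outcome."""
    t0 = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"25 , 45000\r\n")
            data = s.recv(512).decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        data = "refused (TCP RST)"          # reject: instant, nothing to wait for
    except socket.timeout:
        data = "no answer (timed out)"      # drop: the MTA sits idle for the full timeout
    return time.monotonic() - t0, data

def simulate(mode, timeout=1.0):
    """mode is 'reply', 'reject' or 'drop'; returns (seconds waited, outcome text)."""
    srv = socket.create_server(("127.0.0.1", 0))   # ephemeral loopback port stands in for tcp/113
    port = srv.getsockname()[1]
    if mode == "reject":
        srv.close()                                # nothing listening: the connect is refused at once
        return query_ident(port, timeout)
    threading.Thread(target=_serve_once, args=(srv, mode == "reply"), daemon=True).start()
    result = query_ident(port, timeout)
    srv.close()
    return result
```

Run simulate("reply"), simulate("reject") and simulate("drop", timeout=0.5) to see that only the drop case makes the querying side wait out its timeout.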