I've solved my problem as follows.
My ipf.conf originally was this:
# block everything to start
block in all
block out all
# allow all traffic on localhost
pass in quick on lo0 all
pass out quick on lo0 all
# block nonroutable networks
block in log quick from 192.168.0.0/16 to any
block in log quick from 172.16.0.0/12 to any
block in log quick from 10.0.0.0/8 to any
block in log quick on hme0 from 127.0.0.0/8 to any
block in log quick on hme1 from 127.0.0.0/8 to any
block out log quick from any to 192.168.0.0/16
block out log quick from any to 172.16.0.0/12
block out log quick from any to 10.0.0.0/8
block in log quick all with short
block in log all with ipopts
#block the assholes in china
block in log quick from 211.154.104.85 to any
pass out quick proto tcp from 206.176.249.129/28 to any flags S keep state
pass out quick proto udp from 206.176.249.129/28 to any keep state
#return-rst for ident under solaris
block return-rst in quick proto tcp from any to any port = 113
pass out quick proto tcp from any to any port = 113 flags R/RSFUP
pass in quick proto tcp from any to 206.176.249.129/28 port = 21 flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 25 flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 26 flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 32 flags S keep state
pass in quick proto udp from any to 206.176.249.129/28 port = 53 keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 80 flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 110 flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 143 flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 587 flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 2525 flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port 32768 >< 65535 flags S keep state
pass in quick proto icmp from any to 206.176.249.129/28 icmp-type 0
pass in quick proto icmp from any to 206.176.249.129/28 icmp-type 3
pass in quick proto icmp from any to 206.176.249.129/28 icmp-type 8
pass in quick proto icmp from any to 206.176.249.129/28 icmp-type 11
pass out quick proto icmp from 206.176.249.129/28 to any icmp-type 0
pass out quick proto icmp from 206.176.249.129/28 to any icmp-type 3
pass out quick proto icmp from 206.176.249.129/28 to any icmp-type 8
pass out quick proto icmp from 206.176.249.129/28 to any icmp-type 11
I've fixed the problem by moving
pass out quick proto tcp from 206.176.249.129/28 to any flags S keep state
from the middle to the *bottom* of the ruleset, whilst removing the
flags declaration -
pass out quick proto tcp from 206.176.249.129/28 to any keep state
While I have a vague understanding of why that fixed it, the
important thing is that now mail with attachments can flow through to
the sbcglobal mailservers without any problem at all. Why their
mailservers - and only their mailservers - were sensitive to the
former configuration is a mystery to me. But even as a n00b, it seems
to me it indicates a problem at att/sbcglobal/pacbell, not so much
one on my end. Rather, I've had to modify a previously working
configuration to accommodate whatever (bizarre) problem they have on their end.
Paul Theodoropoulos
http://www.anastrophe.com
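For readers trying to see why the position of that one rule and its `flags S` term change the outcome, here is an added illustration (not code from the poster or from the IPFilter project): a toy simulator of ipf rule evaluation. It models the two mechanics that matter, last-match-wins with `quick` ending the scan, and `keep state` letting later packets of a flow bypass the rules, and runs the two placements of the outbound TCP rule from the post against an outbound SYN, a PSH/ACK segment that has no state entry, and a PSH/ACK segment of a flow whose SYN already passed. The ruleset excerpts, the host and peer addresses, and the treatment of `flags X` with no mask as a check of all six TCP flag bits are assumptions made for the example. It does not claim to explain the sbcglobal behaviour; it only shows that under the original placement an outbound segment that is neither a pure SYN nor covered by state falls through to `block out all`, while the moved rule without `flags` passes it.

```python
"""Toy simulator of IPFilter (ipf) rule evaluation: an added illustration, not
code from the poster or the ipf project. Rules are scanned top to bottom and the
LAST match wins unless the matching rule says 'quick', which stops the scan; a
matching 'pass ... keep state' records the flow so later packets bypass rules.
Handled: action, return-rst, in/out, quick, proto, from/to (CIDR|any), 'port = N',
'port A >< B', 'flags X[/MASK]', 'keep state'; other words are ignored."""
import ipaddress
import re
from collections import namedtuple
from types import SimpleNamespace

TCP_FLAGS = "SAFRPU"  # assumption: 'flags X' with no mask checks all six bits
Packet = namedtuple("Packet", "direction proto src dst sport dport flags")
HEAD = re.compile(r"^(block|pass)(?:\s+return-rst)?\s+(in|out)\b(.*)$")

def to_net(s):
    # strict=False accepts a host address with a prefix, e.g. 206.176.249.129/28
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

def parse_rule(line):
    m = HEAD.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: " + line)
    r = SimpleNamespace(action=m.group(1), direction=m.group(2), text=line.strip(),
                        quick=False, proto=None, src=to_net("any"), dst=to_net("any"),
                        dport=None, flags=None, keep_state=False)
    t, i = m.group(3).split(), 0
    while i < len(t):
        w = t[i]
        if w == "quick":
            r.quick = True
        elif w == "proto":
            r.proto = t[i + 1]; i += 1
        elif w == "from":
            r.src = to_net(t[i + 1]); i += 1
        elif w == "to":
            r.dst = to_net(t[i + 1]); i += 1
        elif w == "port" and t[i + 1] == "=":
            r.dport = (int(t[i + 2]), int(t[i + 2])); i += 2  # inclusive range
        elif w == "port" and t[i + 2] == "><":  # ipf '><' excludes both ends
            r.dport = (int(t[i + 1]) + 1, int(t[i + 3]) - 1); i += 3
        elif w == "flags":  # 'S' or 'R/RSFUP' -> (bits wanted set, bits compared)
            want, _, mask = t[i + 1].partition("/")
            r.flags = (want, mask or TCP_FLAGS); i += 1
        elif w == "keep" and t[i + 1] == "state":
            r.keep_state = True; i += 1
        i += 1
    return r

def matches(r, p):
    if r.direction != p.direction or (r.proto and r.proto != p.proto):
        return False
    sip, dip = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if sip not in r.src or dip not in r.dst:
        return False
    if r.dport and not r.dport[0] <= p.dport <= r.dport[1]:
        return False
    if r.flags:  # every bit in the mask must agree with the wanted set
        want, mask = r.flags
        if p.proto != "tcp" or any((f in p.flags) != (f in want) for f in mask):
            return False
    return True

class Firewall:
    def __init__(self, conf):
        lines = [l.strip() for l in conf.splitlines()]
        self.rules = [parse_rule(l) for l in lines if l and not l.startswith("#")]
        self.state = set()  # flows admitted by a 'keep state' rule

    @staticmethod
    def flow(p):  # direction-independent flow key
        return frozenset([(p.proto, p.src, p.sport), (p.proto, p.dst, p.dport)])

    def filter(self, p):
        """Return (verdict, why); why is 'state', the winning rule, or 'default'."""
        if self.flow(p) in self.state:
            return "pass", "state"
        verdict, winner = "pass", None  # ipf passes a packet that no rule matches
        for r in self.rules:
            if matches(r, p):
                verdict, winner = r.action, r
                if r.quick:
                    break
        if winner and winner.action == "pass" and winner.keep_state:
            self.state.add(self.flow(p))
        return verdict, (winner.text if winner else "default")

# Constructed excerpts: the two placements of the outbound TCP rule from the
# post, with the same 'block all' defaults and one of the inbound rules.
ORIGINAL = """
block in all
block out all
pass out quick proto tcp from 206.176.249.129/28 to any flags S keep state
pass in quick proto tcp from any to 206.176.249.129/28 port = 25 flags S keep state
"""
FIXED = """
block in all
block out all
pass in quick proto tcp from any to 206.176.249.129/28 port = 25 flags S keep state
pass out quick proto tcp from 206.176.249.129/28 to any keep state
"""
HOST, PEER = "206.176.249.130", "198.51.100.25"  # constructed sample addresses

def outbound_verdicts(conf):
    """Verdicts for an outbound SYN, a PSH/ACK segment of a flow with no state
    entry, and (the reason for) a PSH/ACK segment of the flow the SYN opened."""
    fw = Firewall(conf)
    syn = Packet("out", "tcp", HOST, PEER, 40000, 25, "S")
    stray = Packet("out", "tcp", HOST, PEER, 40001, 25, "PA")
    data = Packet("out", "tcp", HOST, PEER, 40000, 25, "PA")
    return fw.filter(syn)[0], fw.filter(stray)[0], fw.filter(data)[1]
```

Calling `outbound_verdicts(ORIGINAL)` gives `("pass", "block", "state")` and `outbound_verdicts(FIXED)` gives `("pass", "pass", "state")`: both placements pass the SYN and then let the rest of that flow through on state, but only the moved rule without `flags S` accepts an outbound segment that has no state entry behind it. A `quick` rule is only reached if nothing earlier matched with `quick`, so moving it to the bottom also lets the `block out log quick` rules for private ranges above it keep precedence.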