On Sun, Jul 18, 1999 at 03:05:17PM +0100, Alan Cox wrote:
> > "So if I have my firewall rules to reject TCP on port 113 (auth/ident),
> > our Digital Unix smtp server spends a long time retrying with the same
> > SYN packet.
> >
> > The net result is that sending mail takes ages, because the remote smtp
> > server won't accept mail until the connection to my port 113 times out."
>
> The digital setup is broken then. Note that ICMP is _optional_ even. You
> shouldn't use ident when doing SMTP, that's plain *dumb*. Ident provides no
> security information of any value and is likely to cause unmailable sites
> due to long timeouts.

Right. Doing an SMTP server implementation that does ident
queries without a shortish timeout on the ident is stupid.
My ZMailer can be configured to do ident lookups, and
if it is turned on, it has a 6 second timeout to complete the
entire connection + query manoeuvre.

Oddly, running a mailer with active, widely used lists on
DEC Tru64 with a local ident server replying (supposedly)
where the connections are coming from did (three years
ago) cost the system all its available processing power
(walking through /dev/kmem meant something like 60 000 system
calls to do *one* resolving...)

This only tells that on Linux the ident lookup is *cheap*,
which isn't true on all platforms.

> There are several sites that mail from me to them just fails due to this. I
> no longer care about their flawed setup.
>
> Alan
/Matti Aarnio <[EMAIL PROTECTED]>
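
The bounded ident lookup described in this message (one time budget covering connection plus query), as an added example that is not ZMailer's code and not part of the original post. The function names and the `budget` and `ident_port` parameters are assumptions; the 6 second default mirrors the figure quoted above, and the query and reply syntax follow RFC 1413.

```python
import socket
import time

def parse_ident_reply(line, their_port, our_port):
    """Return the user id from an RFC 1413 reply line, else None."""
    parts = line.strip().split(":", 3)
    # "ports : ERROR : reason" has only three fields and is rejected here too.
    if len(parts) != 4 or parts[1].strip().upper() != "USERID":
        return None
    try:
        ports = tuple(int(p) for p in parts[0].split(","))
    except ValueError:
        return None
    if ports != (their_port, our_port):   # reply is about some other connection
        return None
    return parts[3].strip() or None

def ident_lookup(peer_ip, their_port, our_port, budget=6.0, ident_port=113):
    """Ask peer_ip's ident server who owns their_port -> our_port.

    One budget covers connect, send and read together. Returns None on any
    failure, so the caller carries on with the SMTP session regardless.
    """
    deadline = time.monotonic() + budget

    def arm(sock):
        left = deadline - time.monotonic()
        if left <= 0:
            raise socket.timeout("ident budget exhausted")
        sock.settimeout(left)

    buf = b""
    try:
        # A dropped SYN to port 113 stalls here, but only until the budget ends;
        # a rejected one fails at once. peer_ip should be an address literal.
        with socket.create_connection((peer_ip, ident_port), timeout=budget) as s:
            arm(s)
            s.sendall(f"{their_port}, {our_port}\r\n".encode("ascii"))
            while b"\n" not in buf and len(buf) < 1000:   # RFC 1413 line limit
                arm(s)
                chunk = s.recv(1000 - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError:   # covers timeouts, refusals and unreachable hosts
        return None
    if b"\n" not in buf:   # peer closed or overran the limit without a full line
        return None
    first = buf.split(b"\n", 1)[0].decode("ascii", "replace")
    return parse_ident_reply(first, their_port, our_port)
```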