Re: [mailop] SMTP Submission issues with latest macOS Mail.app

Tue, 18 Feb 2025 19:49:37 -0800 

On 2/18/25 16:59, Mark Delany via mailop wrote:

Turns out that small attachments work, but...


Okay.


Good tip. That shows the client sending the full SMTP transaction but 
only the first 'n' bytes are making it to the server which in turned 
led us to take a closer look at the network traffic and...



I had a thought when i read your original post, and now it's louder in 
my head after reading that.  (More below.)



...it turns out to be an asymmetric routing issue.


What?!


We'd recently added an additional route to the submission server and 
an unintended side-effect is that the output part of the submission 
traffic is now sent out one interface and the input part is coming 
in on another interface - for an infrequently used client subnet.


Hum....


As to why this is causing a problem, I don't yet know, but clearly one 
of the stacks doesn't like it,


Check the MTU of the links.  Maybe play with MSS as a diagnostic aid.


I've run into problems, particularly with encrypted traffic, where 
packets that the client sends don't make it to the server.



or maybe a firewall state is dropping packets.



Maybe.  But I'd expect the problematic original attachment to sometimes 
work and sometimes fail if it was a firewall (state) problem.


I'd also expect the same results for different sized attachments -> packets.


I guess the firewall could be doing things like filtering ICMP and 
interfering with Path MTU discovery.



In any event there is now a root cause to work on which is not mail 
related.



If it is MTU, then messing with MSS (on the server) can be a wonderful 
diagnostic tool if not part of the solution.



N.B. you will probably want to mess with MSS on both inbound and 
outbound packets on the server.  --  Thankfully iptables (and I assume 
the likes) make it easy to selectively modify MSS based on things like 
client IP while not doing it to other clients.



A reminder of that old advice, always be suspicious of recent changes, 
regardless of how innocent or irrelevant they may seem.


Yep.

Trust, but VERIFY!!!



--
Grant. . . .
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop






















					Reply via email to