On Thu, 29 Jul 2004 02:17:46 -0600, jared r r spiegel wrote: >On Wed, Jul 28, 2004 at 12:44:34PM -0700, [EMAIL PROTECTED] wrote: >> >> I have a mail server behind a obsd 3.5 firewall and I am having timeout errors >> when I try and send an email with a large (5MB or greater) attachment. > > i would have the knee-jerk reaction that this is not due to pf. > >> So the actual scenario is a user using Outlook, ><snip> >> after about 3 minutes, the user gets an error saying that the >> connection to the server was terminated. > > afair, msimn and outlook both have a 3m timeout by default. i cannot > say i remember for certain if it has to do with only sending or only > receiving or both. it is a slider on the advanced tab of the account > settings for the servers in question ( on the msimn/outlook ). it may > be worth your time to set it to "Long" ( iirc, 5m ) to eliminate that > variable from the equation ( or at least see if now the timeout is 5m.... ) > > if the user is virus-scanning outgoing messages via program on their > machine, turn that off, and to be safe, utterly exit / endtask the > antivirus app. > > if testing the scenario with pf removed from the equation ( eg: a pf.conf > with as minimal hands-off ruleset as possible: "pass all" and whatever > natting you _need_ to do ) is not possible in your scenario, test > a different mailing client on the user's PC. > > i would hope that their mail client would only generate a timeout if > and only if they heard nothing back from the other end of the xfer > ( the smtp/pop3/imap server ). so unless you were, in pf, somehow > blocking a certain reply from the server ( unlikely ), it is probably > somewhere else to look for the source of problems. > > msimn/outlook have abilities to turn on logging. this may be of some > small value to you here too. > > i've got $1 who says it's not pf. > >> Here is (what I believe) are the pertinent rules: > > i may suggest that if you are not _CERTAIN_ what the pertinent rules > are, to post at least the entire pf.conf - if for no other reason > as so show respect to people whom you are asking to help. openbsd > list readers have rightful grounds to be !polite if people do not > provide to them the thorough scenario. > >> Any suggestions on what I might try and/or how to debug would be great! >> Thanks! > > other than what i say above, get rid of 'flags S/SA'. if there is > some proxying antivirus program on the user's PC, who can say for certain > that between the antivirus and the outlook, one might send and F before > the other thinks something is done? windows antivirus programs are, > each one of them, prone to not working _right now_, *regardless* of > "it was working fine yesterday". > > jared
I agree with jared on this and would like to suggest that NAV running on the WinClient is the worst dumb POS I have ever had this misfortune to have to deal with. It can only do the most elementary smtp and pop transactions and fails miserably on anything else. If that is on the target don't come back here until it has been absolutely killed and you still have a problem. Back in the genuine DOS days Peter Norton had a good name. He should be suing Symantec for the shit his name is getting due to their stupidity. We use F-prot on win boxes. It costs $20USD for up to 10 and $2 per box after IIRC and we have very little in the way of support issues - nobody is perfect, this comes close. Given that NAV comes free (=included in the price!) why would we go to the trouble of uninstalling it and paying for another if NAV was any good? >From the land "down under": Australia. Do we look <umop apisdn> from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
