On 03.02.2012 21:32, Alex wrote:
> Hi,
> 
>>> I had previously done something like this with iptables, but it was
>>> mostly ineffective:
>>>
>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 20 --hitcount 5 -j DROP
>>
>> why in the world do you DROP here instead of notifying the remote
>> machine with REJECT that you did not accept the connection?
> 
> I thought this would cause the sending side to requeue the message
> then retry later.

and what do you think your DROP does after the remote server
has finally timed out? the same, but with an ugly behavior!

SMTP servers will ALWAYS try again as long as no SMTP SERVER answers
with a 5xx code, by design, because what you do with iptables is
producing a network error for the other side, nothing more and nothing less
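The rule pair quoted above and the retry behaviour described in this reply, as an added example that is not part of the thread: a small Python model of the `-m recent --update --seconds 20 --hitcount 5` window for one source address, plus a count of what a DROP versus a REJECT costs the sending MTA. It is not the kernel's xt_recent code; the window semantics are simplified, and the 30 s connect timeout, the burst timing and the address 198.51.100.7 are constructed assumptions.

```python
"""Simplified model of the rule pair quoted in the thread and of the cost it
imposes on the sending MTA.  Not the kernel's xt_recent implementation; the
timeout, burst timing and source address are constructed for this example."""
from collections import deque

CONNECT_TIMEOUT = 30.0  # constructed: seconds a sender waits on a SYN that was DROPped


class RecentLimiter:
    """Approximates, for one source address,

        -m recent --update --seconds S --hitcount N -j DROP   (checked first)
        -m recent --set                                       (records the hit)

    A new connection is limited when at least N earlier connections from the
    same source fall inside the last S seconds; every connection is recorded."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = {}  # src -> deque of arrival times still inside the window

    def new_connection(self, src, now):
        """Return True when the --hitcount rule would fire for this connection."""
        hits = self.stamps.setdefault(src, deque())
        while hits and now - hits[0] >= self.seconds:  # expire stamps outside the window
            hits.popleft()
        limited = len(hits) >= self.hitcount
        hits.append(now)  # the --set rule (or the matching --update) records this hit
        return limited


def run_burst(action, arrival_times, src="198.51.100.7", seconds=20, hitcount=5):
    """One remote MTA opens a connection at each time in arrival_times.

    Returns how many connections were accepted, how many the remote had to
    defer (requeue), and how many seconds the remote spent waiting on
    connections that got no answer at all.  DROP and REJECT both end in a
    deferral; only an SMTP 5xx reply, which a firewall rule cannot produce,
    would make the remote bounce the message instead of retrying."""
    if action not in ("DROP", "REJECT"):
        raise ValueError("firewall action must be DROP or REJECT")
    limiter = RecentLimiter(seconds, hitcount)
    accepted = deferred = 0
    stalled = 0.0
    for t in arrival_times:
        if limiter.new_connection(src, t):
            deferred += 1
            if action == "DROP":
                # Silence: the remote retransmits its SYN until its own timeout expires.
                stalled += CONNECT_TIMEOUT
            # REJECT: a TCP RST / ICMP error arrives at once; the remote defers immediately.
        else:
            accepted += 1
    return {"accepted": accepted, "deferred": deferred, "stalled_seconds": stalled}


if __name__ == "__main__":
    burst = [0, 1, 2, 3, 4, 5, 6, 7]  # constructed: eight connections in eight seconds
    for act in ("DROP", "REJECT"):
        print(act, run_burst(act, burst))
```

Both actions defer the same three connections of the burst; the difference is that with DROP the remote sits through its connect timeout on each of them before requeueing, while with REJECT it learns immediately and moves on.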
