Re: [mailop] Anyone from Yahoo - icmpv6 filtering breaks login.yahoo.com MTU detection
It is also common when people convert their ACL from IPv4 to IPv6 to forget to add a rule for PTB in their IPv6 ACLs...

I would also suggest using tracepath(6) for debugging, as it factors in the port you want to reach and will try to detect the pmtu. You may find where the packet gets dropped this way.

On Mon, Nov 21, 2016 at 1:09 AM, Vladimir Dubrovin via mailop <mailop@mailop.org> wrote:

> This problem is neither new nor specific to Yahoo or IPv6 and is usually
> referred to as "blackhole router". ICMPv4 "Fragmentation Needed" (type 3
> code 4) / ICMPv6 "Packet Too Big" (type 2) *are required* for path MTU
> discovery and should never be filtered. The only reason it doesn't strike
> you with different servers is it's highly recommended for public servers to
> set MaxMTU lower than 1500 (typically 1400 or so, or more exactly TCP MSS
> is usually set to corresponding value), because there are a lot of users
> with misconfigured routers and firewalls.
>
> 18.11.2016 22:58, Carl Byington wrote:
>
> > https://login.yahoo.com
> >
> > If you have IPv6 connectivity thru a tunnel, with a smaller MTU, that
> > will fail. With a 1500 byte MTU, it works. The TCP handshake works - it
> > then hangs during the TLS handshake which sends full size packets.
> >
> > echo -e 'GET / HTTP/1.0\n' | \
> > openssl s_client -servername login.yahoo.com -ign_eof -connect \
> > '[2001:4998:c:e33::50]:443'
> >
> > Please stop filtering icmpv6 packets going to your servers.
>
> --
> Vladimir Dubrovin
> @Mail.Ru

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
[mailop] Cisco / SenderBase support filtering
>: host vmx.sco.cisco.com[184.94.241.135] refused to
> talk to me: 554-vmx.sco.cisco.com 554 Your access to this mail system has
> been rejected due to the sending MTA's poor reputation. If you believe that
> this failure is in error, please contact the intended recipient via
> alternate means.

No shit, that's why I opened a support ticket.
Re: [mailop] Anyone from Yahoo - icmpv6 filtering breaks login.yahoo.com MTU detection
This problem is neither new nor specific to Yahoo or IPv6 and is usually referred to as "blackhole router". ICMPv4 "Fragmentation Needed" (type 3 code 4) / ICMPv6 "Packet Too Big" (type 2) *are required* for path MTU discovery and should never be filtered. The only reason it doesn't strike you with different servers is it's highly recommended for public servers to set MaxMTU lower than 1500 (typically 1400 or so, or more exactly TCP MSS is usually set to corresponding value), because there are a lot of users with misconfigured routers and firewalls.

18.11.2016 22:58, Carl Byington wrote:

> https://login.yahoo.com
>
> If you have IPv6 connectivity thru a tunnel, with a smaller MTU, that
> will fail. With a 1500 byte MTU, it works. The TCP handshake works - it
> then hangs during the TLS handshake which sends full size packets.
>
> echo -e 'GET / HTTP/1.0\n' | \
> openssl s_client -servername login.yahoo.com -ign_eof -connect \
> '[2001:4998:c:e33::50]:443'
>
> Please stop filtering icmpv6 packets going to your servers.

--
Vladimir Dubrovin
@Mail.Ru
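
Added example, not part of the original thread or written by its participants: a small Python audit for the case raised above, an IPv4 ACL converted to IPv6 without a Packet Too Big rule. It walks an ip6tables-save style dump and reports the verdict for an inbound ICMPv6 type 2 packet; the function name ptb_verdict and both rulesets are constructed for illustration, and the packet is assumed to relate to a tracked flow (conntrack state RELATED).

```python
import shlex

PTB_TYPES = {"2", "2/0", "packet-too-big"}
ICMP6_PROTOS = {"ipv6-icmp", "icmpv6", "58", "all"}
MODELLED = {"-p", "-m", "-j", "--icmpv6-type", "--ctstate", "--state", "--reject-with"}

def ptb_verdict(ruleset, chain="INPUT"):
    """First-match walk of one chain for an inbound ICMPv6 Packet Too Big that
    conntrack classifies as RELATED. Returns (verdict, deciding rule line)."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]                      # e.g. ":INPUT DROP [0:0]"
        if tok[:2] != ["-A", chain]:
            continue
        if "!" in tok:
            raise ValueError("negated matches are not modelled: " + line)
        rule = dict(zip(tok[2::2], tok[3::2]))   # option/value pairs
        target = rule.get("-j")
        if target not in ("ACCEPT", "DROP", "REJECT"):
            continue                             # LOG / user-chain jumps are not followed
        if rule.get("-p", "all") not in ICMP6_PROTOS:
            continue
        if rule.get("--icmpv6-type", "2") not in PTB_TYPES:
            continue
        state = rule.get("--ctstate", rule.get("--state", "RELATED"))
        if "RELATED" not in state.split(","):
            continue
        narrowed = set(rule) - MODELLED          # -s, -i, ...: rule covers only some PTBs
        if narrowed and target == "ACCEPT":
            continue                             # pessimistic: narrowed ACCEPT not counted
        return target, line
    return policy, "policy"

# Constructed sample: an IPv4 ACL carried over to IPv6 without a PTB rule.
CONVERTED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
# Constructed sample: same ACL with an explicit Packet Too Big (type 2) accept.
FIXED = CONVERTED.replace(
    "-A INPUT -p tcp", "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT\n-A INPUT -p tcp")

if __name__ == "__main__":
    for name, rules in (("converted", CONVERTED), ("fixed", FIXED)):
        print(name, ptb_verdict(rules))
```

A rule that accepts conntrack state RELATED,ESTABLISHED also lets the PTB through, which is why the converted sample, matching ESTABLISHED only, falls through to the DROP policy.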