FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 10-14-2008, 01:13 PM
"Sean Carolan"
 
Default Sendmail and pmtu discovery

We have an issue with some customers who refuse to accept ICMP traffic
to their mail servers. It seems that they have put Mordac, preventer
of information services in charge of their firewall policy
(http://en.wikipedia.org/wiki/List_of_minor_characters_in_Dilbert#Mordac).

My mail logs are showing that customers who specifically disallow ICMP
traffic have many "Connection Reset" entries in our logs:

Oct 14 08:00:50 mailsrv sendmail[2024]: m9ED0Yf5002021:
to=<customername@customer.org>, delay=00:00:16, xdelay=00:00:16,
mailer=esmtp, pri=42476, relay=mail.customer.org. [XX.XX.XX.XX],
dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.org.

I have disabled pmtu discovery on our routers as well as on all our
outbound mail servers. Is there anything else I can do on our side to
help the situation?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-14-2008, 01:24 PM
Ralph Angenendt
 
Default Sendmail and pmtu discovery

Sean Carolan wrote:
> We have an issue with some customers who refuse to accept ICMP traffic
> to their mail servers. It seems that they have put Mordac, preventer
> of information services in charge of their firewall policy
> (http://en.wikipedia.org/wiki/List_of_minor_characters_in_Dilbert#Mordac).

BUT ICMP IS BAD!!!!!¡¡¡¡¡

> My mail logs are showing that customers who specifically disallow ICMP
> traffic have many "Connection Reset" entries in our logs:
>
> Oct 14 08:00:50 mailsrv sendmail[2024]: m9ED0Yf5002021:
> to=<customername@customer.org>, delay=00:00:16, xdelay=00:00:16,
> mailer=esmtp, pri=42476, relay=mail.customer.org. [XX.XX.XX.XX],
> dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.org.
>
> I have disabled pmtu discovery on our routers as well as on all our
> outbound mail servers. Is there anything else I can do on our side to
> help the situation?

So you basically broke your internet connection because of stupid
customers? No, there isn't anything you can do on your side - especially
if you don't know how large their MTU is set (which you cannot discover,
as they forbid you to do so). So you can only hope that you get exactly
the same MTU as they have (and that there is nothing inbetween which has
a lower MTU).

It is their problem. If they don't want to play by the rules, they
should have to sit out the problems they themselves created.

Ralph
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-14-2008, 02:31 PM
Kai Schaetzl
 
Default Sendmail and pmtu discovery

Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:

> My mail logs are showing that customers who specifically disallow ICMP
> traffic have many "Connection Reset" entries in our logs:

Could somebody explain why ICMP might play a role in mail delivery?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-14-2008, 02:51 PM
"nate"
 
Default Sendmail and pmtu discovery

Kai Schaetzl wrote:
> Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:
>
>> My mail logs are showing that customers who specifically disallow ICMP
>> traffic have many "Connection Reset" entries in our logs:
>
> Could somebody explain why ICMP might play a role in mail delivery?

It doesn't really. If the OP had PMTU discovery turned on it
would affect most all communications not just email. I can't
ever remember having it on for external networks, there's
never been a need in my case.

It's just likely that the only communications between the OP's
systems and the other side was email.

nate

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-14-2008, 02:58 PM
"David Dyer-Bennet"
 
Default Sendmail and pmtu discovery

On Tue, October 14, 2008 09:31, Kai Schaetzl wrote:
> Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:
>
>> My mail logs are showing that customers who specifically disallow ICMP
>> traffic have many "Connection Reset" entries in our logs:
>
> Could somebody explain why ICMP might play a role in mail delivery?

ICMP is involved in IP routing, including MTU discovery, announcing failed
connections, and so forth. Email is delivered over IP. QED.

--
David Dyer-Bennet, dd-b@dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-14-2008, 03:01 PM
Paul Bijnens
 
Default Sendmail and pmtu discovery

On 2008-10-14 16:31, Kai Schaetzl wrote:

Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:


My mail logs are showing that customers who specifically disallow ICMP
traffic have many "Connection Reset" entries in our logs:


Could somebody explain why ICMP might play a role in mail delivery?


Any host may reply to a IP-datagram (tcp included) with e.g. ICMP type 3,
code 4 "datagram too large" and indicating the maximum size in the ICMP reply.

Disallowing these ICMP packets can result in a TCP handshake that
succeeds, but hangs when the next packets with real data are blocked.

http://en.wikipedia.org/wiki/PMTUD



--
Paul Bijnens, xplanation Technology Services Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens@xplanation.com
************************************************** *********************
* I think I've got the hang of it now: exit, ^D, ^C, ^, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X, :, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ... "Are you sure?" ... YES ... Phew ... I'm out *
************************************************** *********************
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-14-2008, 03:09 PM
Les Mikesell
 
Default Sendmail and pmtu discovery

Kai Schaetzl wrote:



My mail logs are showing that customers who specifically disallow ICMP
traffic have many "Connection Reset" entries in our logs:


Could somebody explain why ICMP might play a role in mail delivery?


It is required for any TCP conversation, unless as a matter of luck you
happen to have the same MTU capability across the whole path - or the
end points restrict their MTUs arbitrarily to a size that everything can
handle.


--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-14-2008, 03:24 PM
Ralph Angenendt
 
Default Sendmail and pmtu discovery

Kai Schaetzl wrote:
> Sean Carolan wrote on Tue, 14 Oct 2008 08:13:34 -0500:
>
> > My mail logs are showing that customers who specifically disallow ICMP
> > traffic have many "Connection Reset" entries in our logs:
>
> Could somebody explain why ICMP might play a role in mail delivery?

If you don't know the smallest MTU on the path to the mail server, you
might not be able to send packets over that path, especially if DF is
set.

Ralph
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 11:26 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org