Old 10-14-2008, 04:40 PM
Scott Silva
 
Default Sendmail and pmtu discovery

on 10-14-2008 6:24 AM Ralph Angenendt spake the following:
> Sean Carolan wrote:
>> We have an issue with some customers who refuse to accept ICMP traffic
>> to their mail servers. It seems that they have put Mordac, preventer
>> of information services in charge of their firewall policy
>> (http://en.wikipedia.org/wiki/List_of_minor_characters_in_Dilbert#Mordac).
>
> BUT ICMP IS BAD!!!!!¡¡¡¡¡
>
>> My mail logs are showing that customers who specifically disallow ICMP
>> traffic have many "Connection Reset" entries in our logs:
>>
>> Oct 14 08:00:50 mailsrv sendmail[2024]: m9ED0Yf5002021:
>> to=<customername@customer.org>, delay=00:00:16, xdelay=00:00:16,
>> mailer=esmtp, pri=42476, relay=mail.customer.org. [XX.XX.XX.XX],
>> dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.org.
>>
>> I have disabled pmtu discovery on our routers as well as on all our
>> outbound mail servers. Is there anything else I can do on our side to
>> help the situation?
>
> So you basically broke your internet connection because of stupid
> customers? No, there isn't anything you can do on your side - especially
> if you don't know how large their MTU is set (which you cannot discover,
> as they forbid you to do so). So you can only hope that you get exactly
> the same MTU as they have (and that there is nothing inbetween which has
> a lower MTU).
>
> It is their problem. If they don't want to play by the rules, they
> should have to sit out the problems they themselves created.
>
Sometimes you can't be so hard headed when you are dealing with customers. You
usually are trying to get them to give money to YOU, not your competitor.

If I told my customers that "It is your problem", I would no longer have
customers to worry about!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-14-2008, 05:31 PM
Kai Schaetzl
 
Default Sendmail and pmtu discovery

Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:

> If you don't know the smallest MTU on the path to the mail server, you
> might not be able to send packets over that path, especially if DF is
> set.

But if it's not set? Shouldn't most devices have it not set?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



 
Old 10-14-2008, 05:42 PM
Les Mikesell
 
Default Sendmail and pmtu discovery

Kai Schaetzl wrote:
> Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:
>
>> If you don't know the smallest MTU on the path to the mail server, you
>> might not be able to send packets over that path, especially if DF is
>> set.
>
> But if it's not set? Shouldn't most devices have it not set?

Routers should fragment as needed and the receiving stack will
reassemble. Windows tends to set DF on a lot of packets unnecessarily.


--
Les Mikesell
lesmikesell@gmail.com
 
Old 10-14-2008, 05:47 PM
"David Dyer-Bennet"
 
Default Sendmail and pmtu discovery

On Tue, October 14, 2008 12:31, Kai Schaetzl wrote:
> Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:
>
>> If you don't know the smallest MTU on the path to the mail server, you
>> might not be able to send packets over that path, especially if DF is
>> set.
>
> But if it's not set? Shouldn't most devices have it not set?

Yes, most devices should fragment if necessary (DF not set).

Most devices should also pass/accept ICMP messages relating to their
connections. Deliberately configuring them not to is asking for trouble;
those messages are part of the protocol for a reason.

(Fragmentation introduces more work and effectively many more lost packets
in most setups, so the flow will be jumpy and less efficient even if it
mostly works.)

--
David Dyer-Bennet, dd-b@dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info

 
Old 10-14-2008, 06:50 PM
Ralph Angenendt
 
Default Sendmail and pmtu discovery

Scott Silva wrote:
> on 10-14-2008 6:24 AM Ralph Angenendt spake the following:
>
> > So you basically broke your internet connection because of stupid
> > customers? No, there isn't anything you can do on your side -
> > especially if you don't know how large their MTU is set (which you
> > cannot discover, as they forbid you to do so). So you can only hope
> > that you get exactly the same MTU as they have (and that there is
> > nothing inbetween which has a lower MTU).
> >
> > It is their problem. If they don't want to play by the rules, they
> > should have to sit out the problems they themselves created.
>
> Sometimes you can't be so hard headed when you are dealing with
> customers. You usually are trying to get them to give money to YOU,
> not your competitor.
>
> If I told my customers that "It is your problem", I would no longer
> have customers to worry about!

But your competitor wouldn't be able to send them mails either

As said, they deliberately broke their internet connection, so there isn't
much you can do except setting your MTU to an extremely low value and hope
that there's nothing in between which has an even lower MTU.

So your best choice would be to do some consulting and give them some advice
on what they did wrong and how they can selectively block ICMP types (for
example redirect and such).

Cheers,

Ralph
 
Old 10-14-2008, 06:56 PM
Ralph Angenendt
 
Default Sendmail and pmtu discovery

Kai Schaetzl wrote:
> Ralph Angenendt wrote on Tue, 14 Oct 2008 17:24:08 +0200:
>
> > If you don't know the smallest MTU on the path to the mail server, you
> > might not be able to send packets over that path, especially if DF is
> > set.
>
> But if it's not set? Shouldn't most devices have it not set?

Fragmentation is bad. That's why you do PMTUD - to see which is the lowest
MTU in the path. You then set your packet sizes accordingly and set the DF
bit. If the lowest MTU in the path changes to an even lower one you get an
error and can continue with smaller packet sizes.

If you disallow PMTUD - well, you're asking for trouble

<http://www.znep.com/~marcs/mtu/> has a rather good discussion about that.

Ralph
 
Old 10-14-2008, 06:59 PM
"Sean Carolan"
 
Default Sendmail and pmtu discovery

Thanks for the information. If I understand this correctly, the
client would have to convince the owner of each and every router hop
along the way to disable PMTU discovery if he insists on dropping all
ICMP packets?

And Scott hit the nail on the head with this comment:

> Sometimes you can't be so hard headed when you are dealing with customers. You
> usually are trying to get them to give money to YOU, not your competitor.

> If I told my customers that "It is your problem", I would no longer have
> customers to worry about!

If you've ever dealt with one of these paranoid Mordac-type
security managers you know exactly what I'm talking about. In our
case the path of least resistance was to disable pmtu discovery, and
tell the customer that we've done all we possibly can to alleviate the
issue on our end. Hopefully they come to their senses and allow ICMP
packets like every major ISP and mail provider on the Internet.
 
Old 10-14-2008, 07:08 PM
Les Mikesell
 
Default Sendmail and pmtu discovery

Ralph Angenendt wrote:
> As said, they deliberately broke their internet connection, so there isn't
> much you can do except setting your MTU to an extremely low value and hope
> that there's nothing in between which has an even lower MTU.

It doesn't have to be extremely low, it just has to be low enough. The
usual reason for needing to be less than the 1500 bytes permitted by
ethernet would be using some sort of tunnel protocol for PPPoE or a VPN.
1460 might keep everybody happy.


--
Les Mikesell
lesmikesell@gmail.com

 
Old 10-14-2008, 07:25 PM
Ralph Angenendt
 
Default Sendmail and pmtu discovery

Les Mikesell wrote:
> Ralph Angenendt wrote:
>>
>> As said, they deliberately broke their internet connection, so there isn't
>> much you can do except setting your MTU to an extremely low value and
>> hope that there's nothing in between which has an even lower MTU.
>
> It doesn't have to be extremely low, it just has to be low enough. The
> usual reason for needing to be less than the 1500 bytes permitted by
> ethernet would be using some sort of tunnel protocol for PPPoE or a VPN.
> 1460 might keep everybody happy.

Might being the operative word here, yes.

Ralph
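
The mechanism argued over in the posts above, as an added toy model in Python (not code from any poster): a sender doing PMTUD with DF set, routers that either fragment or answer with ICMP "fragmentation needed", and what happens when that ICMP never reaches the sender or a fixed packet size is guessed instead. The path MTUs, the function names and the three-timeout limit are assumptions chosen for illustration.

```python
IP_HDR = 20  # bytes of IPv4 header (no options)

def fragment(size, mtu):
    """Split one IPv4 packet of `size` bytes into fragments that fit `mtu`."""
    payload = size - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8  # fragment offsets count 8-byte units
    sizes = []
    while payload > chunk:
        sizes.append(chunk + IP_HDR)
        payload -= chunk
    sizes.append(payload + IP_HDR)
    return sizes

def send(size, path_mtus, df, icmp_reaches_sender):
    """Forward one packet hop by hop and return (outcome, detail)."""
    packets = [size]
    for mtu in path_mtus:
        if max(packets) <= mtu:
            continue
        if df:
            # The router drops the packet and emits ICMP type 3 code 4
            # ("fragmentation needed and DF set") carrying its own MTU.
            if icmp_reaches_sender:
                return ("frag-needed", mtu)
            return ("blackhole", None)  # the sender only sees a timeout
        packets = [f for p in packets
                   for f in (fragment(p, mtu) if p > mtu else [p])]
    return ("delivered", packets)

def pmtud(size, path_mtus, icmp_reaches_sender, max_timeouts=3):
    """Sender with DF always set: shrink on frag-needed, give up on silence."""
    sends = timeouts = 0
    while timeouts < max_timeouts:
        sends += 1
        outcome, detail = send(size, path_mtus, True, icmp_reaches_sender)
        if outcome == "delivered":
            return size, sends
        if outcome == "frag-needed":
            size = detail
        else:
            timeouts += 1
    return None, sends

PATH = [1500, 1492, 1400]  # constructed path: Ethernet, PPPoE, a tunnel

if __name__ == "__main__":
    print(pmtud(1500, PATH, True))    # discovery converges on the path MTU
    print(pmtud(1500, PATH, False))   # ICMP filtered: full-size packets vanish
    print(pmtud(500, PATH, False))    # small packets still pass
    print(pmtud(1460, PATH, False))   # a guessed fixed size can still be too big
    print(send(1500, PATH, False, False))  # DF clear: routers fragment instead
```
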
 
Old 10-14-2008, 09:18 PM
mouss
 
Default Sendmail and pmtu discovery

Sean Carolan wrote:
> We have an issue with some customers who refuse to accept ICMP traffic
> to their mail servers. It seems that they have put Mordac, preventer
> of information services in charge of their firewall policy
> (http://en.wikipedia.org/wiki/List_of_minor_characters_in_Dilbert#Mordac).
>
> My mail logs are showing that customers who specifically disallow ICMP
> traffic have many "Connection Reset" entries in our logs:
>
> Oct 14 08:00:50 mailsrv sendmail[2024]: m9ED0Yf5002021:
> to=<customername@customer.org>, delay=00:00:16, xdelay=00:00:16,
> mailer=esmtp, pri=42476, relay=mail.customer.org. [XX.XX.XX.XX],
> dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.org.
>
> I have disabled pmtu discovery on our routers as well as on all our
> outbound mail servers. Is there anything else I can do on our side to
> help the situation?


Consider setting a small MTU (or MSS, ....) for the borked networks
instead of changing your setup globally. Something like:

ip route add 192.0.2.0/24 via 10.0.0.1 mtu 1000







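
One way to find which destinations would need the per-route MTU suggested above, as an added Python example that is not from the thread: count "Connection reset" deferrals per relay in the sendmail log and emit an ip route line for each repeat offender. The log lines are constructed in the format Sean quoted; the threshold of two resets and the function names are assumptions, and the gateway and MTU defaults are the ones in the command above.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses, made-up queue IDs).
SAMPLE_LOG = """\
Oct 14 08:00:50 mailsrv sendmail[2024]: m9ED0Yf5002021: to=<a@customer.example>, delay=00:00:16, xdelay=00:00:16, mailer=esmtp, pri=42476, relay=mail.customer.example. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.example.
Oct 14 08:05:12 mailsrv sendmail[2031]: m9ED4Kf5002029: to=<b@customer.example>, delay=00:00:17, xdelay=00:00:17, mailer=esmtp, pri=51220, relay=mail.customer.example. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.example.
Oct 14 08:07:40 mailsrv sendmail[2040]: m9ED7Af5002038: to=<c@customer.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30412, relay=mail.customer.example. [192.0.2.25], dsn=2.0.0, stat=Sent (ok)
Oct 14 08:09:03 mailsrv sendmail[2044]: m9ED8xf5002042: to=<d@other.example>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=48810, relay=mx.other.example. [198.51.100.7], dsn=2.0.0, stat=Sent (250 2.0.0 OK)
Oct 14 08:11:31 mailsrv sendmail[2050]: m9EDBFf5002048: to=<e@third.example>, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=39001, relay=mx.third.example. [203.0.113.9], dsn=4.0.0, stat=Deferred: Connection reset by mx.third.example.
Oct 14 08:20:02 mailsrv sendmail[2061]: m9EDJif5002059: to=<a@customer.example>, delay=00:19:28, xdelay=00:00:16, mailer=esmtp, pri=132476, relay=mail.customer.example. [192.0.2.25], dsn=4.0.0, stat=Deferred: Connection reset by mail.customer.example.
"""

# Matches the delivery ("to=") record of a sendmail log entry.
LINE = re.compile(
    r"sendmail\[\d+\]: \w+: to=.*?relay=\S+ "
    r"\[(?P<ip>[\d.]+)\], dsn=[\d.]+, stat=(?P<stat>.*)$"
)

def reset_suspects(log_text, min_resets=2):
    """Return {relay_ip: (resets, sent)} for relays that reset repeatedly.

    A reset is only a hint; these are candidates to investigate, not proof
    of a PMTU black hole.
    """
    resets, sent = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["stat"].startswith("Deferred: Connection reset by"):
            resets[m["ip"]] += 1
        elif m["stat"].startswith("Sent"):
            sent[m["ip"]] += 1
    return {ip: (n, sent[ip]) for ip, n in resets.items() if n >= min_resets}

def route_commands(suspects, gateway="10.0.0.1", mtu=1000):
    """Build one host route per suspect, leaving the global MTU untouched."""
    return [f"ip route add {ip}/32 via {gateway} mtu {mtu}"
            for ip in sorted(suspects)]

if __name__ == "__main__":
    found = reset_suspects(SAMPLE_LOG)
    print(found)
    print("\n".join(route_commands(found)))
```
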
 
