SMTP Server Timeouts/Failures/Numerous Processes

In this scenario, you have just configured a mail server behind a Masquerading/NAT firewall, and now the mail server is manifesting issues with timeouts to some but not all external mail servers. Further, this issue might also result in an MTA with hundreds of open processes for incoming messages, running for several hours (reported on sendmail). When the server is connected directly to the Internet, these issues disappear.

Most likely this is an issue related to an identd (AUTH) request, either from or to the server. A great many services, including SMTP, FTP, and POP3, use identd requests to query the remote host for the username that initiated the connection. In this case, what is happening is that the identd (TCP port 113) request is being dropped (-j DROP) at the firewall's external interface. The sending server (either your internal server or the remote one) therefore never receives a TCP RST packet, so nothing tells it to shut down the ident lookup, and it sits and waits until the request times out. Your options here are either to allow the identd service, which we do not recommend, or to change your rule for this service to a REJECT target, which will return an RST/ACK, instructing the remote service to terminate the identd request.

This first rule assumes that the mail server is running on the firewall itself with a very restrictive "unless allow, deny" policy:

 # where eth0 is our external interface
 # --dport needs a protocol match (-p tcp); --reject-with tcp-reset sends the
 # TCP RST described above (REJECT without it answers TCP with ICMP port-unreachable)
 $IPTABLES -A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset

The following rule demonstrates how to achieve this when the mail server sits behind the firewall, where Host-A is our firewall and Host-B (192.168.1.25) is our internal SMTP server, located on the DMZ segment 192.168.1.0/24:

 # where eth0 is our external interface
 # where eth1 is our internal network, 10.10.10.0/24
 # where eth2 is our DMZ network, 192.168.1.0/24
 $IPTABLES -A FORWARD -i eth0 -o eth2 -p tcp \
     --dport 113 -j REJECT --reject-with tcp-reset
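The two rules above, as an added example script that is not the book's own code: it builds the identd REJECT rules for both layouts (mail server on the firewall, mail server in the DMZ) and, going beyond the text, adds the outbound case so Host-B's own ident queries to remote hosts that silently drop port 113 fail fast as well. The interface names, DMZ subnet and Host-B address are the ones used in the text; everything else is assumed.

```shell
#!/bin/sh
# Added example, not the book's code: emits the identd REJECT rules for the
# two layouts in the text (mail server on the firewall; mail server in the DMZ)
# and, beyond the text, the outbound case, so Host-B's own ident queries to
# remote hosts that silently drop port 113 also fail fast.
# Interfaces, the DMZ subnet and the mail host address are those in the text.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=eth0               # external (Internet-facing) interface
DMZ_IF=eth2               # DMZ interface, 192.168.1.0/24
MAIL_HOST=192.168.1.25    # Host-B, the DMZ SMTP server

# --reject-with tcp-reset answers the SYN with a TCP RST. Plain REJECT on TCP
# sends ICMP port-unreachable, which is not the RST/ACK the ident client needs.
REJECT="-j REJECT --reject-with tcp-reset"

# Mail server on the firewall itself: inbound ident hits the INPUT chain.
rule_input() {
    echo "-A INPUT -i $EXT_IF -p tcp --dport 113 $REJECT"
}

# Mail server in the DMZ: inbound ident is forwarded from the Internet to Host-B.
rule_forward_in() {
    echo "-A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $MAIL_HOST --dport 113 $REJECT"
}

# Host-B's own ident queries to remote MTAs whose firewalls DROP port 113:
# reset them here so sendmail does not wait out the SYN retransmit timeout.
rule_forward_out() {
    echo "-A FORWARD -i $DMZ_IF -o $EXT_IF -p tcp -s $MAIL_HOST --dport 113 $REJECT"
}

# These rules must precede any catch-all DROP rule in the chain; if one is
# already appended, use -I instead of -A.
apply_rules() {
    for r in "$(rule_input)" "$(rule_forward_in)" "$(rule_forward_out)"; do
        # word splitting of $r into iptables arguments is intentional
        "$IPTABLES" $r || return 1
    done
}

case "$1" in
    --apply) apply_rules ;;                                  # needs root
    *) rule_input; rule_forward_in; rule_forward_out ;;      # dry run: print rules
esac
```

Run it without arguments to review the rules; after applying, a connection to port 113 from outside should fail immediately with "connection refused" rather than hanging.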



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169
