Re: [EXIM] RFC1413 timeouts, firewalls and sendmail

Author: Philip Hazel
Date:  
To: Stephen Marquard, Jeffrey Goldberg
CC: exim-users
Subject: Re: [EXIM] RFC1413 timeouts, firewalls and sendmail
On Mon, 23 Mar 1998, Stephen Marquard wrote:

> As a check by hand showed this delay to be about 60s, I found
>
>    rfc1413_query_timeout
>
> which defaults to 60s. It turned out that ident requests to the
> server attempting to send mail were being firewalled, with the result
> that they timed out at 60s instead of failing immediately with
> 'connection refused' or returning a response.


Sadly, this practice seems to be becoming more common. They really ought
to give 'connection refused'.

> As we don't use ident information for anything, I disabled it with
> rfc1413_query_timeout = 0s


The point of ident information is not for you to use, but for you to
hand back to the other site when you are complaining about some bad
behaviour emanating from it. If you were, for example, to complain to me
about some process on my host abusing your SMTP port, the first thing I
would ask was "what was the ident information?" That would help me
identify the user on this multi-user system. Without it I can't do much.

> which solved the problem, but perhaps Exim should be using a lower
> timeout value by default, eg. 15s, or something which doesn't upset
> sendmails behind firewalled ident ports?


RFC 1413 says:
                 The client may close the connection down at any time;
   however to allow for network delays the client should wait at least
   30 seconds (or longer) after a query before abandoning the query and
   closing the connection.


That is why I chose 60 seconds as the default; there are some *very*
slow bits of the Internet. However, I did rather assume that timeouts
would be rare and "connection refused" would be the response when the
connection could not be made.

What do people think? Should I reduce the default to 30s?


On Mon, 23 Mar 1998, Jeffrey Goldberg wrote:

> In my case it was the person setting up the firewall who solved the
> problem, and decided that the correct behaviour would be for the
> firewall to either fail or pass through ident requests. However,
> it did lead me to wonder where the ident info was used.


It is simply logged by Exim. It is used if you want to query something
with the sending host - see my comment above.

-- 
Philip Hazel                   University Computing Service,
ph10@???             New Museums Site, Cambridge CB2 3QG,
P.Hazel@???          England.  Phone: +44 1223 334714



--
*** Exim information can be found at http://www.exim.org/ ***
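
Added example, not part of the original message and not Exim's code: a minimal RFC 1413 client that separates the outcomes discussed above (a reply, an immediate "connection refused", and the silent timeout a packet-dropping firewall causes). The function names, the outcome labels and the `ident_port` parameter are assumptions made for this sketch; treating a zero timeout as "disabled" mirrors the `rfc1413_query_timeout = 0s` setting quoted in the thread.

```python
import socket

IDENT_PORT = 113  # RFC 1413 service port

def parse_ident_reply(line):
    """Parse '<port>, <port> : USERID : <opsys> : <user>' or '... : ERROR : <type>'."""
    fields = line.strip().split(":", 3)
    if len(fields) < 3:
        return ("malformed", None)
    kind = fields[1].strip().upper()
    if kind == "USERID" and len(fields) == 4:
        return ("userid", fields[3].lstrip())
    if kind == "ERROR":
        return ("error", fields[2].strip())
    return ("malformed", None)

def ident_query(host, remote_port, local_port, timeout, ident_port=IDENT_PORT):
    """Ask `host` who owns the connection remote_port -> local_port.

    Returns (outcome, detail); outcome is one of userid, error, refused,
    timeout, unreachable, malformed, disabled.  `timeout` (seconds) applies
    to the connect and to each read separately, not to the whole exchange.
    """
    if timeout <= 0:
        return ("disabled", None)   # no query is attempted at all
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            # Query format: port on the queried host first, then our own port.
            s.sendall(f"{remote_port}, {local_port}\r\n".encode("ascii"))
            buf = b""
            while b"\n" not in buf and len(buf) < 1000:  # RFC 1413 caps line length
                chunk = s.recv(256)
                if not chunk:
                    break
                buf += chunk
    except ConnectionRefusedError:
        return ("refused", None)    # fails at once: what a rejecting firewall gives
    except socket.timeout:
        return ("timeout", None)    # dropped packets: caller waits the full timeout
    except OSError as exc:
        return ("unreachable", str(exc))
    return parse_ident_reply(buf.decode("ascii", "replace"))

if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    for sample in ("6191, 25 : USERID : UNIX : alice", "6191, 25 : ERROR : NO-USER"):
        print(parse_ident_reply(sample))
```

Logging the outcome label next to the ident string makes it easy to see which sending hosts cost a full timeout per connection rather than failing immediately.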