Author: Darren Austin Date: To: exim-users Subject: Re: [Exim] SMTP timeout while connected to <host>
On Wed, 23 May 2001, Daniel Einspanjer wrote:
> I've run into similar identd timeout problems. Even if you don't want to allow idents to go through for security reasons, you should reject the connection instead of blackholing it (like many firewalls do). This will (hopefully) allow their server to get on with the SMTP conversation instead of just waiting for a response.
I agree completly here - ident requests have always been configured to reject
rather than drop on my firewall, but this is what seams to be causing the
problem...
See my previous post for a full explanation :)
> Of course, this is all my opinion, and I'm just an amateur network admin. If anyone with better credentials wishes to disagree, I'll look forward to reading the flame err.. I mean response. ;)
As with most firewall configuration I think that how it's configured is a
completly subjective thing. Your way of configuring it is one way, mine or
someone elses may be completly different - the bit that counts is the end
result; A secure system.
As I said above, I've always REJECT'd rather and DENY'd ident requests because
so many systems out there _will_ hang until they recieve a responce to their
query. The ironic thing about this practice is that 90% of the responces you
get from a ident request will be forged anyway. I know of very little people
who run identd and actually return the correct user infomation for a request -
simply because they belive it weakens the security of their system to give out
the usernames of active accounts on the system.
