On Tue, Jul 31, 2001 at 07:39:08PM -0400,
steve@??? <steve@???> is thought to have said:
> I can't send large email messages from exim 3.12 (debian) to an Exchange
> server when passing packets through a CISCO PIX Firewall.
>
> It seems the CISCO PIX firewall doesn't like large packets:
>
> ping -s 2000 <mailserver ip> results in an additional 30ms latency,
> ping -s 3000 <mailserver ip> results in no packets being returned
> (the mail server is on an unloaded T1)
>
> Any clue into what I can do to fix this on my end would be helpful,
> hopefully without having to ditch the debian package and compile it
> myself. Not that it's a problem compiling things myself, it's just nice
> to have debian's backported security updates and whatever.
>
> Is it just because exim likes to use large packets if at all
> possible maybe? And other mailer daemons don't do this or what? I know
> the mail server on the other end can receive large attachments from
> other people.

The short answer is that the PIX is probably blocking ICMP including
useful things like fragmentation requests. Since your server doesn't know
to fragment the packets into smaller chunks and the remote side's requests
to do so don't get to you, you'll continue to have mail which won't pass
until one of two things happens. The site with the PIX changes their
filters to allow the useful bits of ICMP to pass or you recompile exim
setting "DELIVER_OUT_BUFFER_SIZE = 1024" (or some other suitably low
number) in your Local/Makefile.
Tabor
--
--------------------------------------------------------------------
Tabor J. Wells twells@???
Fsck It! Just another victim of the ambient morality