Re: [Exim] can't send large email messages

Author: steve
Date:
To: Tabor J. Wells
CC: exim-users, Don Rude, Mike Antro
Subject: Re: [Exim] can't send large email messages
On Wed, 1 Aug 2001, Tabor J. Wells wrote:

> On Tue, Jul 31, 2001 at 07:39:08PM -0400,
> steve@??? <steve@???> is thought to have said:
>
> > I can't send large email messages from exim 3.12 (debian) to an Exchange
> > server when passing packets through a CISCO PIX Firewall.
> >
> > It seems the CISCO PIX firewall doesn't like large packets:
> >
> > ping -s 2000 <mailserver ip> results in an additional 30ms latency,
> > ping -s 3000 <mailserver ip> results in no packets being returned
> > (the mail server is on an unloaded T1)
> >
> > Any clue into what I can do to fix this on my end would be helpful,
> > hopefully without having to ditch the debian package and compile it
> > myself. Not that it's a problem compiling things myself, it's just nice
> > to have debian's backported security updates and whatever.
> >
> > Is it just because exim likes to use large packets if at all
> > possible maybe? And other mailer daemons don't do this or what? I know
> > the mail server on the other end can receive large attachments from
> > other people.
>
> The short answer is that the PIX is probably blocking ICMP including
> useful things like fragmentation requests. Since your server doesn't know
> to fragment the packets into smaller chunks and the remote side's requests
> to do so don't get to you, you'll continue to have mail which won't pass
> until one of two things happens. The site with the PIX changes their
> filters to allow the useful bits of ICMP to pass or you recompile exim
> setting "DELIVER_OUT_BUFFER_SIZE = 1024" (or some other suitably low
> number) in your Local/Makefile.
>


So is there a way to make my server split packets into smaller chunks?
I'm currently running Debian (potato/stable) and 2.2.19 kernel, would
upgrading to woody/2.4.7 kernel solve my problem possibly? So it's just
a case that our server doesn't understand the PIX's request to split
up the packets? Or are the packets simply not getting to me for some
reason or another (firewall misconfiguration, etc)?

I talked to the admin of the firewall and he claims that the PIX is
restricting packets to 2800 bytes or less because Cisco claims it stops a
DoS attack. There's apparently no way to turn it off and the only
workaround is downgrading the IOS version. Grrr it really annoys me
when DoS "fixes" stop legit traffic. The firewall admin would love to
solve the problem on their end as well since we are not the only ones with
a mail server having trouble getting mail to them. It's just really
painful to have to downgrade the IOS version, but if the current IOS
version is broken in this sense or whatever, then that may be the firewall
admin's only option to let in email, short of moving the win2k box outside
of the firewall, which he's not anxious to do for obvious reasons. :)

+------------------------------------+-----------------------------+
| Stephen Grecni    steve@???  |  /"\                        |
| Hacker                             |  \ /  ASCII Ribbon Campaign |
| 301.208.1796 x13  f 301.208.1930   |   X    Against HTML E-Mail  |
| Build your world. http://STEEM.com |  / \    <!-- <HTML> -->     |
+------------------------------------+-----------------------------+
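The failure mode Tabor describes, as an added toy model (not code from the thread or from Exim): a sender doing classic path MTU discovery against a path where ICMP errors are filtered, and against a filter that silently drops datagrams above a size threshold. The 2800-byte threshold, the 2000/3000-byte probe sizes and the 1024-byte sender cap are taken from the thread; the hop layout, MTU values and the `Hop`/`Path`/`deliver` names are constructed for illustration, and the cap stands in for the smaller-output-buffer suggestion without claiming how Exim's buffer maps onto TCP segments.

```python
# Added example, not from the thread: a toy model of the PMTUD failure described
# in the reply. Threshold, probe sizes and cap come from the thread; hop MTUs are
# constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    mtu: int                          # largest datagram this hop forwards
    drop_over: Optional[int] = None   # silently discard datagrams above this size
    passes_icmp: bool = True          # lets ICMP errors from later hops reach the sender


@dataclass
class Path:
    hops: List[Hop]

    def send(self, size: int) -> str:
        """Forward one DF-set datagram: 'delivered', 'icmp:<mtu>' or 'lost'."""
        icmp_return_open = True
        for hop in self.hops:
            if hop.drop_over is not None and size > hop.drop_over:
                return "lost"                    # filter drops it, no error generated
            if size > hop.mtu:
                # Fragmentation-needed is generated here; it only reaches the
                # sender if every earlier hop passes ICMP back.
                return f"icmp:{hop.mtu}" if icmp_return_open else "lost"
            icmp_return_open = icmp_return_open and hop.passes_icmp
        return "delivered"


def deliver(path: Path, size: int, cap: Optional[int] = None, tries: int = 4) -> Tuple[str, int]:
    """Classic PMTUD sender: shrink to the reported MTU on ICMP, stall on silence.
    `cap` models a sender-side size limit (the smaller-buffer suggestion)."""
    if cap is not None:
        size = min(size, cap)
    for _ in range(tries):
        result = path.send(size)
        if result == "delivered":
            return "delivered", size
        if result.startswith("icmp:"):
            size = int(result.split(":", 1)[1])  # adopt the next-hop MTU and retry
            continue
        return "blackhole", size                 # silent loss: sender never learns why
    return "gave_up", size


# Constructed paths: ICMP blocked in front of a 1500-byte link (a PMTUD black hole),
# the admin's >2800-byte drop filter, and a healthy path for comparison.
ICMP_BLOCKED = Path([Hop(9000, passes_icmp=False), Hop(1500), Hop(9000)])
SIZE_FILTER = Path([Hop(9000, drop_over=2800), Hop(9000)])
HEALTHY = Path([Hop(9000), Hop(1500), Hop(9000)])
```

On the healthy path a 3000-byte send is renegotiated down to 1500 and delivered; on the other two it is lost without feedback, which is exactly what the silent `ping -s 3000` shows, while the capped send gets through the size filter.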