Author: Tim Jackson Date: To: exim-users Subject: Re: [Exim] Large message causing reset from foreign MTA
Hi David, on Fri, 19 Dec 2003 22:11:46 -0600 you wrote:
> Today I discovered a run of retry time not reached messages for one
> particular exchange server from only one of my gateways. After tracing
> through the retry database and a few tests, I discovered a message
> causing a connection reset by peer. This message is a short bit of html
> and approx 200,000+ newlines.
> I am personally convinced that exim is handling the message fine,
Sounds like it to me. "connection reset by peer" hints strongly that the
Exchange server barfed and dropped the connection.
> I work with a crack team of MS admins,
Hehe, no offence to your colleagues but I'm sure I'm not the only one who has
"contradiction in terms" alarm bells going off at this point ;)
> I can tell you the exchange system is 5.5 SP4. It is
> running some form of spam filtering software, not sure which this week.
> And, it is sitting behind a PIX firewall. I was certain they had the
> fixup smtp protocol enabled on it, but it now doesn't look like they do
> when I telnet in to the smtp port.
Well, I haven't seen this before in passing plenty of messages to
Exchange servers, but then again I'm not sure I've tried to pass a
message with 200k newlines. Best thing to do might be to get them to
remove/disable the firewall (and definitely check fixup's off) and also
disable their antispam software (which would be better off on the gateway
anyway).
To be honest, Exchange is such a buggy piece of junk that it wouldn't
surprise me if that kind of weirdness (200k newlines) causes it to barf
and drop the connection.
Alternatively, if the message is being passed "realtime" through whatever
spam software they are using, it's possible that the sheer size of it (or
perhaps the fact that it is so weird) is causing that software (rather
than Exchange) to balk (or perhaps time out?), which could conceivably
cause Exchange to drop the connection uncleanly (it wouldn't surprise me).
> I would just work through this with them to determine the nature, but
> they are very stubborn and unwilling to offer any useful information.
Hehe, that's the problem with "crack MS admins"...again, no offence to
anyone who happens to be an MS admin with a clue (in fact, my compliments
- you're a rare species!), but in my experience once you get past "how do
I launch Internet Explorer" or ask anything that requires knowledge of an
underlying protocol (or in fact anything which can't be solved by a few
mouse clicks and random poking) then you get blank stares.
If they're really being that awkward and won't help by enabling/disabling
stuff, I guess there's no choice except to tcpdump the session to a file
and plough through the log to find out exactly what happens. Don't show
tcpdump to the "crack MS admins" though; they'll probably think you're
some kind of government-sponsored hacker with secret underground software
who can take over NASA at the press of a key ;) I mean - "SYN",
"ACK"...all sounds like some kind of spy code ;)
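
An added example, not part of the original message: once the session has been captured to a file with tcpdump, a small parser can report which address sent the RST, how many payload bytes the sending side had pushed by then, and the last SMTP reply seen. The addresses, client port 40000 and the sample session are constructed; the parser assumes a classic little-endian pcap file holding Ethernet/IPv4 frames.

```python
import socket
import struct

CLIENT, SERVER = "192.0.2.10", "192.0.2.25"  # constructed documentation addresses

def frame(src, dst, sport, dport, flags, payload=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return out

def find_reset(capture, smtp_port=25):
    """Return (RST source IP, client payload bytes sent so far, last server reply) or None."""
    off, sent, last_reply = 24, 0, None  # skip the 24-byte pcap global header
    while off + 16 <= len(capture):
        caplen = struct.unpack_from("<I", capture, off + 8)[0]
        pkt, off = capture[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4/TCP
        ihl = (pkt[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", pkt, 16)[0]  # excludes Ethernet padding
        tcp = pkt[14 + ihl:14 + ip_len]
        sport, dport = struct.unpack_from("!HH", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if tcp[13] & 0x04:  # RST flag set
            return socket.inet_ntoa(pkt[26:30]), sent, last_reply
        if dport == smtp_port:
            sent += len(payload)
        elif sport == smtp_port and payload:
            last_reply = payload.decode("ascii", "replace").strip()
    return None

# Constructed session: the server accepts DATA, then resets during the newline run.
SAMPLE = pcap([
    frame(SERVER, CLIENT, 25, 40000, 0x18, b"220 mail.example ESMTP\r\n"),
    frame(CLIENT, SERVER, 40000, 25, 0x18, b"DATA\r\n"),
    frame(SERVER, CLIENT, 25, 40000, 0x18, b"354 Send data\r\n"),
    frame(CLIENT, SERVER, 40000, 25, 0x18, b"<html></html>\r\n" + b"\r\n" * 500),
    frame(SERVER, CLIENT, 25, 40000, 0x14),  # RST|ACK from the server side
])

if __name__ == "__main__":
    print(find_reset(SAMPLE))
```

A RST that carries the server's address can also be generated by a device in the path, such as the firewall, so captures taken on both sides of it are worth comparing.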