Re: [Exim] Re: stmp protocol violation, synchronization erro…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Walt Reed
Date:  
À: Mick Swisher
CC: exim-users
Sujet: Re: [Exim] Re: stmp protocol violation, synchronization error, input sent
On Wed, Mar 17, 2004 at 03:15:53PM -0600, Mick Swisher said:
> Mick Swisher wrote:
> >Edgar Lovecraft wrote:
> >
> >>The 30 second time wait is why I mention the ident checks, exim does this
> >>by default, just set it to 15 sec or less (or 0 to turn off) and I would
> >>wager that if you do no other delay before the SMTP Banner the server


> >>would
> >>connect properly.
> ...
> >I went ahead and disabled the ident check temporarily to see if the
> >number of sync errors goes down. We are currently getting 15k to 20k
> >sync errors each day. If that does not reduce the errors, then I will
> >disable the rDNS lookups to see what happens. I will also try to
> >capture an smtp conversation to see if it is a delay or just a 'pump &
> >dump' script.
>
> You guys are good. Disabling the ident check fixed the problem. We are
> now receiving mail from swbell.net (mtaw?.prodigy.net). For the first
> time since we installed Exim the 'sync' errors have dropped below 15k.
> Of course all the other errors increased by 10-70% and our spam
> increased as well.
>
> I have since set set the ident timeout back up to 20s for further
> testing. I would prefer to get it as close to 30s as possible without
> risking intermittent issues with legitimate, although misconfigured,
> mta's.


IMHO, ident is pretty useless.

- Few hosts allow ident through the firewall
- It only works on Unix hosts
- the value of the information is limited
- It slows down inbound mail which can greatly increase the number of
open connections on your mail server and hence server load.

Using ident as an anti-spam tool is a little silly. It's not the ident
that is saving you, it's the delay. Spammers are trying to spew as fast
as possible, and they will frequently drop connections to hosts that respond
slowly. You can include reasonable delays at various stages which may
help, but you may also start rejecting legit mail. I would suggest a
whitelist for sites that you don't want to instill delays for.

Keep in mind that Many mail servers at busy sites are now using Very short
timeouts. Partially it's a load issue, partially DOS prevention.
Remember: the 5 minute suggestion in the RFC is just that, a suggestion.