Autor: Alan J. Flavell Fecha: A: Exim users list Asunto: Re: [exim] MessageLabs 554 SMTP synchronisation error
On Tue, 12 Jul 2005, Ian FREISLICH wrote:
> Out of interest what proportion of your logs have useful ident data?
Depends what you mean by "useful".
I give you these, for example:
2005-07-06 22:51:54 H=(corporation.net) [168.187.205.3] U=CacheFlow Server
F=<enquiryghstvi@???> rejected RCPT
Rejected - appears to be an unsecured proxy: CacheFlow Server
2005-07-07 18:03:25 H=(mailhub.vianetworks.nl) [194.250.136.80]
U=squid F=<jmazlpop@???> rejected RCPT
Rejected - appears to be an unsecured proxy: squid
There's still (years after this problem was first exposed) a moderate
number of such rejections in our log. In due course the IPs in
question turn up in blacklists (and indeed both of those IPs are well
and truly blacklisted now), and could be rejected on that or on other
grounds, but these characteristic idents seem to be a sure-fire
rejection, on the assumption that no-one is seriously going to run
their MTA with a user name of "squid", let alone "CacheFlow Server".
Sure, the original motive was multi-user systems, where individual
users might be attempting direct-to-MX SMTP, and I'd admit that this
scenario is far less usual than it used to be, for many different
reasons. But when reporting abuse to some remote site, it can still
be a useful handle.
Whether you choose to activate ident or not is entirely a matter for
your local policy, and I wouldn't for a moment try to tell you what to
do. But if you do activate it, then definitely set the timeout to
just a few seconds (we've used 7s for a considerable time, but I
suspect it could well be less and still serve its purpose). Ideally,
if a remote network is not going to respond to ident then it should
reject, rather than dropping the traffic on the floor and leaving us
to time out, but that isn't something we have any control over,
obviously.