Re: [exim] "protocol violation: synchronization error" from …

On 07/06/06, Toralf Lund <toralf@???> wrote:
>
> > I'm having problems sending to a server that appears to be running Exim [ ... ]
> > The following sequence of (slightly rewritten)
> > log messages should make it clear how the failure occurs:
> >
> Just after posting this, it occurred to me that I really ought generate
> a log with *all* options enabled - I just added SMTP connection messages
> to the default earlier. When I did, I got the same messages, but also
>
> 2006-06-07 13:39:12 ident connection to 192.168.0.186 timed out
>
> I then disabled all "ident" connections via
>
> rfc1413_query_timeout = 0s
>
> and was actually able to deliver my message! So the synchronisation
> problem appears to be a symptom rather than the real issue - maybe it's
> just a result of waiting so long for the ident connection. Also, it
> looks like I have a workaround now. I'll still appreciate it if someone
> can give me more details on what is going on, though. Also, what exactly
> are the consequences of disabling rfc1413 queries?

The real problem is that the system the other end got impatient
waiting for your banner, which took a while because you were doing an
ident query back to them, and they don't support it and don't reject
the packet properly. It's their problem not yours, but you've found a
workaround.

2 issues with disabling idents :

1. You won't be able to log whatever token a remote server might want
to send you in its ident reply - which in the occasional case might be
requested as part of an abuse investigation. So rare it's not worth
bothering with (IMHO).

2. Sometimes the ident is a dead giveaway for a comprimised proxy. But
to make use of this you need to code up ACLs to deal with it, and if
you haven't then it's not useful for you.

If either of these issues concerns you, Instead of disabling idents
completely you could simply exclude the troublesome hosts using
'rfc1413_hosts'

Peter


--
Peter Bowyer
Email: peter@???