On 1/25/07, Stephen Gran <steve@???> wrote:
>
>
> You don't show the timestamps on the packets, so I can't say for sure,
> but how long between handshake and FIN? They may have a callout set up
> with a timeout shorter than it takes your server to send the banner
> (e.g., if you use delays before the banner is up, or you do rDNS checks,
> or anything else). Knowing that the whole conversation happened roughly
> immediately would rule that out, or provide another avenue for
> investigation.
Ok, here's a dump of the whole log:
No.  Time       Source           Destination      Protocol  Info
1    0.000000   198.144.198.191  209.51.152.98    TCP       4500 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=78345384 TSER=0 WS=0
2    0.092229   209.51.152.98    198.144.198.191  TCP       smtp > 4500 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3    0.092342   198.144.198.191  209.51.152.98    TCP       4500 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
4    0.186294   209.51.152.98    198.144.198.191  TCP       40768 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
5    0.186380   198.144.198.191  209.51.152.98    ICMP      Destination unreachable
6    0.280798   209.51.152.98    198.144.198.191  SMTP      Response: 220-river.securenet-server.net ESMTP Exim 4.63 #1 Wed, 24 Jan 2007 13:34:36 -0500
7    0.280882   198.144.198.191  209.51.152.98    TCP       4500 > smtp [ACK] Seq=1 Ack=185 Win=6432 Len=0
8    0.281210   198.144.198.191  209.51.152.98    SMTP      Command: HELO syzygy.com
9    0.377053   209.51.152.98    198.144.198.191  TCP       smtp > 4500 [ACK] Seq=185 Ack=18 Win=5840 Len=0
10   0.377683   209.51.152.98    198.144.198.191  SMTP      Response: 250 river.securenet-server.net Hello syzygy.com [198.144.198.191]
11   0.377908   198.144.198.191  209.51.152.98    SMTP      Command: MAIL FROM:<eric@???>
12   0.472850   209.51.152.98    198.144.198.191  SMTP      Response: 250 OK
13   0.473057   198.144.198.191  209.51.152.98    SMTP      Command: RCPT TO:<mark@???>
14   0.608652   209.51.152.98    198.144.198.191  TCP       smtp > 4500 [ACK] Seq=260 Ack=86 Win=5840 Len=0
15   2.045787   209.51.152.98    198.144.198.191  TCP       40774 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
16   2.045896   198.144.198.191  209.51.152.98    TCP       smtp > 40774 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
17   2.138202   209.51.152.98    198.144.198.191  TCP       40774 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
18   2.258134   198.144.198.191  209.51.152.98    TCP       4501 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=78345610 TSER=0 WS=0
19   5.250159   198.144.198.191  209.51.152.98    TCP       4501 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=78345910 TSER=0 WS=0
20   11.250251  198.144.198.191  209.51.152.98    TCP       4501 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=78346510 TSER=0 WS=0
21   23.250406  198.144.198.191  209.51.152.98    TCP       4501 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=78347710 TSER=0 WS=0
22   32.138342  209.51.152.98    198.144.198.191  TCP       40774 > smtp [FIN, ACK] Seq=1 Ack=1 Win=5840 Len=0
23   32.139131  209.51.152.98    198.144.198.191  SMTP      Response: 451 Could not complete sender verify callout
24   32.139318  198.144.198.191  209.51.152.98    SMTP      Command: QUIT
25   32.139481  198.144.198.191  209.51.152.98    TCP       4500 > smtp [FIN, ACK] Seq=92 Ack=306 Win=6432 Len=0
26   32.140521  198.144.198.191  209.51.152.98    TCP       smtp > 40774 [ACK] Seq=1 Ack=2 Win=5840 Len=0
27   32.233483  209.51.152.98    198.144.198.191  TCP       smtp > 4500 [ACK] Seq=306 Ack=92 Win=5840 Len=0
28   32.233933  209.51.152.98    198.144.198.191  SMTP      Response: 221 river.securenet-server.net closing connection
29   32.234026  198.144.198.191  209.51.152.98    TCP       [TCP Keep-Alive] 4500 > smtp [RST] Seq=92 Ack=1150951851 Win=0 Len=0
30   32.235117  209.51.152.98    198.144.198.191  TCP       smtp > 4500 [FIN, ACK] Seq=357 Ack=92 Win=5840 Len=0
31   32.235187  198.144.198.191  209.51.152.98    TCP       [TCP Keep-Alive] 4500 > smtp [RST] Seq=92 Ack=1150951851 Win=0 Len=0
32   32.235199  209.51.152.98    198.144.198.191  TCP       smtp > 4500 [ACK] Seq=358 Ack=93 Win=5840 Len=0
33   32.235235  198.144.198.191  209.51.152.98    TCP       4500 > smtp [RST] Seq=93 Ack=1150951851 Win=0 Len=0
34   32.251645  198.144.198.191  209.51.152.98    SMTP      Response: 220 syzygy.com ESMTP
35   32.251772  198.144.198.191  209.51.152.98    TCP       smtp > 40774 [FIN, ACK] Seq=23 Ack=2 Win=5840 Len=0
36   32.345273  209.51.152.98    198.144.198.191  TCP       40774 > smtp [RST] Seq=2 Ack=2978285068 Win=0 Len=0
37   32.345853  209.51.152.98    198.144.198.191  TCP       40774 > smtp [RST] Seq=2 Ack=2978285068 Win=0 Len=0
It looks like there's a 30-second delay between their ACK and their FIN
ACK. I didn't think I'd configured a delay into my SMTP server, but I'll go
look.
I turned off reverse DNS lookups when I was having problems getting mail
from a misconfigured domain, so that shouldn't be it.
Is 30 seconds too short to wait on their part? If everyone waited until
near the end of the maximum allowable delay to answer, sender verification
could never work.
-eric
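Added example (editor's code, not Eric's, Stephen's, or anything from the Exim project): a small script that reads the packet summary above, measures how long the callout connection (packets 15 to 22) waited for a banner, and checks whether each ident (auth, port 113) probe ever got an answer. The input is a one-packet-per-line reconstruction of the capture, trimmed to the packets that matter; the ICMP attribution is a heuristic (any ICMP from the probed host back to the prober after the first SYN counts as an answer), since the summary does not show which flow the ICMP quotes.

```python
"""Diagnose a slow SMTP sender-verify callout from a Wireshark/tshark
packet summary: handshake-to-banner latency plus unanswered ident probes."""
import re
from dataclasses import dataclass

# Constructed input: the capture from the mail above, one packet per line
# (No. Time Source Destination Protocol Info), trimmed to the relevant packets.
CAPTURE = """\
1 0.000000 198.144.198.191 209.51.152.98 TCP 4500 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
4 0.186294 209.51.152.98 198.144.198.191 TCP 40768 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
5 0.186380 198.144.198.191 209.51.152.98 ICMP Destination unreachable
6 0.280798 209.51.152.98 198.144.198.191 SMTP Response: 220-river.securenet-server.net ESMTP Exim 4.63
15 2.045787 209.51.152.98 198.144.198.191 TCP 40774 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
16 2.045896 198.144.198.191 209.51.152.98 TCP smtp > 40774 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
17 2.138202 209.51.152.98 198.144.198.191 TCP 40774 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
18 2.258134 198.144.198.191 209.51.152.98 TCP 4501 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
19 5.250159 198.144.198.191 209.51.152.98 TCP 4501 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
20 11.250251 198.144.198.191 209.51.152.98 TCP 4501 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
21 23.250406 198.144.198.191 209.51.152.98 TCP 4501 > auth [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
22 32.138342 209.51.152.98 198.144.198.191 TCP 40774 > smtp [FIN, ACK] Seq=1 Ack=1 Win=5840 Len=0
23 32.139131 209.51.152.98 198.144.198.191 SMTP Response: 451 Could not complete sender verify callout
34 32.251645 198.144.198.191 209.51.152.98 SMTP Response: 220 syzygy.com ESMTP
"""


@dataclass
class Pkt:
    no: int
    t: float
    src: str
    dst: str
    proto: str
    info: str


def parse_summary(text):
    """Parse one-line packet summaries into Pkt records; skip anything else."""
    pkts = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and parts[0].isdigit():
            no, t, src, dst, proto, info = parts
            pkts.append(Pkt(int(no), float(t), src, dst, proto, info))
    return pkts


# "4500 > smtp [SYN, ACK]" (older Wireshark) or "4500 → smtp [SYN, ACK]" (newer).
_TCP = re.compile(r"(\S+) (?:>|→) (\S+) \[([A-Z, ]+)\]")


def tcp_fields(p):
    """(sport, dport, flag set) for a TCP line, or None. Ports are whatever the
    capture resolved them to ('smtp', 'auth', or plain digits)."""
    m = _TCP.search(p.info) if p.proto == "TCP" else None
    if not m:
        return None
    return m.group(1), m.group(2), {f.strip() for f in m.group(3).split(",")}


def callout_timing(pkts, remote, smtp_port="smtp"):
    """Find the remote host's first connection back to our SMTP port (the
    callout) and measure the wait from its handshake ACK to our banner and
    to its FIN. Assumes our only 220 to that host during the callout belongs
    to it."""
    us = cport = t_ack = t_fin = t_banner = None
    for p in pkts:
        f = tcp_fields(p)
        if cport is None:
            if p.src == remote and f and f[1] == smtp_port and f[2] == {"SYN"}:
                us, cport = p.dst, f[0]
            continue
        same_conn = f and f[0] == cport and p.src == remote
        if same_conn and t_ack is None and f[2] == {"ACK"}:
            t_ack = p.t
        elif same_conn and t_fin is None and "FIN" in f[2]:
            t_fin = p.t
        elif (t_banner is None and p.proto == "SMTP" and p.src == us
              and p.dst == remote and p.info.startswith("Response: 220")):
            t_banner = p.t
    if cport is None or t_ack is None:
        return None
    return {
        "callout_port": cport,
        "handshake_done": t_ack,
        "banner_after": None if t_banner is None else round(t_banner - t_ack, 6),
        "remote_fin_after": None if t_fin is None else round(t_fin - t_ack, 6),
        "banner_seen_before_fin": t_banner is not None and (t_fin is None or t_banner < t_fin),
    }


def ident_probes(pkts, ident_port="auth"):
    """Group SYNs to the ident port by (src, sport) and record whether the
    probed host ever replied (SYN/ACK, RST, or ICMP error). Silence means the
    probe is dropped, so the querying side sits out its whole ident timeout."""
    probes = {}
    for p in pkts:
        f = tcp_fields(p)
        if f and f[1] == ident_port and f[2] == {"SYN"}:
            rec = probes.setdefault((p.src, f[0]), {
                "src": p.src, "sport": f[0], "target": p.dst,
                "attempts": 0, "first": p.t, "last": p.t, "answered": False})
            rec["attempts"] += 1
            rec["last"] = p.t
    for rec in probes.values():
        for p in pkts:
            if p.src != rec["target"] or p.dst != rec["src"] or p.t < rec["first"]:
                continue
            f = tcp_fields(p)
            # Heuristic: an ICMP error from the target after the SYN is taken
            # as the answer; the summary does not show the quoted inner flow.
            if (f and f[1] == rec["sport"]) or p.proto == "ICMP":
                rec["answered"] = True
                break
    return list(probes.values())


if __name__ == "__main__":
    pkts = parse_summary(CAPTURE)
    print(callout_timing(pkts, remote="209.51.152.98"))
    for rec in ident_probes(pkts):
        print(rec)
```

Run against the capture, the timing comes out as: their callout handshake finished at 2.138 s, their FIN came 30.000 s later, and our 220 banner only went out 30.113 s after the handshake, so the banner was never seen before they gave up. The probe check explains why: our four SYNs from port 4501 to their auth port (2.26, 5.25, 11.25, 23.25 s, the kernel's normal retry backoff) were never answered, not even with an RST or ICMP, so the ident lookup that our MTA evidently runs before greeting ran to roughly 30 s. Their probe of our auth port, by contrast, got an immediate ICMP unreachable (packet 5) and cost them nothing. The defender's takeaways: a receiving MTA should not let an ident lookup delay the banner (disable it, or give it a timeout of a second or two; in Exim the knob is rfc1413_query_timeout), and a firewall that silently drops port 113 inflicts this wait on every peer that still queries ident, whereas rejecting with RST or ICMP lets them fail fast.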