Re: Sendmail Five Second Greeting Delay
- From: David Allen <the.real.david.allen@xxxxxxxxx>
- Date: Fri, 2 Apr 2010 04:33:09 -0800
On 4/1/10, Matthew Seaman wrote:
On 02/04/2010 01:51:27, Norbert Papke wrote:
When I connect to sendmail on a local interface, sendmail responds to the
connection with its "220" greeting immediately. If I connect to sendmail from
another machine on my (home) LAN, sendmail delays five seconds before sending
the greeting. I would like it to respond immediately.

A quick search turned up a "greet_delay" feature in sendmail that would cause
this type of behavior. To the best of my knowledge, I do not use this
feature. Just to be sure, I tried to explicitly enable it with both a default
0 second timeout and an explicit 0 second access rule. This did not
resolve the issue.

For the sake of the archives, I'd like to note that the `greet_pause'
feature is actually a pretty effective and very cheap to implement
anti-spam measure. You need:

FEATURE(greet_pause, `5000')dnl ## 5 seconds

in your $(hostname).mc file -- this gives you a default 5 second delay.
If you also have

FEATURE(`access_db')

you can override that value for particular IP ranges or domain names.
This is also a handy addition to the .mc file:

LOCAL_RULESETS
SLocal_greet_pause
R$*		$: $&{daemon_flags}
R$* a $*	$# 0

This turns off greet_pause on network ports where authentication is
required, i.e. if you use port 587 for submitting new mail and reserve
port 25 for MTA to MTA mail transfers.
The way this works is that it requires the sending side to wait until
your system prints out the greeting banner. If the sending side starts
speaking before then, sendmail will refuse to accept any mail during
that session. All real MTAs will get this right, as it is part of the
SMTP specification in the RFCs. Many spambots, on the other hand, send
e-mail by simply replaying one side of a recorded SMTP conversation
without regard for what the other side says. This feature weeds out
that sort of spambot with very little effort.

Useful reading. Two questions ...
First, I'm wondering what is logged as a result of using greet_pause when
getting slammed by a bot. Is it something along the lines of "User did
not issue...", "LA LA LA I wasn't listening", or nothing at all?
Secondly, it seems the cause of the OP's problem was a delay associated
with an IDENT query. Specifically

confTO_IDENT    Timeout.ident    [5s] The timeout waiting for a response to an IDENT query.

If he had local DNS configured, there would be no query, and therefore no
issue, but setting the timeout to 0 seconds using

define(`confTO_IDENT', 0s)

does remove the delay, but not the underlying problem.
Put another way, I'm wondering why IDENT queries are made? My knowledge
of that protocol is superficial, but my understanding is that running an
identity service is widely considered a security problem. FreeBSD doesn't
run identd by default, for example, but it's possible that some Linux
distros do. The Wikipedia article suggests "It's an IRC thing", but that
doesn't address the default sendmail behavior.
Thanks.
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
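
The pre-greeting check described in the quoted greet_pause explanation, sketched as an added example (not code from this thread or from sendmail). The hostnames, the reply text and the `greet`/`simulate` helpers are constructed for illustration, and the session runs over a local socketpair rather than a real SMTP port.

```python
import select
import socket

# Constructed banner and rejection lines; not sendmail's exact wording.
BANNER = b"220 mx.example.test ESMTP\r\n"
REJECT = b"554 mx.example.test not accepting messages\r\n"


def greet(conn, pause_ms):
    """Hold the banner for pause_ms and reject a peer that talks first.

    Returns "accepted" or "rejected" so the caller can log or count it.
    """
    # select() marks the socket readable if the peer sent bytes (or closed)
    # while the server was still silent, i.e. before any 220 was on the wire.
    readable, _, _ = select.select([conn], [], [], pause_ms / 1000.0)
    if readable:
        conn.sendall(REJECT)
        return "rejected"
    conn.sendall(BANNER)
    return "accepted"


def simulate(early_talker, pause_ms=200):
    """Run one constructed session and return (verdict, first server reply)."""
    server, client = socket.socketpair()
    try:
        if early_talker:
            # Replayed script: commands pushed without reading the banner.
            client.sendall(
                b"HELO bot.example.test\r\nMAIL FROM:<a@example.test>\r\n"
            )
        verdict = greet(server, pause_ms)
        return verdict, client.recv(1024)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for label, early in (("waits for banner", False), ("early talker", True)):
        verdict, reply = simulate(early)
        print(f"{label:17s} -> {verdict:8s} {reply!r}")
```

A client that waits costs `pause_ms` of latency per connection, which is why the quoted ruleset exempts ports where authentication is required.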