*** ./src/util/sane_accept.c-	Sat Mar 10 18:04:36 2007
--- ./src/util/sane_accept.c	Tue May  1 08:43:41 2007
***************
*** 106,113 ****
       * socket. Turning on keepalives will fix a blocking socket provided that
       * the kernel's keepalive timer expires before the Postfix watchdog
       * timer.
       */
- #if defined(BROKEN_READ_SELECT_ON_TCP_SOCKET) && defined(SO_KEEPALIVE)
      else if (sa && (sa->sa_family == AF_INET
  #ifdef HAS_IPV6
  		    || sa->sa_family == AF_INET6
--- 106,116 ----
       * socket. Turning on keepalives will fix a blocking socket provided that
       * the kernel's keepalive timer expires before the Postfix watchdog
       * timer.
+      * 
+      * XXX Work around NAT induced damage by sending a keepalive before an idle
+      * connection is expired. This requires that the kernel keepalive timer
+      * is set to a short time, like 100s.
       */
      else if (sa && (sa->sa_family == AF_INET
  #ifdef HAS_IPV6
  		    || sa->sa_family == AF_INET6
***************
*** 118,123 ****
  	(void) setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE,
  			  (char *) &on, sizeof(on));
      }
- #endif
      return (fd);
  }
--- 121,125 ----
*** ./src/util/sane_connect.c-	Sun Oct 12 12:07:53 2003
--- ./src/util/sane_connect.c	Tue May  1 08:44:33 2007
***************
*** 50,63 ****
       * socket. Turning on keepalives will fix a blocking socket provided that
       * the kernel's keepalive timer expires before the Postfix watchdog
       * timer.
       */
- #if defined(BROKEN_READ_SELECT_ON_TCP_SOCKET) && defined(SO_KEEPALIVE)
      if (sa->sa_family == AF_INET) {
  	int     on = 1;
  
  	(void) setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE,
  			  (char *) &on, sizeof(on));
      }
- #endif
      return (connect(sock, sa, len));
  }
--- 50,65 ----
       * socket. Turning on keepalives will fix a blocking socket provided that
       * the kernel's keepalive timer expires before the Postfix watchdog
       * timer.
+      * 
+      * XXX Work around NAT induced damage by sending a keepalive before an idle
+      * connection is expired. This requires that the kernel keepalive timer
+      * is set to a short time, like 100s.
       */
      if (sa->sa_family == AF_INET) {
  	int     on = 1;
  
  	(void) setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE,
  			  (char *) &on, sizeof(on));
      }
      return (connect(sock, sa, len));
  }