From: Robert Schetterer (robert schetterer.org)
Date: Mon Jul 23 2007 - 15:44:38 CDT
Ralf Hildebrandt wrote:
> * Mark Martinec <Mark.Martinec+postfix ijs.si>:
>
>> More likely than not you are stumbling across some other PIX "esmtp fixup"
>> issue, where the Postfix workaround does not help. Here is one that
>> is 'promising':
>>
>> CSCsg52277
>> Certain SMTP messages cannot be sent through ASA with 'inspect esmtp' on
>>
>> http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html
>> (btw, does anyone have more information on this one?)
>
> Indeed, I've been sniffing the content and the "other side" doesn't
> even accept anything beyond the first few header lines.
>
>> If you can establish a communication with the administrator on the receiving
>> side, it would be most helpful to see what their firewall log shows.
>
> Yes, I'll try that.
>
>> I had a case with just these symptoms a few months ago. Because the remote
>> side had a backup MX relay at their provider's site (before the PIX),
>> it could be demonstrated that their PIX tears down the TCP session
>> (without a FIN or ICMP or any other indication), regardless of whether
>> our mail was being delivered to them directly from us, or indirectly
>> from their MX relay. It suggests the reason for a disconnect may lie
>> purely in the mail contents (RFC 2822) and not in the SMTP protocol;
>> perhaps a long mail header field.
>
> I haven't postcat'ed our mails (yet).
>
>> At that time about a dozen messages were in our mail queue, failing
>> with every retry.
>
> Same here.
>
>> These messages had both the DomainKeys as well as a DKIM
>> signature (which span a couple of lines each).
>
> AH! That could be a reason.
>
>> When I removed a DomainKeys
>> header field (but kept a DKIM signature) and resent them, all but two of
>> these messages delivered cleanly right away, but not the remaining two.
>> When I took the DKIM signature out too, these two stubborn messages
>> were delivered at last.
>
> I'll have a look at that as well.
>
>> I was able to persuade the remote site to turn off the 'esmtp fixup'
>> in their PIX, and I re-sent the original messages a second time - they
>> went through cleanly. Unfortunately I was not able to get into direct
>> contact with their firewall administrator, so it remains unknown what
>> was the exact reason for disconnects - my wild guess is: long folded
>> header fields.
>
> Probably. My observations correlate with my introduction of the DKIM
> milter.
>
If DKIM is involved, is there a chance to use some map/list with milter
postfix not to include the sig outgoing to special IPs/servers?
- --
Best Regards
Robert Schetterer
https://www.schetterer.org
Germany
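Added example, not part of the original thread: a Python check that takes a raw RFC 2822 message (for instance one dumped from the queue) and lists the header fields that are folded or contain an over-long line, which is the property the thread suspects of triggering the disconnect. The function names, the 78-character threshold and the sample message are assumptions made for illustration; the thread does not state what limit the PIX applies.

```python
import re

# Signature fields named in the thread; compared case-insensitively.
SIGNATURE_FIELDS = {"dkim-signature", "domainkey-signature"}
# Assumed reporting threshold (RFC 2822 recommended line length), not a known PIX limit.
SOFT_LINE_LIMIT = 78

def header_fields(raw):
    """Split the header block into (field_name, physical_lines) pairs."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]  # stop at first blank line
    fields = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1].append(line)  # folded continuation of previous field
        elif ":" in line:
            fields.append((line.split(":", 1)[0], [line]))
    return fields

def suspicious_fields(raw, limit=SOFT_LINE_LIMIT):
    """Report fields that are folded or have a physical line longer than limit."""
    report = []
    for name, lines in header_fields(raw):
        longest = max(len(l) for l in lines)
        if len(lines) > 1 or longest > limit:
            report.append({
                "field": name,
                "physical_lines": len(lines),
                "longest_line": longest,
                "unfolded_length": len("".join(lines)),  # unfolding drops only CRLF
                "signature": name.lower() in SIGNATURE_FIELDS,
            })
    # Longest unfolded field first: the most likely candidate to test without.
    return sorted(report, key=lambda r: r["unfolded_length"], reverse=True)

# Constructed sample message (not taken from the thread).
SAMPLE = (
    "Received: from a.example by b.example; Mon, 23 Jul 2007 15:00:00 -0500\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\r\n"
    "\th=from:to:subject:date;\r\n"
    "\tb=CONSTRUCTEDSIGNATUREVALUE\r\n"
    "From: sender@example.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body line: not a header\r\n"
)

if __name__ == "__main__":
    print(suspicious_fields(SAMPLE))
```

Running it over each message stuck in the queue gives a quick list of which fields to compare between mails that were delivered and mails that were not.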