From: Robert Schetterer (robertschetterer.org)
Date: Mon Jul 23 2007 - 15:44:38 CDT
Ralf Hildebrandt wrote:
> * Mark Martinec <Mark.Martinec+postfixijs.si>:
>> More likely than not you are stumbling across some other PIX "esmtp fixup"
>> issue, where the Postfix workaround does not help. Here is one that
>> is 'promising':
>> Certain SMTP messages cannot be sent through ASA with 'inspect esmtp' on
>> (btw, does anyone have more information on this one?)
> Indeed, I've been sniffing the content and the "other side" doesn't
> even accept anything beyond the first few header lines.
>> If you can establish a communication with the administrator on the receiving
>> side, it would be most helpful to see what their firewall log shows.
> Yes, I'll try that.
>> I had a case with just these symptoms a few months ago. Because the remote
>> side had a backup MX relay at their provider's site (before the PIX),
>> it could be demonstrated that their PIX tears down the TCP session
>> (without a FIN or ICMP or any other indication), regardless of whether
>> our mail was being delivered to them directly from us, or indirectly
>> from their MX relay. It suggests the reason for a disconnect may lie
>> purely in the mail contents (RFC 2822) and not in the SMTP protocol;
>> perhaps a long mail header field.
> I haven't postcat'ed our mails (yet).
>> At that time about a dozen messages were in our mail queue, failing
>> with every retry.
> Same here.
>> These messages had both the DomainKeys as well as a DKIM
>> signature (which span a couple of lines each).
> AH! That could be a reason.
>> When I removed a DomainKeys
>> header field (but kept a DKIM signature) and resent them, all but two of
>> these messages delivered cleanly right away, but not the remaining two.
>> When I took the DKIM signature out too, these two stubborn messages
>> were delivered at last.
> I'll have a look at that as well.
>> I was able to persuade the remote site to turn off the 'esmtp fixup'
>> in their PIX, and I re-sent the original messages a second time - they
>> went through cleanly. Unfortunately I was not able to get into direct
>> contact with their firewall administrator, so it remains unknown what
>> was the exact reason for disconnects - my wild guess is: long folded
>> header fields.
> Probably. My observations correlate with my introduction of the DKIM
If DKIM is involved, is there a chance to use some map/list with milter
postfix not to include the sig outgoing to special IPs/servers?
With kind regards
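Added example, not part of the original message or thread: a small Python helper for comparing stuck and delivered messages by listing which header fields are folded across several lines and how long they are once unfolded. The sample message is constructed, and the idea that folded header length is what matters is the thread's guess, not an established cause.

```python
import re

# Constructed sample message (not from the thread); signature values are dummy text.
SAMPLE = (
    b"Received: from mail.example.org (mail.example.org [192.0.2.10])\r\n"
    b"\tby mx.example.net (Postfix) with ESMTP id ABC123\r\n"
    b"DomainKey-Signature: a=rsa-sha1; s=sel; d=example.org; c=nofws; q=dns;\r\n"
    b"\th=from:to:subject:date;\r\n"
    b"\tb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;\r\n"
    b"\ts=sel; h=from:to:subject:date;\r\n"
    b"\tbh=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=;\r\n"
    b"\tb=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\r\n"
    b"From: sender@example.org\r\n"
    b"To: rcpt@example.net\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"body line that looks like a header: x\r\n"
)

def header_fields(raw):
    """Return one dict per header field, in message order (body is ignored)."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    fields = []
    for line in re.split(rb"\r?\n", head):
        if line[:1] in (b" ", b"\t") and fields:
            # Continuation line: folding attaches it to the previous field.
            f = fields[-1]
            f["lines"] += 1
            f["unfolded_len"] += len(line)
            f["longest_line"] = max(f["longest_line"], len(line))
        elif b":" in line:
            name = line.split(b":", 1)[0].decode("ascii", "replace")
            fields.append({"name": name, "lines": 1,
                           "unfolded_len": len(line), "longest_line": len(line)})
    return fields

def folded_fields(raw, min_lines=2):
    """Header fields that span at least min_lines physical lines."""
    return [f for f in header_fields(raw) if f["lines"] >= min_lines]

if __name__ == "__main__":
    for f in folded_fields(SAMPLE):
        print(f'{f["name"]}: {f["lines"]} lines, {f["unfolded_len"]} bytes unfolded')
```

Running it over the raw message text of messages that fail and messages that get through makes it easy to see whether the signature fields are the only multi-line fields that differ.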