New More info...
Well, it seems that to most of the world, my box is up and running and looks fine. But my Exchange 2000 server at work still won't talk to it... getting messages in the exim log to the effect of "SMTP command timeout"... meaning Exchange isn't getting a timely response, and so isn't sending any commands, even though the TCP connection is OK.

When I telnet:25 from work, I can pretty typically produce the following scenario (my typing is in bold):

ehlo amor.org
mail from: fumanchu@amor.org
rcpt to: fumanchu@aminus.net
data
subject: another test
from: fumanchu@amor.org
te
220 mp5.aminus.net ESMTP Exim 3.36 #1 Wed, 19 Mar 2003 09:16:37 -0800
s250-mp5.aminus.net Hello amor.org [63.200.221.34]
250-SIZE
250-PIPELINING
250 HELP
250 <fumanchu@amor.org> is syntactically correct
250 <fumanchu@aminus.net> verified
354 Enter message, ending with "." on a line by itself
t78
.

250 OK id=18vhB7-0001Bc-00
quit


So...exim is waiting...the only thing I can guess at is that it is doing some sort of DNS lookup on my sending IP, but failing, even though exchange2.amor.org [63.200.221.34] is the lowest-cost MX for amor.org. I *believed* I had turned that off, but I must have missed something. I'll post my exim.conf if anyone wants to see it.

Anyway, the only reason I bring it up here instead of some exim mail list is that I'm not convinced the problem is with exim. My first thoughts were ipchains/netfilter (but my kernel's not set up for that), and then tcpd (i.e. hosts.allow/deny, but I'm not using inetd to start exim). So my question is, is there another layer somewhere that could be filtering this traffic on my box that I don't know about?


Many fears are born of stupidity and ignorance -
Which you should be feeding with rumour and generalisation.
BOfH, 2002 "Episode" 10
New Interim answer
My Exchange server here at work is behind a PIX, and then a Nexland DSL router with firewalling capabilities. At first I thought the PIX "fixup smtp" might be damaging the conversation somehow, but of course I turned that off long ago (and it shouldn't affect outbound anyway).

Answer: The Nexland has a setting:

Allow IDENT Port: [ ] Enable  [ ] Disable
Note: Makes port 113 seem closed, not stealth

Setting this to 'Enable' fixed the problem.

I still need to find out now how to get Exim to not care whether this is set or not, because I'm sure I'm not the only one who has had this set, and I'd rather not miss anyone else's valid mail.

Many fears are born of stupidity and ignorance -
Which you should be feeding with rumour and generalisation.
BOfH, 2002 "Episode" 10
New Final answer
There's a setting for your exim.conf file to fix this for all hosts:

rfc1413_query_timeout = 0s

"0s" turns identd probing off completely. I know because I had to make a mad dash just now to get Papa John's email server to actually speak to me. :)

Mmmmm. Italian sausage....

Many fears are born of stupidity and ignorance -
Which you should be feeding with rumour and generalisation.
BOfH, 2002 "Episode" 10
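
Added example (not from the thread, and not Exim's code): a Python sketch of why the Nexland "closed, not stealth" setting and `rfc1413_query_timeout = 0s` both remove the delay. The helper names, the loopback listener standing in for a stealthed port 113, and the `1025 , 25` port pair are assumptions constructed for the demonstration.

```python
import socket
import time

def ident_probe(host, port, timeout):
    """Try an RFC 1413 query as a mail server might before greeting; return (outcome, seconds)."""
    start = time.monotonic()
    if timeout <= 0:                      # mirrors rfc1413_query_timeout = 0s: no probe is made
        return "skipped", 0.0
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"1025 , 25\r\n")   # constructed pair: sender's source port , our SMTP port
            outcome = "answered" if s.recv(512) else "closed"
    except ConnectionRefusedError:
        outcome = "refused"               # port "seems closed": the refusal arrives at once
    except (socket.timeout, TimeoutError):
        outcome = "timeout"               # silence: the whole timeout passes before any greeting
    return outcome, time.monotonic() - start

def silent_listener():
    """Constructed stand-in for a stealthed port: never replies.
    A real stealth firewall drops the SYN, so the stall happens at connect
    instead of at read; the time lost by the prober is the same."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)                         # never accept() and never answer
    return srv

def demo(timeout=1.0):
    """Compare the three cases from the thread on loopback."""
    srv = silent_listener()
    stealth_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                           # nothing listens here now, so connects are refused
    results = {
        "stealth": ident_probe("127.0.0.1", stealth_port, timeout),
        "closed": ident_probe("127.0.0.1", closed_port, timeout),
        "disabled": ident_probe("127.0.0.1", stealth_port, 0),
    }
    srv.close()
    return results

if __name__ == "__main__":
    for case, (outcome, secs) in demo().items():
        print(f"{case:9s} {outcome:8s} {secs:.2f}s")
```

Only the "stealth" case spends the full timeout; if the sending server's own SMTP timer is shorter than that wait, it gives up before the banner ever arrives.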
New Schweet...
You rock!
b4k4^2
[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT
[link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!]   [link|http://pascal.rockford.com:8888/SSK@kQMsmc74S0Tw3KHQiRQmDem0gAIPAgM/edcurry/1//|ED'S GHOST SPEAKS!]
[link|http://www.eweek.com/article2/0,3959,857673,00.asp|Writing on wall, Microsoft to develop apps for Linux by 2004]
Heimatland Geheime Staatspolizei reminds:
These [link|http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf|Civilian General Orders], please memorize them.
"Questions" will be asked at safety checkpoints.
     Debian + Exim woe: - (tseliot) - (7)
         More info... - (tseliot) - (3)
             Interim answer - (tseliot) - (2)
                 Final answer - (tseliot) - (1)
                     Schweet... - (folkert)
         Related question on DNS - (tseliot) - (2)
             Put an entry in /etc/hosts - (folkert) - (1)
                 Yes, that should work for this instance. Thanks. - (tseliot)