[ale] Odd network behavior

Bob Toxen transam at verysecurelinux.com
Sun Jun 26 18:17:56 EDT 2005


On Sun, Jun 26, 2005 at 07:06:48AM -0400, David Corbin wrote:
> I've been having a problem for some time that I'm at a bit of a loss to 
> figure out.  I have one Windows box (used by she who must be obeyed) that 
> is "challenged" with regard to sending email.  She's using Thunderbird, 
> and *sometimes*, when sending an email, the status dialog "sending email" is 
> left on screen for 'a long time' (~30 seconds).  It usually succeeds 
> eventually.  However, sometimes (< half the time), it's nearly 
> instantaneous. It seems like it might be a DNS problem, but EVERY time I 
> try to diagnose it as a DNS problem (using ping), it has no problems.  
> I've also tried "telnet smtp 25" without any problems.

Does your Linux firewall respond to the "ident" (a.k.a. "auth") requests
that the mail server receiving mail almost certainly is sending?  Is the
delay almost always either 30 seconds or 300 seconds (the common timeouts
for ident)?

Try enabling reply to idents.  (To see if this is a problem, use tcpdump
or Ethereal to monitor traffic or just check your firewall's logs to see
if it is receiving idents (to TCP port 113) from the mail server that mail
is being sent to.)

In the likely case that you send all outgoing email to your ISP's specified
mail server, likely that host name is shared by multiple machines.  Some of
them timeout after 30 seconds and some don't bother -- which would indicate
sloppiness at the ISP but that's SOP.  If you're NOT required to send to
your ISP's mail server (unlikely and very sloppy on their part) then see
if there's a correlation of delay to which addresses mail is sent to.

Of course, if this is the problem then this problem is present regardless
of which system behind the firewall is sending.

> More info on my set up.
> I'm running exim 4 on a Linux box, which is sitting on the far side of a 
> Linux firewall (i.e., to the server, the address has been NAT-obscured)
> It's *possible* this problem happens for other clients on my LAN behind 
> the firewall, but I use KMail elsewhere so it's not visible.

> Any tips or ideas?
> David

Best regards,

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
d/b/a Horizon Network Security
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"

http://www.verysecurelinux.com       [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
http://www.verysecurelinux.com/sunset.html                    [Sunset Computer]
bob at verysecurelinux.com (e-mail)

Author,
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
2nd Ed., Prentice Hall, (C) 2003, 848 pages, ISBN: 0130464562
Also available in Japanese, Chinese, Czech, and Polish.

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

Public key available at http://www.verysecurelinux.com/pubkey.txt, keyservers,
  and on the CD-ROM that comes sealed and attached to Real World Linux Security
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at realworldlinuxsecurity.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
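
The check suggested in the reply (watch for ident probes to TCP port 113 from the mail server), as an added example that is not part of the original post: it reads `tcpdump -nn -tt` text output and reports ident connection attempts that were never answered. The capture lines and addresses are constructed samples, and the function names are made up for illustration.

```python
import re

# Constructed `tcpdump -nn -tt` lines (documentation addresses, not real traffic).
# 198.51.100.7 = firewall's public address; 203.0.113.x = ISP mail servers.
SAMPLE = """\
999.800000 IP 198.51.100.7.40001 > 203.0.113.25.25: Flags [S], seq 1, win 5840, length 0
999.850000 IP 203.0.113.25.25 > 198.51.100.7.40001: Flags [S.], seq 9, ack 2, win 5792, length 0
1000.000000 IP 203.0.113.25.51000 > 198.51.100.7.113: Flags [S], seq 5, win 5840, length 0
1003.000000 IP 203.0.113.25.51000 > 198.51.100.7.113: Flags [S], seq 5, win 5840, length 0
1009.000000 IP 203.0.113.25.51000 > 198.51.100.7.113: Flags [S], seq 5, win 5840, length 0
1100.000000 IP 198.51.100.7.40002 > 203.0.113.26.25: Flags [S], seq 3, win 5840, length 0
1100.200000 IP 203.0.113.26.51001 > 198.51.100.7.113: Flags [S], seq 7, win 5840, length 0
1100.200100 IP 198.51.100.7.113 > 203.0.113.26.51001: Flags [R.], seq 0, ack 8, win 0, length 0
"""
PKT = re.compile(r"^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > "
                 r"(\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

def ident_probes(capture):
    """Return one record per inbound ident (TCP/113) connection attempt."""
    mailed = {}   # server IP -> time of our first SYN to its port 25
    probes = {}   # (server IP, server port, our IP) -> record
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, flags = m.groups()
        ts = float(ts)
        if dport == "25" and flags == "S":          # our outbound SMTP SYN
            mailed.setdefault(dst, ts)
        elif dport == "113" and flags == "S":       # server's ident SYN (or retry)
            rec = probes.setdefault((src, sport, dst), {
                "server": src, "syns": 0, "first": ts, "last": ts,
                "reply": None, "after_smtp": src in mailed})
            rec["syns"] += 1
            rec["last"] = ts
        elif sport == "113" and (dst, dport, src) in probes:   # our answer
            rec = probes[(dst, dport, src)]
            if rec["reply"] is None:
                rec["reply"] = "reset" if "R" in flags else "accepted"
    return list(probes.values())

def silent_drops(capture):
    """Probes that never got any answer: the case that stalls the SMTP session."""
    return [p for p in ident_probes(capture) if p["reply"] is None]

if __name__ == "__main__":
    for p in silent_drops(SAMPLE):
        print(f"{p['server']}: {p['syns']} unanswered ident SYNs over "
              f"{p['last'] - p['first']:.0f}s, after our SMTP connect: {p['after_smtp']}")
```

A probe with repeated SYNs and no reply means the firewall is silently dropping ident; a reset reply ends the server's lookup at once instead of leaving it to time out.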


