Ongoing....Re: Solaris 8 DNS Lookup probs.....

From: Simon Crowther (SCrowthe@msxi-euro.com)
Date: Wed Jan 15 2003 - 05:00:29 EST


Thank you to all those who have responded so far..

There seem to be some mixed feelings on this one; I will try to
clarify the symptoms..

This does not just affect Postfix.
When you telnet to the machine, there is a three-minute delay before the
login prompt is displayed.
When you add an entry into /etc/hosts for the machine you are
telnetting from, there is no delay.
When you sniff the local network whilst trying to telnet to the machine
(without the /etc/hosts entry) you can see the machine repeatedly attempt
reverse lookups; this lasts approx. 3 mins, then the machine gives up and
issues the login prompt anyway. (So what was the point in the
lookup?????)
I suspect this is causing lost connections for mail clients that
don't reverse lookup, due to some SMTP client timeout value that is under
3 mins (as the machine wastes 3 mins trying to look up the connection; the
connection is lost within a minute).
My DNS is not misconfigured.
Postfix is not doing reverse lookups. In some tests I have performed,
Postfix has not even been running, and in any case how could Postfix
affect a telnet connection to port 23????
/etc/nsswitch is configured "files dns".
/etc/resolv.conf points to our DMZ DNS server; this server can reverse
lookup internet clients.
The connections that are lost get logged by Postfix. I have taken
random entries and tried to reverse lookup the IP addresses; they all
fail to match! This is not uncommon, and it is also not a reason why I
should not accept mail from them (they are, after all, our customers!).
Sendmail has been removed...
The server has been secured by JASS.

It has been suggested by Simon Convey & Guy Purcell that TCP Wrappers
may be playing its part in this. I thought I was on to a winner here:
if memory serves me correctly, the advanced config of TCP Wrappers will
perform the lookup for all connections under its control if compiled
that way.
I have checked inetd.conf, and it appears that TCP Wrappers is not
installed (a colleague built this server; he placed a precompiled
tcpwrappers binary in his home area, but I now believe he never deployed
it - other evidence of this is that hosts.allow & hosts.deny do not
exist either).

I had an interesting response from Ric Anderson, who appears to have
experienced the same "feature".. Can anyone comment on this (below)?

This could be a "change in the interest of security" made by Sun to
gethostbyaddr(). Sun enhanced gethostbyaddr() to do a gethostbyname()
and then return "no DNS entry" if the address from gethostbyname didn't
match the address you fed gethostbyaddr(). I reported this as Sun
case #63312495. Sun is sticking by "we're doing this for your good" and
refused to remove the cross check.

So if gethostbyname(gethostbyaddr(IP)) != IP, gethostbyaddr returns
"nothing found", just as if there were no PTR record in DNS.

As a result of this nonsense, I'm looking at migrating the non-vendored
apps to PC/Linux. Vendored apps (like HP OpenView) have to run on Solaris
or Windows or HP/UX, so I don't know what we're going to do about those,
since we don't have any HP/UX boxes or spare Windows boxes.

I'm not sure if gethostbyname() does this same cross check or not.

Cheers,
Ric Anderson

If anyone can shed any light on this, it would be greatly appreciated.

(BTW, you are all coming through a different mail server to me here
(temp solution), so I should get all responses, in case some of you were
wondering.)
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
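As an added illustration of the cross-check Ric describes, and of how a caller can bound the wait instead of stalling for minutes: this is example code written for this archive page, not from the post, from Sun or from Solaris; `confirmed_reverse`, `bounded_reverse` and the fake zone data are all constructed here.

```python
from concurrent.futures import ThreadPoolExecutor, TimeoutError
import socket
import time

# ptr/fwd lookups are injected so this runs offline; for real use wrap
# socket.gethostbyaddr (raises herror) and gethostbyname_ex (raises gaierror).
def confirmed_reverse(ip, ptr, fwd):
    """Ric's cross-check: accept the PTR name only if it resolves forward to
    `ip`; a mismatch is reported exactly like a missing PTR (None)."""
    try:
        name = ptr(ip)
    except socket.herror:        # no PTR record at all
        return None
    try:
        addrs = fwd(name)
    except socket.gaierror:      # PTR exists but the name has no A record
        return None
    return name if ip in addrs else None

def bounded_reverse(ip, ptr, fwd, timeout):
    """Run confirmed_reverse in a worker thread; after `timeout` seconds give
    up and return None instead of stalling the caller for minutes."""
    pool = ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(confirmed_reverse, ip, ptr, fwd)
    try:
        return fut.result(timeout=timeout)
    except TimeoutError:
        return None
    finally:
        pool.shutdown(wait=False)   # do not block on the stuck worker

# Constructed zone data standing in for DNS (RFC 5737 documentation ranges).
PTR = {"192.0.2.10": "mail.example.net", "192.0.2.20": "stale.example.org"}
A = {"mail.example.net": ["192.0.2.10", "192.0.2.11"],
     "stale.example.org": ["198.51.100.5"]}     # PTR left behind, A moved

def _lookup(table, key, error):
    if key not in table:
        raise error
    return table[key]

def fake_ptr(ip):
    return _lookup(PTR, ip, socket.herror(1, "Unknown host"))

def fake_fwd(name):
    return _lookup(A, name, socket.gaierror(-2, "Name or service not known"))

def slow_ptr(ip):
    time.sleep(0.3)              # a resolver that is slow to answer
    return fake_ptr(ip)
```

With the fake zone, 192.0.2.10 is confirmed, 192.0.2.20 is rejected even though it has a PTR, and the slow resolver is cut off by the timeout.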



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:25:36 EDT