From owner-freebsd-questions@FreeBSD.ORG Fri Apr 2 12:33:11 2010
From: David Allen <the.real.david.allen@gmail.com>
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Fri, 2 Apr 2010 04:33:09 -0800
Subject: Re: Sendmail Five Second Greeting Delay
In-Reply-To: <4BB58AC2.50009@infracaninophile.co.uk>
References: <201004011751.27767.npapke@acm.org> <4BB58AC2.50009@infracaninophile.co.uk>
On 4/1/10, Matthew Seaman wrote:
>
> On 02/04/2010 01:51:27, Norbert Papke wrote:
>> When I connect to sendmail on a local interface, sendmail responds to the
>> connection with its "220" greeting immediately. If I connect to sendmail
>> from another machine on my (home) LAN, sendmail delays five seconds before
>> sending the greeting. I would like it to respond immediately.
>
>> A quick search turned up a "greet_delay" feature in sendmail that would
>> cause this type of behavior. To the best of my knowledge, I do not use this
>> feature. Just to be sure, I tried to explicitly enable it with both a
>> default 0 second timeout and an explicit 0 second access rule. This did not
>> resolve the issue.
>
> For the sake of the archives, I'd like to note that the `greet_pause'
> feature is actually a pretty effective and very cheap to implement
> anti-spam measure. You need:
>
>     FEATURE(greet_pause, `5000')dnl ## 5 seconds
>
> in your $(hostname).mc file -- this gives you a default 5 second delay.
> If you also have
>
>     FEATURE(`access_db')
>
> you can override that value for particular IP ranges or domain names.
>
> This is also a handy addition to the .mc file:
>
>     LOCAL_RULESETS
>     SLocal_greet_pause
>     R$*		$: $&{daemon_flags}
>     R$* a $*	$# 0
>
> This turns off greet_pause on network ports where authentication is
> required, i.e. if you use port 587 for submitting new mail and reserve
> port 25 for MTA to MTA mail transfers.
>
> The way this works is that it requires the sending side to wait until
> your system prints out the greeting banner. If the sending side starts
> speaking before then, sendmail will refuse to accept any mail during
> that session. All real MTAs will get this right, as it is part of the
> SMTP specification in the RFCs.
> Many spambots on the other hand, send
> e-mail by simply replaying one side of a recorded SMTP conversation
> without regard for what the other side says. This feature weeds out
> that sort of spambot with very little effort.

Useful reading. Two questions ...

First, I'm wondering what is logged as a result of using greet_pause when
getting slammed by a bot. Is it something along the lines of "User did not
issue...", "LA LA LA I wasn't listening", or nothing at all?

Secondly, it seems the cause of the OP's problem was a delay associated
with an IDENT query. Specifically

    confTO_IDENT    Timeout.ident    [5s]    The timeout waiting for a
                                             response to an IDENT query.

If he had local DNS configured, there would be no query, and therefore no
issue, but setting the timeout to 0 seconds using

    define(`confTO_IDENT', 0s)

does remove the delay, but not the underlying problem.

Put another way, I'm wondering why IDENT queries are made? My knowledge of
that protocol is superficial, but my understanding is that running an
identity service is widely considered a security problem. FreeBSD doesn't
run identd by default, for example, but it's possible that some Linux
distros do. The Wikipedia article suggests "It's an IRC thing", but that
doesn't address the default sendmail behavior.

Thanks.
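The mechanism Matthew describes (delay the banner, then refuse everything in a session whose client talked before the banner) and the log question David asks can both be seen in a small model. The following is an added example written for this archive page; it is not sendmail code and not from either poster. It runs a toy SMTP listener on 127.0.0.1 with a greet_pause-style check, then drives it once with a client that waits for the 220 as RFC 5321 requires and once with a replay bot that sends its whole script blind. Host names, reply texts and the two client scripts are constructed for the demo; the log wording is modelled on the "rejecting commands from ... due to pre-greeting traffic" message I recall from sendmail's srvrsmtp.c, so check your own maillog for the exact text. The IDENT lookup that caused the OP's delay is not modelled here; in a real sendmail its confTO_IDENT wait also happens before the banner is written.

```python
import socket
import threading

# Toy greet_pause model (added example, not sendmail code). Host names,
# reply texts and the client scripts below are constructed for the demo.
BANNER = b"220 mx.example.test ESMTP ready\r\n"


def handle_session(conn, pause_s, peer, log):
    """Server side of one session: hold the banner for pause_s seconds and
    treat any bytes that arrive during that pause as pre-greeting traffic."""
    conn.settimeout(pause_s)
    early_talker = False
    try:
        # MSG_PEEK looks without consuming, so the command is still parsed below.
        early_talker = bool(conn.recv(1, socket.MSG_PEEK))
    except socket.timeout:
        pass  # client stayed silent for the whole pause, as RFC 5321 requires
    conn.settimeout(5)
    conn.sendall(BANNER)
    if early_talker:
        # Wording modelled on sendmail's srvrsmtp.c log line (assumption).
        log.append("rejecting commands from %s due to pre-greeting traffic "
                   "after %s seconds" % (peer, pause_s))
    reader = conn.makefile("rb")
    for raw in reader:
        cmd = raw.decode("ascii", "replace").strip().upper()
        if cmd == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        if early_talker:
            # Every other command in a tainted session is refused.
            conn.sendall(b"554 5.7.1 Command rejected: pre-greeting traffic\r\n")
        elif cmd.startswith(("EHLO", "HELO")):
            conn.sendall(b"250 mx.example.test\r\n")
        else:
            conn.sendall(b"250 2.0.0 OK\r\n")
    reader.close()


def polite_client(sock):
    """A real MTA: reads the 220 banner before sending its first command."""
    reader = sock.makefile("rb")
    codes = [reader.readline()[:3].decode()]
    for cmd in (b"EHLO client.example.test\r\n", b"QUIT\r\n"):
        sock.sendall(cmd)
        codes.append(reader.readline()[:3].decode())
    return codes


def spambot_client(sock):
    """A replay bot: blasts its whole script without reading a single reply."""
    sock.sendall(b"EHLO bot\r\nMAIL FROM:<x@example.test>\r\n"
                 b"RCPT TO:<victim@example.test>\r\nQUIT\r\n")
    with sock.makefile("rb") as reader:
        return [line[:3].decode() for line in reader]  # until the server hangs up


def run_session(client, pause_s=0.5):
    """Run one client against a fresh listener; return (reply codes, server log)."""
    log = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, peer = listener.accept()
        with conn:
            handle_session(conn, pause_s, "%s:%d" % peer, log)

    server = threading.Thread(target=serve)
    server.start()
    with socket.create_connection(listener.getsockname()) as sock:
        codes = client(sock)
    server.join()
    listener.close()
    return codes, log


if __name__ == "__main__":
    for name, client in (("polite MTA", polite_client), ("replay bot", spambot_client)):
        codes, log = run_session(client)
        print("%s: replies %s; log %s" % (name, codes, log))
```

The polite client sees 220, 250, 221 and leaves no log entry; the bot still gets a 220 but every command it replayed is answered 554 and the session is logged once. Note that the check costs the server nothing but a timer: a compliant MTA only pays the pause, while a bot that does not read replies can never tell its mail was dropped.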