From owner-freebsd-hackers Sat Nov 18 0:19:37 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from zibbi.icomtek.csir.co.za (zibbi.icomtek.csir.co.za [146.64.24.58])
	by hub.freebsd.org (Postfix) with ESMTP id 17F2337B479
	for ; Sat, 18 Nov 2000 00:19:33 -0800 (PST)
Received: (from jhay@localhost)
	by zibbi.icomtek.csir.co.za (8.11.0/8.11.0) id eAI8J1V20277;
	Sat, 18 Nov 2000 10:19:01 +0200 (SAT)
	(envelope-from jhay)
From: John Hay
Message-Id: <200011180819.eAI8J1V20277@zibbi.icomtek.csir.co.za>
Subject: Re: React to ICMP administratively prohibited ?
In-Reply-To: <20001117211013.C9227@skriver.dk> from Jesper Skriver at "Nov 17, 2000 09:10:13 pm"
To: jesper@skriver.dk (Jesper Skriver)
Date: Sat, 18 Nov 2000 10:19:01 +0200 (SAT)
Cc: hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>
> I'm currently looking at how various operating systems react to an 'ICMP
> administratively prohibited'.
>
> My motivation is setups where access to the primary mailserver is
> blocked by filters (usually to block open relays), and all mail has to
> go via the backup MX, an example from a customer of ours.
>
> jesper@freesbee$ host -t mx nemo.dyndns.dk
> nemo.dyndns.dk mail is handled (pri=10) by nemo.dyndns.dk
> nemo.dyndns.dk mail is handled (pri=20) by backup-mx.post.tele.dk
>
> Here we block access to tcp/25 on nemo.dyndns.dk (an ADSL user), but
> provide a backup MX for him to use, but when a mailserver wants to send
> mail to him, they will experience a timeout before sending the mail to
> backup-mx.post.tele.dk, which can send the mail onwards to
> nemo.dyndns.dk.

You can also solve the problem another way. You can remove the MX for
the customer machine, so that your backup-mx is the preferred MX for his
mail. Then on backup-mx you can add a mailertable entry to direct the
mail to his machine.
Something like:

nemo.dyndns.dk		smtp:[nemo.dyndns.dk]

The square brackets are needed to tell sendmail not to do MX lookups
again.

Or if you don't want to use mailertables, you can set the
confTRY_NULL_MX_LIST variable to true.

This way you don't have to worry how someone else's machine is going
to handle those icmp packets.

John
-- 
John Hay -- John.Hay@icomtek.csir.co.za
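
The routing suggested in the reply above, as an added example that is not part of the original message and is not sendmail's code: a simplified Python model of next-hop selection, showing why the bracketed mailertable entry (or the try-null-MX setting) is needed once backup-mx is the only MX. The names `next_hops`, `MailLoop` and the sender `mail.example.org` are hypothetical; the MX data is constructed from the `host` output quoted in the message.

```python
# Simplified model of how an SMTP relay picks its next hops (constructed data).
# MX list for the customer after his own pri=10 record has been removed.
MX = {"nemo.dyndns.dk": [(20, "backup-mx.post.tele.dk")]}


class MailLoop(Exception):
    """Raised when the MX list points back to the relay itself."""


def next_hops(domain, me, mx=MX, mailertable=None, try_null_mx=False):
    """Return the hosts that relay `me` would try, in order, for mail to `domain`."""
    route = (mailertable or {}).get(domain)
    if route:
        _mailer, _, host = route.partition(":")
        if host.startswith("[") and host.endswith("]"):
            return [host[1:-1]]      # bracketed: connect to the host, no MX lookup
        domain = host                # unbracketed: MX lookup is done again
    records = sorted(mx.get(domain, []))
    if not records:
        return [domain]              # no MX at all: use the address record
    mine = [pref for pref, host in records if host == me]
    if mine:
        # Standard MX loop prevention: a relay that is itself in the list
        # discards every MX at or above its own preference value.
        records = [(p, h) for p, h in records if p < min(mine)]
        if not records:
            if try_null_mx:
                return [domain]      # we are the best MX: try the host directly
            raise MailLoop(f"MX list for {domain} points back to {me}")
    return [host for _, host in records]


if __name__ == "__main__":
    me = "backup-mx.post.tele.dk"
    table = {"nemo.dyndns.dk": "smtp:[nemo.dyndns.dk]"}
    print(next_hops("nemo.dyndns.dk", "mail.example.org"))        # outside sender
    print(next_hops("nemo.dyndns.dk", me, mailertable=table))     # mailertable route
    print(next_hops("nemo.dyndns.dk", me, try_null_mx=True))      # null-MX fallback
```
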