Date: Fri, 02 Apr 2010 10:12:33 -0400
From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Subject: Re: Sendmail Five Second Greeting Delay
Message-ID: <4BB5FB51.60207@radel.com>
In-Reply-To: <p2y2daa8b4e1004020533u16d3c5a5hc48eb7ec4ceea7b8@mail.gmail.com>
References: <201004011751.27767.npapke@acm.org> <4BB58AC2.50009@infracaninophile.co.uk> <p2y2daa8b4e1004020533u16d3c5a5hc48eb7ec4ceea7b8@mail.gmail.com>
On 4/2/10 8:33 AM, David Allen wrote:
> Secondly, it seems the cause of the OP's problem was a delay associated
> with an IDENT query. Specifically
>
> confTO_IDENT Timeout.ident [5s] The timeout waiting for a
> response to an IDENT query.
>
> If he had local DNS configured, there would be no query, and therefore no
> issue, but setting the timeout to 0 seconds using
>
> define(`confTO_IDENT', 0s)
>
> does remove the delay, but not the underlying problem.

You sure? IDENT has nothing to do with DNS, and I don't know of any
program that does an IDENT query solely if DNS data is not available. I
can't see why that would make any sense.

What is most likely the OP's root problem is that he's sending e-mail
from a machine that's on the other side of a firewall that blocks IDENT
traffic but doesn't actively reject it. So sendmail has to sit around
and wait for the query to time out.

This is why there's a school of thought that even if your default for
firewall configuration is to quietly drop unwanted packets, IDENT is a
protocol that you should actively reject. It makes things move along
more quickly.

>
> Put another way, I'm wondering why IDENT queries are made? My knowledge
> of that protocol is superficial, but my understanding is that running an
> identity service is widely considered a security problem. FreeBSD doesn't
> run identd by default, for example, but it's possible that some Linux
> distros do. The Wikipedia article suggests "It's an IRC thing", but that
> doesn't address the default sendmail behavior.

Things can make more sense when you realize that TCP/IP networks have
changed over the years. Long ago, when dinosaurs roamed the earth, and
timesharing servers were big things with professional admins and lots of
users, it could be helpful to know that if you got an irritating
connection from the Math Dept. server using source port X, and IDENT
said the owner of the process that was using port X was a user called
Jimbob, that you could go to the admin of that server and tell him to
slap Jimbob upside the head. After all, if his IDENT server had been
subverted, he would have mentioned it when you had a beer with him last
night.

These days, when so much traffic comes from individual workstations
where the user can frequently arrange for an IDENT server to return any
fool information they want, if they have it running at all, the value
added is much less.

Do remember that some of these things date from back when Linus was
still in diapers (well, actually, he was about 15 when the earliest RFC
with the genesis of IDENT was published), so trying to figure out why
they make sense based solely on what Linux does can be futile. ;-)

-- 
--Jon Radel
jon@radel.com
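Added illustration, not part of this thread and not sendmail's own code: a small Python IDENT (RFC 1413) client that does what an MTA does for an inbound SMTP session, using sendmail's default 5-second Timeout.ident, and tells apart the three outcomes discussed above: an immediate refusal (TCP RST, from a host with no identd or a firewall that actively rejects port 113: no delay), a silent timeout (firewall drops the packets: the five-second greeting delay), and an actual reply, which it parses and which, as the message notes, the remote user can make say anything. The stand-in identd, the port numbers and the user name "jimbob" are constructed for the demo; the timeout case cannot be reproduced offline, so it is only handled, not exercised.

```python
import socket
import threading

IDENT_PORT = 113          # RFC 1413 ident/auth service
TIMEOUT_IDENT = 5.0       # sendmail's default Timeout.ident (confTO_IDENT)


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line.

    "6193, 23 : USERID : UNIX : stjohns"  -> ("USERID", "UNIX", "stjohns")
    "6195, 23 : ERROR : NO-USER"          -> ("ERROR", "NO-USER", None)
    anything else                         -> ("MALFORMED", <line>, None)
    The user-id field may itself contain ':', so split at most 3 times.
    """
    parts = [p.strip() for p in line.split(":", 3)]
    if len(parts) >= 4 and parts[1] == "USERID":
        return ("USERID", parts[2], parts[3])
    if len(parts) == 3 and parts[1] == "ERROR":
        return ("ERROR", parts[2], None)
    return ("MALFORMED", line, None)


def ident_query(host, server_port, client_port, ident_port=IDENT_PORT,
                timeout=TIMEOUT_IDENT):
    """Ask <host>'s ident service who owns its end of the TCP connection
    <client_port> -> <server_port>.  Returns a dict whose 'outcome' is:
      'refused' - RST came straight back (no identd, or a firewall that
                  actively rejects): the MTA moves on at once
      'timeout' - nothing for <timeout> seconds (firewall silently drops
                  port 113): the five-second greeting delay
      'reply'   - an identd answered; see 'kind' / 'field' / 'userid'
      'error'   - some other socket error (unreachable network, etc.)
    """
    query = f"{client_port}, {server_port}\r\n".encode("ascii")
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(query)
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return {"outcome": "refused"}
    except socket.timeout:
        return {"outcome": "timeout"}
    except OSError as exc:
        return {"outcome": "error", "detail": str(exc)}
    kind, field, userid = parse_ident_reply(data.decode("latin-1").strip())
    return {"outcome": "reply", "kind": kind, "field": field, "userid": userid}


def start_fake_identd(reply_line):
    """Constructed stand-in for identd on 127.0.0.1 (ephemeral port): answers
    one query with a fixed line, whatever was asked, and exits.  This is the
    "return any fool information they want" case.  Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(256)                      # the "<port>, <port>" query
            conn.sendall(reply_line.encode("ascii") + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """A localhost port with nothing listening: connecting to it gets an RST,
    which is what an actively rejecting firewall looks like to the client."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # A "host" running identd that answers (user name is made up)
    port = start_fake_identd("6193, 25 : USERID : UNIX : jimbob")
    print(ident_query("127.0.0.1", 25, 6193, ident_port=port))
    # A host, or rejecting firewall, that sends RST: no delay at all
    print(ident_query("127.0.0.1", 25, 6193, ident_port=closed_local_port()))
```

Run against a real peer (ident_port left at 113) the same function shows which of the three cases a given sender falls into; a result of 'timeout' after the full five seconds is the dropped-not-rejected firewall the message describes.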
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BB5FB51.60207>