sendmail SLOWdown (FBSD 4.1 / Sendmail 8.11.0)


Post by nob.. » Thu, 04 Oct 2001 00:06:10



Hi:
        My P-150 (FBSD 4.1) acts as a nat box and runs sendmail and pop server.
It's worked pretty good for a year or so, but now connections to the mail
server are SLOW. I don't think this is DNS related, dig's to the first few
nameservers in resolv.conf are quite snappy and web browsing through the nat
interface works well (still). So I'm a little stumped as to what could be
wrong, nothing has been changed, DNS is working, why is the mail server so
SLOW? I realize there is not a lot to chew on here, but just fishing for ideas,
has anyone out there had similar experiences and if so, what was the problem,
solution? Also, the syslogs show little or no load on the machine, the outside
interface is tied by 10BaseT to a cable modem, the inside interface is tied
to a wireless LAN via a second 10BaseT connection. As I said, all has been
working and still does, but Sendmail is SLOWed considerably, even a telnet 25
takes 30-40 seconds to get the welcome prompt. Any ideas would be helpful!

--
Steve S.


remove NOSPAM before replying

 
 
 


Post by Dan Luke » Sat, 06 Oct 2001 11:13:02


 > Sendmail is SLOWed considerably, even a telnet 25
 > takes 30-40 seconds to get the welcome prompt.

        If sendmail delays the initial response only, it's the right time to check
the availability of reverse mapping of the client IP address, or it is a problem
related to the IDENT query and (no) response.

                                                Dan

--
Dan Lukes      tel: +420 2 21914205, fax: +420 2 21914206
root  of FIONet,  KolejNET,  webmaster  of www.freebsd.cz


 
 
 


Post by Bill Vermilli » Sun, 07 Oct 2001 00:52:02




> > Sendmail is SLOWed considerably, even a telnet 25
> > takes 30-40 seconds to get the welcome prompt.
> If sendmail delays the initial response only, it's the right time to
>check the availability of reverse mapping of the client IP address, or it is
>a problem related to the IDENT query and (no) response.

I had noticed that there was a default 30s ident delay in the older
sendmail.cf files but it is now 5 seconds.

I've read the identd man pages.  I also see that identd is now
commented out by default in the /etc/inetd.conf file.

So is ident used much and if so to what purposes?

--

 
 
 


Post by nob.. » Sun, 07 Oct 2001 05:20:02


Thanks Bill & Dan! The box is a serial-console in my basement, so I'll
check it tonight. You've both given me some ideas, thanks a lot. I'll
go down tonight and tunnel in, then watch what happens when my wife
tries to send mail over the wireless LAN. My guess is ps and netstat
will give some clues that the logs are not! Thanks again.




>> > Sendmail is SLOWed considerably, even a telnet 25
>> > takes 30-40 seconds to get the welcome prompt.

>> If sendmail delays the initial response only, it's the right time to
>>check the availability of reverse mapping of the client IP address, or it is
>>a problem related to the IDENT query and (no) response.

>I had noticed that there was a default 30s ident delay in the older
>sendmail.cf files but it is now 5 seconds.

>I've read the identd man pages.  I also see that identd is now
>commented out by default in the /etc/inetd.conf file.

>So is ident used much and if so to what purposes?

>--


--
Steve S.


remove NOSPAM before replying

 
 
 


Post by Dan Luke » Sun, 07 Oct 2001 10:15:32



> I've read the identd man pages.  I also see that identd is now
> commented out by default in the /etc/inetd.conf file.

> So is ident used much and if so to what purposes?

        IDENT is a good idea for an Internet of well configured computers with trusted
administrators and restricted end users. That (unreal) environment allows
us to trust the IDENT responses.

        The real Internet is a pile of Windows, mad configured Linuxes with unskilled
administrators and so on. Almost any user can run an untrusted identd and
send any answer he wants.

        I can't say that IDENT is useless, but I can say it is totally untrusted
(unless you have control over the computer with the IDENT server), so running an
IDENT client or server is mostly a waste of bandwidth.

                                                        Dan

--
Dan Lukes      tel: +420 2 21914205, fax: +420 2 21914206
root  of FIONet,  KolejNET,  webmaster  of www.freebsd.cz

 
 
 


Post by Bill Vermilli » Mon, 08 Oct 2001 00:04:55




>> I've read the identd man pages.  I also see that identd is now
>> commented out by default in the /etc/inetd.conf file.
>> So is ident used much and if so to what purposes?
> IDENT is a good idea for an Internet of well configured computers
>with trusted administrators and restricted end users. That (unreal)
>environment allows us to trust the IDENT responses.
> The real Internet is a pile of Windows, mad configured Linuxes with
>unskilled administrators and so on. Almost any user can run an
>untrusted identd and send any answer he wants.

I've seen more than a couple of 'mad configured Linuxes' and some
were downright scary because of the open holes.  So I can see that
side.

> I can't say that IDENT is useless, but I can say it is totally
>untrusted (unless you have control over the computer with the IDENT
>server), so running an IDENT client or server is mostly a waste of
>bandwidth.

In a trusted environment just what does it give you, e.g. what are the
advantages?

Bill

--

 
 
 


Post by newt » Mon, 08 Oct 2001 13:03:45



> Hi:
>         My P-150 (FBSD 4.1) acts as a nat box and runs sendmail and pop server.
> It's worked pretty good for a year or so, but now connections to the mail
> server are SLOW. I don't think this is DNS related, dig's to the first few
> nameservers in resolv.conf are quite snappy and web browsing through the nat
> interface works well (still). So I'm a little stumped as to what could be
> wrong, nothing has been changed, DNS is working, why is the mail server so
> SLOW? I realize there is not a lot to chew on here, but just fishing for ideas,
> has anyone out there had similar experiences and if so, what was the problem,
> solution? Also, the syslogs show little or no load on the machine, the outside
> interface is tied by 10BaseT to a cable modem, the inside interface is tied
> to a wireless LAN via a second 10BaseT connection. As I said, all has been
> working and still does, but Sendmail is SLOWed considerably, even a telnet 25
> takes 30-40 seconds to get the welcome prompt. Any ideas would be helpful!

> --
> Steve S.


> remove NOSPAM before replying

Dan and Bill:
    Thanks for the advice, I did figure it out: It seems that sendmail reads in
resolv.conf when it starts, then never again. The first name server in resolv.conf
went dead, so I deleted it. dig and such then worked quite well, so I thought
"DNS is OK". When I watched while my wife tried to send mail, I noticed that the
sendmail connections were showing the dead nameserver's IP in the ps listing.
I thought: hmmm, maybe I'll killall -HUP sendmail, and now it works! I thought
all programs that use DNS would consult resolv.conf before any lookup, but
apparently that's not the case. It's a new one on me. I don't run inetd or
identd, and I wasn't aware that sendmail used identd. Apparently it doesn't
require it. Thanks for the advice and interesting comments!

-Steve
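
Added example, not written by any poster in this thread: a Python check for the two conditions behind the resolution above, namely a nameserver near the top of resolv.conf that no longer answers, and a resolv.conf edited after a long-running daemon started. Function names and the sample addresses are constructed for illustration; the probe is IPv4/UDP only, and the daemon start time is supplied by the caller.

```python
import os, socket, struct, time

# Constructed sample; 192.0.2.53 stands in for the dead first nameserver.
SAMPLE = "domain example.net\nnameserver 192.0.2.53\nnameserver 198.51.100.53 # backup\n"

def parse_nameservers(text):
    """Return nameserver addresses in the order they are listed."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#")[0].split(";")[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def probe(server, name="example.com", port=53, timeout=2.0):
    """Send one A query; return round-trip seconds, or None if nothing answers."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    # Header: random ID, RD flag set, one question; then QTYPE=A, QCLASS=IN.
    packet = (os.urandom(2) + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 0)
              + qname + struct.pack(">HH", 1, 1))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(packet, (server, port))
            while True:
                data, _ = s.recvfrom(512)
                if data[:2] == packet[:2]:      # reply carries our query ID
                    return time.monotonic() - start
        except OSError:                         # timeout, unreachable, bad address
            return None

def dead_before_first_live(servers, prober=probe):
    """Servers a lookup must time out on before it reaches one that answers."""
    dead = []
    for ip in servers:
        if prober(ip) is not None:
            break
        dead.append(ip)
    return dead

def config_newer_than_daemon(daemon_start, path="/etc/resolv.conf"):
    """True if resolv.conf was modified after the daemon started (epoch seconds)."""
    return os.path.getmtime(path) > daemon_start

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print("dead ahead of first live:", dead_before_first_live(parse_nameservers(fh.read())))
```

A non-empty result from `dead_before_first_live` or a `True` from `config_newer_than_daemon` points at the situation described in the post: the file on disk and the daemon's view of it need to be brought back in line, which in the thread was done by signalling sendmail.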

 
 
 


Post by Per Hedela » Mon, 08 Oct 2001 20:28:54




>> I can't say that IDENT is useless, but I can say it is totally
>>untrusted (unless you have control over the computer with the IDENT
>>server), so running an IDENT client or server is mostly a waste of
>>bandwidth.

>In a trusted environment just what does it give you, e.g. what are the
>advantages?

Well, IDENT is probably the most misunderstood protocol on the Internet,
of course this may in part be to blame on originally calling it AUTH,
since authentication it is not by any means. And to agree with Dan, it
probably doesn't have much use in an Internet dominated by truly
single-user systems running either Windows or a Unix where the only user
has root privileges - not to mention having a "dynamic" IP address that
can only be mapped to a physical or legal entity with the aid of an ISP
(and probably a court order:-).

But anyway, the distribution of the once de-facto standard
implementation, pidentd, includes a pretty good (but very dated)
argumentation for using IDENT, written by Dan Bernstein. It's actually
called "Why TAP", TAP being yet another name for a variant of this
protocol, but the arguments are the same. I couldn't find it on Dan's
web site, but if you go to /usr/ports/security/pidentd and 'make',
you'll find it in work/pidentd-*/doc/why-tap.txt - or on the net as
e.g.: http://www.netsw.org/net/ip/infoservice/ident/doc/why-tap.txt

--Per Hedeland

 
 
 


Post by Bill Vermilli » Tue, 09 Oct 2001 00:51:45





>>> I can't say that IDENT is useless, but I can say it is totally
>>>untrusted (unless you have control over the computer with the IDENT
>>>server), so running an IDENT client or server is mostly a waste of
>>>bandwidth.

>>In a trusted environment just what does it give you, e.g. what are the
>>advantages?
>Well, IDENT is probably the most misunderstood protocol on the
>Internet, of course this may in part be to blame on originally
>calling it AUTH, since authentication it is not by any means.
>And to agree with Dan, it probably doesn't have much use in an
>Internet dominated by truly single-user systems running either
>Windows or a Unix where the only user has root privileges - not to
>mention having a "dynamic" IP address that can only be mapped to
>a physical or legal entity with the aid of an ISP (and probably a
>court order:-).

Well that explains why I couldn't find too much on it. I first
noticed this when a client with an ap using our mail-server said it
always took him 30 seconds to get a reply from our system. [he's in
an MS environment and writing a custom ap - and we are a small ISP
and only with industrial/commercial users].  Since almost everything
else was Unix based we'd just fire off the mail and it would go and
never noticed any pauses.

>But anyway, the distribution of the once de-facto standard
>implementation, pidentd, includes a pretty good (but very dated)
>argumentation for using IDENT, written by Dan Bernstein. It's actually
>called "Why TAP", TAP being yet another name for a variant of this
>protocol, but the arguments are the same. I couldn't find it on Dan's
>web site, but if you go to /usr/ports/security/pidentd and 'make',
>you'll find it in work/pidentd-*/doc/why-tap.txt - or on the net as
>e.g.: http://www.netsw.org/net/ip/infoservice/ident/doc/why-tap.txt

I'm running make in that directory as we speak [or actually as I
type]

Not that I will probably use this, but I feel better the more I
know about more of the tools.

Per, I am constantly amazed at your wealth of knowledge.  Thanks for
taking the time to enlighten us - hopefully it's enlightened us all -
but if not - at least me.

Thanks, it is greatly appreciated.

Bill

--

 
 
 
