Hi all,

Taylor, Grant wrote:
>
> Rather than allowing ident would it be possible to do a REJECT (via
> iptables -t filter -A OUTPUT -j REJECT) (I'm not sure if this can be a
> policy or not) that way the ident will fail immediately versus timing
> out?  That is if you don't want the ident to happen.  Seeing as how a
> LOT of servers don't even support ident any more this might just as well
> be an option.
>

Which is what I did on one server (SuSE) and it solved the problem there.
The other server was different in that the problem did not always occur:
only about 80% of all connections were affected, and only POP3.

The real solution can be found here:
http://www.washington.edu/imap/IMAP-FAQs/index.html
issue 7.24

Quick summary. Mostly the cause is either reverse DNS requests timing out or
ident requests also timing out. The latter happens on systems running
xinetd. In e.g. /etc/xinetd.d/ipop3 there are lines like

    log_on_success += USERID

These lines cause inetd to start an ident request. Delete all of these and
similar lines in each file where they occur, restart xinetd and the problem
is gone. No need to write rules :)

Thanks to all providing ideas and pointing me to ident.

Have a nice time,
Joerg
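The check described in the message above, as an added example that is not part of the original post: two shell functions that list the xinetd `log_on_success` / `log_on_failure` lines enabling `USERID`, and print a copy of a service file with only that token removed. The function names, the sample service file and its server path are constructed for illustration; removing just the token instead of the whole line is a variation on the post's advice.

```shell
# Added example (not from the original post). Assumes xinetd's usual
# whitespace-separated "attribute operator values" layout.

# find_userid DIR: print "file:line:service:attribute" for every
# log_on_success / log_on_failure line that enables USERID (ident lookup).
find_userid() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }                   # ignore commented-out lines
            $1 == "service"  { svc = $2 }         # remember the current block
            $1 == "defaults" { svc = "defaults" }
            ($1 == "log_on_success" || $1 == "log_on_failure") &&
            ($2 == "=" || $2 == "+=") {           # "-=" removes a value: skip
                for (i = 3; i <= NF; i++)
                    if ($i == "USERID") { print file ":" NR ":" svc ":" $1; break }
            }' "$f"
    done
}

# strip_userid FILE: print FILE with only the USERID token removed, keeping
# other log values (HOST, PID, ...); a line left with no values is dropped.
strip_userid() {
    awk '
        !/^[ \t]*#/ && ($1 == "log_on_success" || $1 == "log_on_failure") &&
        ($2 == "=" || $2 == "+=") {
            indent = $0; sub(/[^ \t].*$/, "", indent)
            rest = ""
            for (i = 3; i <= NF; i++) if ($i != "USERID") rest = rest " " $i
            if (rest != "") print indent $1 " " $2 rest
            next
        }
        { print }' "$1"
}

# Constructed sample resembling /etc/xinetd.d/ipop3 (not taken from the post).
sample_ipop3() {
    cat <<'EOF'
service pop3
{
    socket_type     = stream
    server          = /usr/sbin/ipop3d
    log_on_success  += USERID HOST
    log_on_failure  += USERID
    # log_on_success += USERID
}
EOF
}
# Demo on the constructed sample; on a real host run: find_userid /etc/xinetd.d
d=$(mktemp -d); sample_ipop3 > "$d/ipop3"
find_userid "$d"; strip_userid "$d/ipop3"; rm -rf "$d"
```

After editing the real files, xinetd still has to be restarted, as the post says, before the change takes effect.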