On May 4, 2005 07:27 am, Jörg Harmuth wrote:
> Hi all,
>
> Taylor, Grant wrote:
> > Rather than allowing ident would it be possible to do a REJECT (via
> > iptables -t filter -A OUTPUT -j REJECT) (I'm not sure if this can be a
> > policy or not) that way the ident will fail immediately versus timing
> > out? That is if you don't want the ident to happen. Seeing as how a
> > LOT of servers don't even support ident any more this might just as well
> > be an option.
>
> Which is what I did on one server (SuSE) and it solved the problem there.
>
> The other server was different in that the problem occurred not always,
> only about 80% of all connections were affected and only POP3. The real
> solution can be found here:
>
> http://www.washington.edu/imap/IMAP-FAQs/index.html issue 7.24
>
> Quick summary. Mostly the cause is either reverse DNS request timing out
> or ident requests also timing out. The latter happens on systems running
> xinetd. In e.g. /etc/xinetd.d/ipop3 are lines like
>
> log_on_success += USERID
>
> These lines cause inetd to start an ident request. Delete all of these
> and similar lines in each file they occur, restart xinetd and the problem
> is gone. No need to write rules :)

Indeed would be the issue -- I'll not gloat -- but it comes from experience at work with a mail server that was doing the same thing .. 'twas an identd lookup that was waiting to time out when done through the firewall, but responding normally any other time. That happened to be a Cisco pix, but the cause and the symptom are the same. Also why I didn't suggest the solution, just the cause.

Alistair Tonner

> Thanks to all providing ideas and pointing me to ident.

Welcome, 'swat we all hereabouts for.

> Have a nice time,
>
> Joerg
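A scripted form of the xinetd cleanup described in the quoted message, added here as an example and not code from the thread or from any of its participants. It assumes the `log_on_success += USERID` syntax quoted above, that `log_on_failure` lines can carry the same USERID flag, and takes the xinetd.d directory as a parameter so it can be tried on a constructed copy first; the sample service files are constructed for the demo, and the ident-only iptables rule in the comment narrows Grant Taylor's general OUTPUT REJECT suggestion to TCP port 113.

```shell
#!/bin/sh
# Added example, not code from the thread. Removes the USERID flag from
# xinetd's log_on_success / log_on_failure lines so xinetd no longer issues
# an ident (RFC 1413, TCP/113) lookup that can hang behind a firewall.
# Assumes the "log_on_success += USERID" syntax quoted in the thread; the
# xinetd.d directory is a parameter, so this can be tried on a constructed
# copy before touching the real /etc/xinetd.d.

# Print the service files under directory $1 that still request USERID
# (exit status 1 if there are none, as with grep -l).
files_requesting_ident() {
    grep -l 'log_on_[a-z]*.*USERID' "$1"/* 2>/dev/null
}

# Remove the USERID token from log_on_* lines in file $1, in place.
# A line whose only flag was USERID is dropped entirely; a line such as
# "log_on_failure += HOST USERID" keeps its other flags.
strip_userid() {
    file="$1"
    tmp="$file.tmp.$$"
    sed -e '/^[[:space:]]*log_on_success/s/[[:space:]]*USERID//g' \
        -e '/^[[:space:]]*log_on_failure/s/[[:space:]]*USERID//g' \
        -e '/^[[:space:]]*log_on_[a-z]*[[:space:]]*+*=[[:space:]]*$/d' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply strip_userid to every affected file under directory $1 and report.
strip_userid_dir() {
    for f in $(files_requesting_ident "$1"); do
        strip_userid "$f"
        echo "cleaned: $f"
    done
}

# Demo on a constructed xinetd.d directory (sample content, not a real host).
demo() {
    d=$(mktemp -d)
    printf 'service pop3\n{\n\tlog_on_success += USERID\n\tlog_on_failure += HOST USERID\n}\n' > "$d/ipop3"
    printf 'service imap\n{\n\tlog_on_success += PID HOST\n}\n' > "$d/imap"
    echo "before:"; files_requesting_ident "$d"
    strip_userid_dir "$d"
    echo "after:"; cat "$d/ipop3"
    # On a real system, restart xinetd afterwards so the change takes effect.
    # Firewall alternative from the thread, narrowed to ident only: reject the
    # server's own outbound ident connections so they fail at once instead of
    # timing out:  iptables -A OUTPUT -p tcp --dport 113 -j REJECT
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` to see the before/after on the constructed files; point `strip_userid_dir` at a copy of the real directory only after checking `files_requesting_ident` lists exactly the services you expect.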