Sendmail Five Second Greeting Delay

Jon Radel jon at radel.com
Fri Apr 2 14:12:57 UTC 2010


On 4/2/10 8:33 AM, David Allen wrote:

> Secondly, it seems the cause of the OP's problem was a delay associated
> with an IDENT query.  Specifically
>
>    confTO_IDENT     Timeout.ident   [5s] The timeout waiting for a
>         response to an IDENT query.
>
> If he had local DNS configured, there would be no query, and therefore no
> issue, but setting the timeout to 0 seconds using
>
>    define(`confTO_IDENT', 0s)
>
> does remove the delay, but not the underlying problem.

You sure?  IDENT has nothing to do with DNS, and I don't know of any 
program that does an IDENT query solely if DNS data is not available.  I 
can't see why that would make any sense.

What is most likely the OP's root problem is that he's sending e-mail 
from a machine that's on the other side of a firewall that blocks IDENT 
traffic but doesn't actively reject it.  So sendmail has to sit around 
and wait for the query to time out.

This is why there's a school of thought that even if your default for 
firewall configuration is to quietly drop unwanted packets, IDENT is a 
protocol that you should actively reject.  It makes things move along 
more quickly.

>
> Put another way, I'm wondering why IDENT queries are made?  My knowledge
> of that protocol is superficial, but my understanding is that running an
> identity service is widely considered a security problem.  FreeBSD doesn't
> run identd by default, for example, but it's possible that some Linux
> distros do.  The Wikipedia article suggests "It's an IRC thing", but that
> doesn't address the default sendmail behavior.

Things can make more sense when you realize that TCP/IP networks have 
changed over the years.  Long ago, when dinosaurs roamed the earth, and 
timesharing servers were big things with professional admins and lots of 
users, it could be helpful to know that if you got an irritating 
connection from the Math Dept. server using source port X, and IDENT 
said the owner of the process that was using port X was a user called 
Jimbob, that you could go to the admin of that server and tell him to 
slap Jimbob upside the head.  After all, if his IDENT server had been 
subverted, he would have mentioned it when you had a beer with him last 
night.

These days, when so much traffic comes from individual workstations 
where the user can frequently arrange for an IDENT server to return any 
fool information they want, if they have it running at all, the value 
added is much less.

Do remember that some of these things date from back when Linus was 
still in diapers (well, actually, he was about 15 when the earliest RFC 
with the genesis of IDENT was published), so trying to figure out why 
they make sense based solely on what Linux does can be futile.  ;-)

-- 

--Jon Radel
jon at radel.com
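The point Jon makes about a firewall that silently drops IDENT versus one that actively rejects it is easy to see from the client side. The following is an added example, not code from the original thread and not sendmail's own IDENT code: a minimal RFC 1413 query client plus throwaway fixtures that stand in for a host answering normally, a host (or firewall) that refuses port 113 with a reset, and a host whose packets are dropped so the client just waits. Everything here runs on loopback with constructed data; the userid "jimbob", the port numbers and the timeout values are made up for the demonstration.

```python
"""Added example: why a dropped IDENT query stalls the SMTP session while a
rejected one does not. The client is a minimal RFC 1413 query (the request
line is "<server-port>, <client-port>", the answer is "<ports> : USERID :
<opsys> : <userid>" or "<ports> : ERROR : <code>"). The fake identd servers
are constructed fixtures, not real identd behaviour."""
import socket
import threading
import time

IDENT_PORT = 113  # the real identd port; the fixtures below use ephemeral ports


def ident_query(host, port, server_port, client_port, timeout):
    """Send one IDENT query and classify the outcome.

    Returns (status, detail, elapsed_seconds). status is "ok" (userid in
    detail), "error" (identd answered with an ERROR line), "refused" (a reset
    came back at once: the fast path an actively rejecting firewall gives you)
    or "timeout" (nothing came back within `timeout`: the slow path that
    sendmail's Timeout.ident / confTO_IDENT bounds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            reply = b""
            while not reply.endswith(b"\r\n"):
                chunk = s.recv(512)
                if not chunk:  # peer closed without a full line
                    break
                reply += chunk
    except ConnectionRefusedError:
        return "refused", None, time.monotonic() - start
    except (socket.timeout, TimeoutError):
        return "timeout", None, time.monotonic() - start
    elapsed = time.monotonic() - start
    fields = [f.strip() for f in reply.decode("ascii", "replace").split(":")]
    if len(fields) >= 4 and fields[1] == "USERID":
        return "ok", fields[3], elapsed
    if len(fields) >= 3 and fields[1] == "ERROR":
        return "error", fields[2], elapsed
    return "error", "malformed reply", elapsed


def start_fake_identd(reply, hold_seconds=2.0):
    """Start a one-shot fake identd on 127.0.0.1 and return its port.

    reply=None makes the server accept the connection and then sit silent,
    which from the client's side is indistinguishable in effect from a
    firewall that drops the packets: the client waits out its timeout."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)

    def serve():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            return
        finally:
            srv.close()
        with conn:
            conn.settimeout(5)
            try:
                conn.recv(512)  # consume the query line
            except socket.timeout:
                return
            if reply is None:
                time.sleep(hold_seconds)  # stall instead of answering
            else:
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Return a loopback port with nothing listening, so connect() gets a RST."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def demo(timeout=0.5):
    """Run the three scenarios; returns {scenario: (status, detail, elapsed)}."""
    results = {}
    answering = start_fake_identd(b"25, 40001 : USERID : UNIX : jimbob\r\n")
    results["answering"] = ident_query("127.0.0.1", answering, 25, 40001, timeout)
    results["rejected"] = ident_query("127.0.0.1", closed_port(), 25, 40001, timeout)
    stalling = start_fake_identd(None, hold_seconds=timeout * 4)
    results["stalling"] = ident_query("127.0.0.1", stalling, 25, 40001, timeout)
    return results


if __name__ == "__main__":
    for name, (status, detail, elapsed) in demo().items():
        print(f"{name:10s} {status:8s} {detail!s:16s} {elapsed:.3f}s")
```

The "rejected" case returns in microseconds because the kernel answers with a reset; that is what a firewall rule that sends a reset (pf's `block return`, ipfw's `reset` action) gives the mail server, whereas a silent drop leaves sendmail waiting the full Timeout.ident. Setting `confTO_IDENT` to `0s`, as quoted above, skips the query altogether and so removes the delay without fixing the firewall.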



More information about the freebsd-questions mailing list