Sendmail Five Second Greeting Delay

Scott Bennett bennett at cs.niu.edu
Tue Apr 6 11:16:33 UTC 2010


     On Fri, 02 Apr 2010 12:46:24 -0400 Jon Radel <jon at radel.com> wrote:
>On 4/2/10 11:49 AM, David Allen wrote:
>>
>> On 4/2/10, Jon Radel<jon at radel.com>  wrote:
>>> On 4/2/10 8:33 AM, David Allen wrote:
>>>
>>>>  [much stuff deleted  --SB]
>>
>> Interesting reading.  Thanks for elaborating.
>>
>> So the IDENT protocol was relied on in the time of the dinosaurs, its
>> value today is "so much less" (a polite way of saying "not used at
>> all"?), and IDENT packets are commonly dropped by firewalls.   Do I
>> have that right?
>
>Yes, except for the "not used at all" bit.

     Well, as a mid-Triassic dinosaur who didn't reach the rapidly growing
continent of UNIXia until the mid-Jurassic (SysVR1.05->4.3BSD), long after
the breakup of Panibmea had begun, I'd like to say in our defense that when
authd and identd first made their appearances as the latest fashion statements,
those of us who had evolved properly suspicious natures due to exposure to
our own user communities long before becoming networked, looked at each other,
rolled our eyeballs, chuckled, and proceeded not to install either.
>
>> If so, then a reasonable conclusion is that the
>> default sendmail behaviour with respect to IDENT (sending queries and
>> then waiting for a reply) is an anachronism.  And the workaround
>> (setting a timeout of zero) is a fix for that anachronism.   Should I
>> consider those two points as "features", or should I just get off your
>> lawn before I get yelled at?  ;-)
>>
>
>People who get all bent out of shape about 5 second delays in e-mail 
>delivery deserve to suffer, therefore I personally think the default 
>behavior is fine the way it is.  But as I said, you can find many 
>sendmail "cookbooks" on the Internet that recommend that you set it to 0 
>sec and get on with your life.

     Indeed. :-)
>
>Or you could just set all your firewalls to reject the traffic with much 
>the same end result.
>

     In the same day's digest, on Fri, 02 Apr 2010 18:37:38 +0100,
Matthew Seaman <m.seaman at infracaninophile.co.uk> wrote:
>On 02/04/2010 15:12:33, Jon Radel wrote:
>> This is why there's a school of thought that even if your default for
>> firewall configuration is to quietly drop unwanted packets, IDENT is a
>> protocol that you should actively reject.  It makes things move along
>> more quickly.

     Nonsense.  When a system is harassed by useless crap like that, it
is indeed appropriate to drop the packets.  I remain grateful to this day
to the person on this list who long ago pointed out blackhole(4) to me in
response to my queries about how to deal with my system's kernel issuing
console complaints that it was limiting the sending of RSTs to 200 per
second.  Let the buggers eat silence, I say.  It can help to slow down
their assaults.
>
>That, and the fact that the ident protocol is utterly pointless -- it's
>trivially easy for a server to lie about the owner of the other end of a
>TCP connection.  In fact, doing that is a standard part of the
>functionality of identd implementations.  Just a waste of packets.
>
     Precisely.  So are the RSTs in such cases.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
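The three knobs the thread argues over (sendmail's IDENT timeout, reject vs. drop at the firewall, and blackhole(4)) written out as an added configuration example; this is not from the thread or from the FreeBSD or sendmail projects, and the interface name em0 and the m4 file name are assumptions.

```conf
# --- /etc/mail/<host>.mc (sendmail m4 config) ---
# Timeout.ident defaults to 5s, which is the five second greeting delay.
# The "cookbook" setting is 0: sendmail then sends no IDENT query at all,
# so a silently dropped reply can no longer stall the SMTP greeting.
define(`confTO_IDENT', `0')dnl

# --- /etc/pf.conf ---
# Pick ONE of the two rules below for inbound TCP/113 (auth/ident).
ext_if = "em0"    # assumed external interface name

# "Actively reject" (Jon Radel's view): answer with a TCP RST so a remote
# MTA that queries us fails fast instead of waiting out its own timeout.
block return in quick on $ext_if proto tcp from any to any port 113

# "Let them eat silence" (Scott Bennett's view): say nothing; the remote
# end waits for its own IDENT timeout before it gets on with delivery.
# block drop in quick on $ext_if proto tcp from any to any port 113

# --- /etc/sysctl.conf: blackhole(4) ---
# tcp.blackhole=1 drops SYNs to closed ports without an RST;
# 2 drops every segment to a closed port.  udp.blackhole=1 suppresses
# the ICMP port-unreachable for closed UDP ports.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# The kernel's "Limiting closed port RST response ... to 200 packets/sec"
# console message is this rate limit; with blackhole set, the RSTs that
# trip it are never generated in the first place.
net.inet.icmp.icmplim=200
```

The pf rules only cover unsolicited IDENT queries arriving at this host; the confTO_IDENT setting is what stops this host's own sendmail from waiting on queries it sends out.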

