Gna! Administration - Support: sr #1436, ident check indirectly causes mail...


sr #1436: ident check indirectly causes mail to fail to be delivered

Submitted by:  Lucas Nussbaum <lnu>
Submitted on:  Mon Jan 8 18:08:28 2007  
Category: Mail and Mailing-List
Priority: 5 - Normal
Severity: 4 - Important
Status: In Progress
Privacy: Public
Assigned to: None
Open/Closed: Open
Operating System: Any / Non-Specific


Sat Jan 20 09:32:43 2007, comment #2:

It can probably provide useful information in the logs, but this doesn't justify that 30s timeout. In exim 4.61, the timeout was decreased from 30s to 5s. See that comment in a Debian Etch exim.conf:

# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls. You can limit the hosts to which these calls are made, and/or change
# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
# are disabled. RFC 1413 calls are cheap and can provide useful information
# for tracing problem messages, but some hosts and firewalls are
# misconfigured to drop the requests instead of either answering or
# rejecting them. This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up SMTP sessions. (The default was
# reduced from 30s to 5s for release 4.61.)
# rfc1413_hosts = *
# rfc1413_query_timeout = 5s

I suggest we do the same: decrease to 5s. This would solve the problem of sender callouts failing.

Another problem is that the check seems to have a problem receiving RST packets: my server doesn't just drop the ident packets, it refuses the connection. exim should detect that and stop retrying:
Capturing on eth0
0.000000 -> TCP 58444 > auth [SYN] Seq=0 Len=0 MSS=1460 TSV=207597283 TSER=0 WS=0
0.000025 -> TCP auth > 58444 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
2.990316 -> TCP 58444 > auth [SYN] Seq=0 Len=0 MSS=1460 TSV=207597583 TSER=0 WS=0
2.990355 -> TCP auth > 58444 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
8.990332 -> TCP 58444 > auth [SYN] Seq=0 Len=0 MSS=1460 TSV=207598183 TSER=0 WS=0
8.990377 -> TCP auth > 58444 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
20.990317 -> TCP 58444 > auth [SYN] Seq=0 Len=0 MSS=1460 TSV=207599383 TSER=0 WS=0
20.990357 -> TCP auth > 58444 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0

Could this be explained by a firewall configuration?

Lucas Nussbaum <lnu>
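
Added example (not part of the original comment): the capture above, parsed to quantify the retry pattern. One source port and SYN gaps of 3, 6 and 12 seconds match TCP SYN retransmission backoff, which is what a sender does when no reply reaches its TCP stack; that reading is an interpretation, and `parse` and `analyse` are illustrative names.

```python
import re

# Capture lines as posted in the comment above (host addresses are absent there).
CAPTURE = """\
0.000000 -> TCP 58444 > auth [SYN] Seq=0 Len=0 MSS=1460 TSV=207597283 TSER=0 WS=0
0.000025 -> TCP auth > 58444 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
2.990316 -> TCP 58444 > auth [SYN] Seq=0 Len=0 MSS=1460 TSV=207597583 TSER=0 WS=0
2.990355 -> TCP auth > 58444 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
8.990332 -> TCP 58444 > auth [SYN] Seq=0 Len=0 MSS=1460 TSV=207598183 TSER=0 WS=0
8.990377 -> TCP auth > 58444 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
20.990317 -> TCP 58444 > auth [SYN] Seq=0 Len=0 MSS=1460 TSV=207599383 TSER=0 WS=0
20.990357 -> TCP auth > 58444 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
"""

LINE = re.compile(r"\s*(\d+\.\d+) -> TCP (\S+) > (\S+) \[([^\]]+)\]")

def parse(capture):
    """Return (time, src_port, dst_port, flags) for each recognised line."""
    packets = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            flags = frozenset(f.strip() for f in m.group(4).split(","))
            packets.append((float(m.group(1)), m.group(2), m.group(3), flags))
    return packets

def analyse(packets, query_timeout=30.0):
    """Summarise SYN retries against the ident timeout (30s in this report)."""
    syns = [p for p in packets if p[3] == frozenset({"SYN"})]
    rsts = [p for p in packets if "RST" in p[3]]
    gaps = [round(b[0] - a[0]) for a, b in zip(syns, syns[1:])]
    # A SYN counts as refused when a RST comes back the other way within 1 ms.
    refused = sum(any(r[1] == s[2] and r[2] == s[1] and 0 <= r[0] - s[0] < 0.001
                      for r in rsts) for s in syns)
    next_retry = syns[-1][0] + 2 * gaps[-1] if gaps else None
    return {
        "syn_count": len(syns),
        "refused": refused,
        "gaps_s": gaps,
        "one_source_port": len({s[1] for s in syns}) == 1,
        "gaps_double": all(b == 2 * a for a, b in zip(gaps, gaps[1:])),
        # With doubling gaps the next SYN would fall after the ident timeout.
        "next_retry_after_timeout": next_retry is not None and next_retry > query_timeout,
    }

if __name__ == "__main__":
    print(analyse(parse(CAPTURE)))
```
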
Sat Jan 20 07:28:32 2007, comment #1:

I think this check is of use; otherwise it would not be set as the default in exim.
This question should maybe be posted on the exim-users mailing list at, to have a clear answer; I'm not sure I get the big picture.

Mathieu Roy <yeupou>
Site Administrator
Mon Jan 8 18:08:28 2007, original submission:

I recently set up exim's sender verify callout to avoid some of the huge lot of spam I receive daily. When a remote SMTP connects to my server, my server checks if the sender address exists by connecting to the address's SMTP server, and issuing HELO, MAIL FROM, and RCPT TO commands.

A similar system has been implemented recently inside Debian, on an opt-in basis.

Since I set this up, I couldn't receive mail from gna anymore. I investigated the issue, and understood that when my server connects to to check an address, it runs into a 30s timeout caused by the ident check on
rfc1413_hosts = *
rfc1413_query_timeout = 30s

Indeed, I see ident requests coming in, and connection being refused (I don't run an ident daemon). It's strange that doesn't that the connection is refused, and continues to try to connect for 30s, but that's not the main issue, since the issue would be the same for servers which filter ident requests.

I think that the timeout for the ident check should be decreased to something like 5s, or the check should be completely removed (is it really of much use?)

A list of other affected mail targets is available with

grep "451 Could not complete sender verify callout" /var/log/exim4/mainlog.1 /var/log/exim4/mainlog

Thank you

Lucas Nussbaum <lnu>
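
Added example, not from the original report: a single TCP connect to a host's ident port (113/tcp, RFC 1413) that classifies the reply the way the report distinguishes them (refused versus filtered) and estimates the delay an ident-querying server would add when starting an SMTP session. `probe_ident` and `session_delay` are illustrative names, and the default host is a placeholder.

```python
import socket
import sys
import time

IDENT_PORT = 113  # RFC 1413 "auth" service

def probe_ident(host, port=IDENT_PORT, timeout=5.0):
    """Try one TCP connect; return (verdict, elapsed_seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            verdict = "open"         # something is listening on the ident port
    except ConnectionRefusedError:
        verdict = "refused"          # RST came back: should fail at once
    except socket.timeout:
        verdict = "filtered"         # SYN dropped silently: the caller waits
    except OSError as exc:
        verdict = "error: %s" % exc  # unreachable network, DNS failure, ...
    return verdict, time.monotonic() - start

def session_delay(verdict, elapsed, rfc1413_query_timeout):
    """Estimated delay an ident-querying MTA adds per incoming SMTP session."""
    if verdict == "filtered":
        return float(rfc1413_query_timeout)  # the full timeout is spent
    return min(elapsed, float(rfc1413_query_timeout))

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder host
    verdict, elapsed = probe_ident(host)
    print("%s:%d %s after %.3fs" % (host, IDENT_PORT, verdict, elapsed))
    for setting in (30, 5):  # the two timeout values discussed in this report
        print("rfc1413_query_timeout = %ds -> about %.1fs delay"
              % (setting, session_delay(verdict, elapsed, setting)))
```
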



Follow 2 latest changes.

Date                      Changed By  Updated Field  Previous Value => Replaced By
Sat Jan 20 09:32:43 2007  lnu         Status         Need Info => In Progress
Sat Jan 20 07:28:32 2007  yeupou      Status         In Progress => Need Info