Postfix - Timeout While Sending End of Data

Jafaruddin Lie

Our Postfix server (RHEL 4, stock-standard RPM) is playing up at the moment.
The mail server is our outgoing mail server (on the DMZ), and I noticed that since last weekend we're having this issue:

A lot of the mails generated by our web applications (and manually, may I add) were being queued up with this error message: delivery temporarily suspended: conversation with MAILSERVER timed out while sending end of data -- message may be sent more than once. It happens to emails sent to all domains.

Some are delivered eventually, some seem to be stuck in the queue, and then there are some others that were delivered immediately.

Restarting the service doesn't seem to help. Nothing on maillog or message log or error log.

We do have a CISCO ASA 5520 that the outgoing mailserver sits behind, and I have done the no fixup protocol on the box to no avail.
I have also enabled ICMP from that box to our internal mail server, and ping works so I figure the ICMP NO-FRAGMENT wouldn't be an issue here now.

Help?


--
Registered Linux user no. 384430

Re: Postfix - Timeout While Sending End of Data

DJ Lucas-2
On 02/14/2010 10:17 PM, Jafaruddin Lie wrote:
>
> We do have a CISCO ASA 5520 that the outgoing mailserver sits behind,
> and I have done the no fixup protocol on the box to no avail.
> I have also enabled ICMP from that box to our internal mail server,
> and ping works so I figure the ICMP NO-FRAGMENT wouldn't be an issue
> here now.
>
It sounds as though the issue surfaced about the same time the new
security device came into play.  If so, it might help to make that
absolutely clear to everyone who reads this thread.  Is this the only
change in the environment?  From what you've said above, it sounds like
you're on the right track.  Only thing I noticed is that you mentioned
fixup (PIX) and not inspect (ASA).  I don't have an ASA in front of me
ATM (and honestly, I'm not all that good with them anyway), however
something 'like' the following commands should get you to the right
place if you don't have access to ASDM (assuming you haven't changed too
much in the default configuration).  There are plenty of examples all
over the net if you use the correct search terms.  Obviously, you should
do a 'show run' to make sure my second assumption is correct (and that
this could even be the problem).

{{{
policy-map global_policy
  class inspection_default
   no inspect esmtp
}}}

Don't forget to write, else it'll be gone on reboot if it works.  Sorry,
done that a couple of times myself, though I always dump my configs.  A
friendly reminder never hurts either way.

BTW, here is a better example than the Cisco docs (IMO), probably should
have just linked to there in the first place instead of the above
gibberish.  Oh well.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html

-- DJ Lucas


--
This message has been scanned for viruses and
dangerous content, and is believed to be clean.


Re: Postfix - Timeout While Sending End of Data

Stan Hoeppner
DJ Lucas put forth on 2/15/2010 1:22 AM:

> http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html

Never post links to information that requires a credit card in order to view it.
 I'm sure this breaks one if not many netiquette rules. ;)

Surely there are many freely available texts with the relevant information that
are just as good as this non-free text.

--
Stan

Re: Postfix - Timeout While Sending End of Data

DJ Lucas-2
On 02/15/2010 01:30 AM, Stan Hoeppner wrote:

> DJ Lucas put forth on 2/15/2010 1:22 AM:
>
>  
>> http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html
>>    
> Never post links to information that requires a credit card in order to view it.
>  I'm sure this breaks one if not many netiquette rules. ;)
>
> Surely there are many freely available texts with the relevant information that
> are just as good as this non-free text.
>
>  
My apologies to the list.  Didn't even think of that.  In my (admittedly
weak) defense, you can scroll to the bottom of the page and get the
accepted solution and OP's responses without a CC for Experts Exchange.

-- DJ Lucas



Re: Postfix - Timeout While Sending End of Data

Stan Hoeppner
DJ Lucas put forth on 2/15/2010 1:33 AM:

> On 02/15/2010 01:30 AM, Stan Hoeppner wrote:
>> DJ Lucas put forth on 2/15/2010 1:22 AM:
>>
>>  
>>> http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html
>>>    
>> Never post links to information that requires a credit card in order to view it.
>>  I'm sure this breaks one if not many netiquette rules. ;)
>>
>> Surely there are many freely available texts with the relevant information that
>> are just as good as this non-free text.
>>
>>  
> My apologies to the list.  Didn't even think of that.  In my (admittedly
> weak) defense, you can scroll to the bottom of the page and get the
> accepted solution and OPs responses without a CC for Experts Exchange.

I can't get to it without entering a CC and starting a 30 day trial.  The
"bottom" of the page is white space.  I see no options anywhere on the page to
get at the info without signing up.  This is kinda by design isn't it?  No pay,
no play?  It's the whole point of the Experts Exchange website is it not?

Due to your membership and cookies, even if you aren't logged in, you're
probably still seeing a different page than those without a membership and prior
cookies already on the PC accessing the site.  It's a no go.

--
Stan

Re: Postfix - Timeout While Sending End of Data

Martin Barry
$quoted_author = "Stan Hoeppner" ;
>
> >> DJ Lucas put forth on 2/15/2010 1:22 AM:
> >>  
> >>> http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html
>
> I can't get to it without entering a CC and starting a 30 day trial.  The
> "bottom" of the page is white space.  I see no options anywhere on the page to
> get at the info without signing up.  This is kinda by design isn't it?  No pay,
> no play?  It's the whole point of the Experts Exchange website is it not?

If your HTTP referrer is from google.com you get the whole thread at the
bottom.

cheers
Marty

Re: Postfix - Timeout While Sending End of Data

Jafaruddin Lie
In reply to this post by DJ Lucas-2
So here's an update:
1. I have turned off fixup smtp and checked that inspect esmtp or inspect smtp is not running.
2. I have also enabled ICMP for both ends from our DMZ mail server and internal mail server. It is still happening.

Plot thickens huh.

--
Registered Linux user no. 384430

Re: Postfix - Timeout While Sending End of Data

Eero Volotinen-2
2010/2/16 Jafaruddin Lie <[hidden email]>:
> So here's an update:
> 1. I have turned off fixup smtp and checked that inspect esmtp or inspect
> smtp is not running.
> 2. I have also enabled ICMP for both ends from our DMZ mail server and
> internal mail server. It is still happening.

well, try to disable tcp-windows-scaling ?

--
Eero

Re: Postfix - Timeout While Sending End of Data

Daniel V. Reinhardt
In reply to this post by Jafaruddin Lie



>
>From: Jafaruddin Lie <[hidden email]>
>To: Daniel V. Reinhardt <[hidden email]>
>Sent: Mon, February 15, 2010 10:50:07 PM
>Subject: Re: Postfix - Timeout While Sending End of Data
>
>
>Currently we have mails going to our internal mail server being queued up.
>
>So, to answer your question, it's ethernet 100Mbps connection.
>
>On Tue, Feb 16, 2010 at 9:36 AM, Daniel V. Reinhardt <[hidden email]> wrote:
>
>>>
>>>>>
>>>>>So here's an update:
>>>>>
>>>>>1. I have turned off fixup smtp and checked that inspect esmtp or inspect smtp is not running.
>>>>>2. I have also enabled ICMP for both ends from our DMZ mail server and internal mail server. It is still happening.
>>>>>
>>>>>
>>>>>Plot thickens huh.
>>
>>
>>
>>What is your connection speed, and what are you sending?
>>
>>>>Thanks,
>>>> Daniel Reinhardt
>>>>Website: www.cryptodan.com
>>>>Email: [hidden email]

You didn't answer my question, what is being sent in these e-mails like attachments, and if so what size are they.

Can you provide log files and what not?

Also keep replies on the list.

Thanks,

 Daniel Reinhardt
Website: www.cryptodan.com
Email: [hidden email]


     

Re: Postfix - Timeout While Sending End of Data

Jafaruddin Lie
The size of the email is not big, and I don't think the size of the emails matters.
No, no attachments, it's mostly just acknowledgement mails.
I have seen emails being blocked at around 3KB, whilst emails around 5KB got sent whilst a 160KB mail got blocked.
OK, I have disabled tcp_windows_scaling on the server, we'll see if this keeps on happening.


--
Registered Linux user no. 384430
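
Whether message size correlates with the end-of-data timeouts, the question raised in the exchange above, can be checked from the Postfix log by joining each qmgr `size=` record to the smtp delivery status for the same queue ID. This is an added example, not part of the original thread; the log lines are constructed (hosts, queue IDs and sizes are made up), and the size comparison is a heuristic assumption, not a Postfix feature.

```python
import re
from collections import defaultdict

# Constructed sample log: hosts, queue IDs and sizes are made up for illustration.
SAMPLE_LOG = """\
Feb 15 10:00:01 dmz postfix/qmgr[2101]: A1B2C3D4E5: from=<app@example.org>, size=3120, nrcpt=1 (queue active)
Feb 15 10:05:02 dmz postfix/smtp[2210]: A1B2C3D4E5: to=<a@example.com>, relay=mail.example.com[192.0.2.10], delay=301, status=deferred (conversation with mail.example.com[192.0.2.10] timed out while sending end of data -- message may be sent more than once)
Feb 15 10:06:10 dmz postfix/qmgr[2101]: B2C3D4E5F6: from=<app@example.org>, size=5240, nrcpt=1 (queue active)
Feb 15 10:06:11 dmz postfix/smtp[2211]: B2C3D4E5F6: to=<b@example.com>, relay=mail.example.com[192.0.2.10], delay=1, status=sent (250 Ok: queued as 9F8E7D6C5B)
Feb 15 10:07:00 dmz postfix/qmgr[2101]: C3D4E5F6A7: from=<app@example.org>, size=163900, nrcpt=1 (queue active)
Feb 15 10:12:01 dmz postfix/smtp[2212]: C3D4E5F6A7: to=<c@example.com>, relay=mail.example.com[192.0.2.10], delay=301, status=deferred (conversation with mail.example.com[192.0.2.10] timed out while sending end of data -- message may be sent more than once)
Feb 15 10:13:00 dmz postfix/smtp[2213]: D4E5F6A7B8: to=<d@example.net>, relay=none, delay=30, status=deferred (connect to mx.example.net[198.51.100.7]: Connection refused)
"""

QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<[^>]*>, size=(\d+)")
SMTP = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>.*?relay=([^\[,]+)"
                  r".*?status=(\w+) \((.*)\)\s*$")
EOD = "timed out while sending end of data"

def summarize(log_text):
    """Return {relay: {"eod_timeout": [sizes], "sent": [sizes]}} in bytes."""
    sizes = {}
    result = defaultdict(lambda: {"eod_timeout": [], "sent": []})
    for line in log_text.splitlines():
        m = QMGR.search(line)
        if m:
            sizes[m.group(1)] = int(m.group(2))
            continue
        m = SMTP.search(line)
        if not m:
            continue
        qid, relay, status, reason = m.groups()
        size = sizes.get(qid)  # None if the qmgr line is not in this log
        if status == "deferred" and EOD in reason:
            result[relay]["eod_timeout"].append(size)
        elif status == "sent":
            result[relay]["sent"].append(size)
    return dict(result)

def size_explains_failures(stats):
    """Heuristic: True only if every timed-out message is larger than every
    delivered one, the pattern a size-dependent fault (e.g. path MTU) gives."""
    bad = [s for s in stats["eod_timeout"] if s is not None]
    good = [s for s in stats["sent"] if s is not None]
    return bool(bad and good) and min(bad) > max(good)

if __name__ == "__main__":
    for relay, stats in summarize(SAMPLE_LOG).items():
        print(relay, stats, "size-dependent:", size_explains_failures(stats))
```

With sizes like those reported in the thread (a 3 KB message deferred while a 5 KB message is delivered), the check returns False for the relay, which points away from a purely size-dependent cause.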

Re: Postfix - Timeout While Sending End of Data

Jafaruddin Lie
Thank you for all your responses.
We nailed it down to the dodgy server / Postfix setup.
I copied some of the deferred mail queues to another newly set up Postfix server (in the same DMZ) and those mails got sent immediately. So, all mails are now going out through the new server. Looking good so far.



--
Registered Linux user no. 384430