
Debugging a slow SMTP server connection problem Internet
For the past few months I have had to contend with unbearably slow outgoing email. It seemed to take an age to connect to the SMTP server and send even a single line of text. I tried the MTU fix, I tried different mail clients - all the same thing.

I finally found today that if I turn off the OS X software firewall, it solves the problem. I'm behind two hardware corporate firewalls anyway, so it's clearly redundant. Go to System Preferences -> Sharing -> Firewall and press Stop. This fixed the problem for me and I hope it helps others.

Debugging a slow SMTP server connection problem | 11 comments
Ident perhaps
Authored by: EddEdmondson on Apr 03, '03 10:15:30AM
This sounds like the kind of thing that can happen when a server can't make an ident connection - try opening port 113 on your firewall? PracticallyNetworked.com has a little more info. Try it, and let us know if it works. It'd be much better to only open up that port than to discard your firewall altogether!

[ Reply to This | # ]
Ident perhaps
Authored by: percy on Apr 03, '03 10:26:38AM

*sigh* And I wondered why my IRC connections took so long to set up. Port 113 was closed.



[ Reply to This | # ]
Ident perhaps
Authored by: escowles on Apr 03, '03 12:03:04PM
Thank you! And the hint submitter!

This has been driving me nuts for months. I even set up my own SMTP server on my firewall/NAT machine, with no luck. I added port 113 to my allowed ports in the firewall preferences, and now my emails go in a flash even using my ISP's servers.

-Esme

[ Reply to This | # ]

Mail server, client firewall tips
Authored by: thrig on Apr 03, '03 12:40:03PM

If you run mail services, you can disable or lower ident lookup timeouts; older versions of mail servers set a 30 second timeout, while more recent ones set much lower values.

$ grep Timeout.ident /etc/mail/sendmail.cf
#O Timeout.ident=5s

The above sets a default five second ident lookup timeout in sendmail; a custom value would not be commented out. To set a custom value, use something like the following in your sendmail.mc, then rebuild sendmail.cf.

define(`confTO_IDENT', `1s')

For more information on sendmail, see my sendmail configurations and documentation.

On the client side of things, one can effect an immediate timeout while still firewalling the ident port by sending back a "that port is closed" response from the firewall.

/sbin/ipfw add reset tcp from any to any 113 in

For more firewall rule examples, see how I run ipfw on my Mac.



[ Reply to This | # ]
Sorry, broken link
Authored by: EddEdmondson on Apr 04, '03 05:17:57AM

Seems I put .html instead of .htm. Should really make more use of cut and paste ;-)



[ Reply to This | # ]
Turning off firewalls not recommended
Authored by: sben on Apr 03, '03 11:39:00AM

While an interesting hint, and while it may point to the "correct" solution (perhaps the ident port suggestions posted above? perhaps some DNS-related issue?), I can't recommend turning off your firewall altogether.

First, most practically, if you're using a laptop, you will take it somewhere there's no firewall. A friend's house with a naively-configured AirPort? Your office where an old sysadmin forgot to turn off a remote access port after he finished working from home?

Secondly, more fundamentally, good security includes (among many other things) security in depth. Sure, you definitely want a Very Strong primary firewall, but secondary firewalls (e.g. on each individual Mac) will go a long way towards protecting the network if (when) the primary firewall is compromised.

Thirdly, related to the second point, if you're on a corporate network, keep in mind that most security breaches occur from within — either via social engineering, or Trojan horses, or disgruntled employees.



[ Reply to This | # ]
Turning off firewalls not recommended
Authored by: BigMac2 on Apr 03, '03 10:41:09PM

I've been on the internet since far before the invention of hypertext, and it's still astonishing to see how many misconceptions there are about it. First of all, SMTP never uses IDENT. Second of all, for all paranoid people, stop all your crap about being hacked behind a NAT. Even if there is some port open on OS X, it can't be accessed from another computer, and in the case that you have enabled some sharing stuff on your computer, the built-in firewall configuration in Jaguar will unfilter this port.



[ Reply to This | # ]
Turning off firewalls not recommended
Authored by: EddEdmondson on Apr 04, '03 05:15:43AM
Of course SMTP never uses ident, they're two different protocols. But that doesn't mean that SMTP servers never make use of ident.

When I posted that first comment I'd never come across an SMTP server that made ident requests, but it seems sendmail for one has the ability to do so. Try using Google (like I did) before dismissing a possible solution out of hand.

And I can't see anywhere that anyone has claimed you can be hacked through NAT without some further compromise - at least that's how I interpret sben's line 'compromise of the primary firewall'

[ Reply to This | # ]

Enter the logfile
Authored by: vogunaescht on Apr 03, '03 02:23:08PM

You should activate logging so you can see which connection attempts get blocked in response to your outgoing connections. Then you can figure out which ports you might want to open, as in the irc case the identd port.
Use the BrickHouse frontend to ipfw to do this or set the log option to your ipfw rules.



[ Reply to This | # ]
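The logging approach suggested in the comment above, as an added example that is not part of the original thread: it scans ipfw deny entries for inbound packets coming from servers you had just connected to. The log layout, rule number and all addresses are constructed assumptions; adjust the pattern to your own syslog lines.

```python
import re
from collections import Counter

# Constructed sample log lines (assumed ipfw syslog layout, documentation IPs).
# 203.0.113.25 plays the SMTP server the Mac was sending mail through.
SAMPLE_LOG = """\
Apr  3 14:20:11 mac mach_kernel: ipfw: 12190 Deny TCP 203.0.113.25:41822 192.168.1.20:113 in via en0
Apr  3 14:20:14 mac mach_kernel: ipfw: 12190 Deny TCP 203.0.113.25:41822 192.168.1.20:113 in via en0
Apr  3 14:20:20 mac mach_kernel: ipfw: 12190 Deny TCP 203.0.113.25:41822 192.168.1.20:113 in via en0
Apr  3 14:21:02 mac mach_kernel: ipfw: 12190 Deny TCP 198.51.100.7:3301 192.168.1.20:445 in via en0
Apr  3 14:22:40 mac mach_kernel: ipfw: 12190 Deny UDP 198.51.100.9:1026 192.168.1.20:137 in via en0
"""

DENY_IN = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<ifc>\S+)"
)

def blocked_callbacks(log_text, servers_contacted):
    """Count denied inbound packets whose source is a server we connected to.

    Unsolicited probes from other hosts are ignored, so what remains are the
    connections a server tried to make back to us, keyed by
    (server, protocol, local port).
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_IN.search(line)
        if m and m["src"] in servers_contacted:
            hits[(m["src"], m["proto"], int(m["dport"]))] += 1
    return hits

if __name__ == "__main__":
    for (server, proto, port), n in blocked_callbacks(SAMPLE_LOG, {"203.0.113.25"}).items():
        print(f"{server} was denied {n}x on local {proto} port {port}")
```

Repeated denies from the mail server to local port 113 a few seconds apart are the retried ident callback; the entries from other hosts are unrelated noise and say nothing about which port to open.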
Debugging a slow SMTP server connection problem
Authored by: BigMac2 on Apr 05, '03 12:58:22PM

Ident identification isn't part of the SMTP RFC.
http://ftp.rfc-editor.org/in-notes/rfc2821.txt



[ Reply to This | # ]
Debugging a slow SMTP server connection problem
Authored by: grahamgillett on May 23, '08 12:49:55AM
I am not sure if this will be of help to anyone but I too experienced this problem with slow SMTP connections.

Mac OS X Version 10.5.2

Mac Mail Version 3.2

In my case, however, I am my own ISP and the problem was brought to my attention by one of my small business clients after a hardware and corresponding software upgrade.

On my co-located server I use the Exim MTA and after Googling 'exim identd' found the following question 'Q0020' in the Exim FAQ:

http://exim.dsmirror.nl/exim-html-4.40/doc/html/FAQ_0.html#TOC20

A look in the Exim config file revealed this entry:

# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls. You can limit the hosts to which these calls are made, and/or change
# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
# are disabled. RFC 1413 calls are cheap and can provide useful information
# for tracing problem messages, but some hosts and firewalls have problems
# with them. This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up an SMTP session.

rfc1413_hosts = *
rfc1413_query_timeout = 30s

Changing rfc1413_query_timeout to:

rfc1413_query_timeout = 0s

solved my problem.




[ Reply to This | # ]
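An added example, not code from the thread, Exim or sendmail: the RFC 1413 callback that the Exim and sendmail timeout settings above govern, timed against a port that answers, a port that stays silent and a port that refuses, which is the difference thrig's ipfw `reset` rule makes. The loopback listeners, port numbers and the user name `alice` are constructed stand-ins.

```python
import socket
import threading
import time

def parse_ident_reply(line):
    """Split an RFC 1413 reply line into (outcome, detail)."""
    fields = [f.strip() for f in line.split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return "userid", fields[3]
    if len(fields) >= 3 and fields[1] == "ERROR":
        return "error", fields[2]
    return "malformed", line.strip()

def ident_callback(host, ident_port, client_port, smtp_port, timeout):
    """Ask host's ident service, as an MTA would; returns (outcome, detail, seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            # Query: port on the queried host, then port on the asking host.
            s.sendall(f"{client_port}, {smtp_port}\r\n".encode("ascii"))
            with s.makefile("r", encoding="ascii", errors="replace") as f:
                outcome, detail = parse_ident_reply(f.readline())
    except ConnectionRefusedError:
        outcome, detail = "refused", "port answered with a reset"
    except socket.timeout:
        outcome, detail = "timeout", "no answer before the timeout"
    return outcome, detail, time.monotonic() - start

def demo(timeout=1.0):
    """Run the callback against three loopback stand-ins (all constructed)."""
    def answer_once(listener):
        conn, _ = listener.accept()
        with conn:
            pair = conn.recv(64).decode("ascii").strip()
            conn.sendall(f"{pair} : USERID : UNIX : alice\r\n".encode("ascii"))
    socks = [socket.create_server(("127.0.0.1", 0)) for _ in range(3)]
    ports = [s.getsockname()[1] for s in socks]
    threading.Thread(target=answer_once, args=(socks[0],), daemon=True).start()
    # socks[1] listens but never replies, standing in for a dropped port 113.
    socks[2].close()  # nothing listens on this port any more: refused
    results = {n: ident_callback("127.0.0.1", p, 50000, 25, timeout)
               for n, p in zip(("responder", "silent", "closed"), ports)}
    for s in socks[:2]:
        s.close()
    return results

if __name__ == "__main__":
    for name, (outcome, detail, secs) in demo().items():
        print(f"{name:9s} {outcome:8s} {secs:5.2f}s  {detail}")
```

Only the silent port costs the full timeout; with a 30s setting that is the delay the mail client sees before the SMTP session starts.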