per [at] hedeland.org (Per Hedeland) writes:
> In article <87vebitndx.fsf [at] anfi.office-on-the.net> Andrzej Adam Filip
> <anfi [at] onet.eu> writes:
>>per [at] hedeland.org (Per Hedeland) writes:
>>
>>> In article <87k5rzaaec.fsf [at] anfi.office-on-the.net> Andrzej Adam Filip
>>> <anfi [at] onet.eu> writes:
>>>>per [at] hedeland.org (Per Hedeland) writes:
>>>>
>>>>> In article <873aypaihr.fsf [at] anfi.homeunix.com> Andrzej Adam Filip
>>>>> <anfi [at] onet.eu> writes:
>>>>>>Is there any way to set sending system to allow iptables (firewall) on
>>>>>>the receiving system use separate rate control for "at once" delivery
>>>>>>attempts and queue runs?
>>>>>
>>>>> Is this a sendmail question?:-)
>>>>
>>>>Sendmail has a long lasting history of fixing "deficiencies" of other
>>>>soft :-)
>>>>
>>>>>>Using different IP addresses will not play well with grey-listing.
>>>>>
>>>>> Well, other things that come to mind for a general answer are source
>>>>> port (range) and TOS bits. For a sendmail answer, you could perhaps
>>>>> arrange for one or the other to use a mailer with the 'R' flag set.
>>>>
>>>>Do *you* think playing with TOS would be cost effective?
>>>
>>> I guess it comes back to my first question above - if you want a
>>> sendmail answer, there is no support for setting the TOS bits from
>>> within sendmail, and doing it for the purpose in question would
>>> basically be a pretty gross hack, so it's likely that you'd end up with
>>> a "private" source mod => not a lot of fun, but if that's what it
>>> takes... Using the 'R' flag for this is a pretty gross hack too, but at
>>> least it's readily available => if it can work, use that instead.
>>
>>R flag makes sendmail use ports<1024 reserved on unixes for sole use by
>>root => it makes sendmail run as root
>
> Not strictly true, some Unices allow you to give this capability to
> non-root processes.
>
>>I would like a solution `usable' by sendmail not seeing root privileges
>>even for a millisecond.
>
> Well, you could have mentioned that at the outset to save some wasted
> time, given that in a standard sendmail setup remote SMTP connections
> will always be initiated by a process running as root.
You have wasted no time :-)
I tell you what I would like as the perfect solution (for me),
you 'refreshed my memory' about something that can be used in
*unpatched* sendmail (including older versions).
> Anyway, modulo your OS being capability-capable per above, I guess
> you're then left with a "private" source mod - either to use two
> different "unprivileged" source port ranges or to diddle the TOS bits.
> At least I can't think of any other properties of the connection that
> are a) user-process-settable and b) likely to survive through the
> network - given that you've already excluded source IP address.
Playing with TOS (priority to be specific) seems to be the most
straightforward patch (very similar to setting size of TCP buffers).
> Well, possibly you could use different source IP addresses after all,
> but source-NAT the incoming connections to the same address *after*
> applying the rate control - not sure if iptables is able to do such a
> thing, but it's theoretically possible at least.
>
> Or modify the greylisting to treat the particular two IP addresses as
> identical. Or just live with greylisting kicking in initially.
--
[pl>en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
Last guys don't finish nice.
-- Stanley Kelley, on the cult of victory at all costs
