> > Oct 29 10:27:58 av3 postfix/smtpd[16988]: connect from
> > unknown[xxx.yyy.www.zzz]
> > Oct 29 10:27:58 av3 postfix/smtpd[16988]: 7B98D75008D:
> > client=unknown[xxx.yyy.www.zzz]
> > Oct 29 10:34:25 av3 postfix/smtpd[16988]: timeout after DATA from
> > unknown[xxx.yyy.www.zzz]
> > Oct 29 10:34:25 av3 postfix/smtpd[16988]: disconnect from
> > unknown[xxx.yyy.www.zzz]
> >
> > What can I suspect about the cause? A firewall, protection software on
> > the sending client, or what?
> 
> All of the above, including firewalls that break IP path MTU
> discovery or TCP window scaling.  A tcpdump recording will
> help to distinguish between these. I don't think that packet
> content is needed for this.
> 

Indeed, I have already dumped the TCP communication on a network device
between the client (client) and the server (server).

12:31:06.808714 O client.1395 > server.25: . 1931191:1932551(1360) ack
358 win 65178 (DF)
12:31:06.810488 I server.25 > client.1395: . ack 1932551 win 32767 (DF)
12:31:06.852564 O client.1395 > server.25: . 1932551:1933911(1360) ack
358 win 65178 (DF)
12:31:06.854144 I server.25 > client.1395: . ack 1933911 win 32767 (DF)
12:31:06.894753 O client.1395 > server.25: . 1933911:1935271(1360) ack
358 win 65178 (DF)
12:31:06.896266 I server.25 > client.1395: . ack 1935271 win 32767 (DF)
12:31:06.936602 O client.1395 > server.25: . 1935271:1936631(1360) ack
358 win 65178 (DF)
12:31:06.938700 I server.25 > client.1395: . ack 1936631 win 32767 (DF)
12:31:06.980516 O client.1395 > server.25: . 1936631:1937991(1360) ack
358 win 65178 (DF)
12:31:06.982220 I server.25 > client.1395: . ack 1937991 win 32767 (DF)
12:31:07.522337 O client.1395 > server.25: . 1932551:1933911(1360) ack
358 win 65178 (DF)
12:31:07.524024 I server.25 > client.1395: . ack 1937991 win 32767
<nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED]> (DF)
12:31:08.944525 O client.1395 > server.25: . 1932551:1933911(1360) ack
358 win 65178 (DF)
12:31:08.946030 I server.25 > client.1395: . ack 1937991 win 32767
<nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED]> (DF)
12:31:11.788665 O client.1395 > server.25: . 1932551:1933911(1360) ack
358 win 65178 (DF)
12:31:11.789996 I server.25 > client.1395: . ack 1937991 win 32767
<nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED]> (DF)
12:31:14.124361 I server.25 > client.1383: FP 0:49(49) ack 1 win 32767
<nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED]> (DF)
12:31:17.366904 O client.1395 > server.25: . 1932551:1933911(1360) ack
358 win 65178 (DF)
12:31:17.368809 I server.25 > client.1395: . ack 1937991 win 32767
<nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED]> (DF)
12:31:28.524960 O client.1395 > server.25: . 1932551:1933911(1360) ack
358 win 65178 (DF)
12:31:28.527685 I server.25 > client.1395: . ack 1937991 win 32767
<nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED]> (DF)
12:31:48.433164 I server.25 > client.1383: FP 0:49(49) ack 1 win 32767
<nop,nop,sack [EMAIL PROTECTED] [EMAIL PROTECTED]> (DF)

But I'm not completely able to give a correct interpretation of the
output.

The only relevant thing that I strongly suspect is that the last row
points out that the server has noticed that the client has not responded
for a long time and sends a FIN packet.

But no other info about the cause of the 'communication breaking' is
possible to get.

rocsca
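
Added example, not part of the original post: a Python sketch that reads old-style tcpdump text like the trace above and lists every data segment the client sends again after the server has already ACKed past it, with the time since the previous copy. The function name `stale_retransmits` and the regular expression are assumptions made for this illustration; the sample lines are taken from the post with wrapped lines rejoined and the archive-redacted sack option dropped.

```python
import re
from datetime import datetime

# Lines taken from the trace in the post (wrapped lines rejoined, the
# archive-redacted sack option dropped).
TRACE = """\
12:31:06.808714 O client.1395 > server.25: . 1931191:1932551(1360) ack 358 win 65178 (DF)
12:31:06.810488 I server.25 > client.1395: . ack 1932551 win 32767 (DF)
12:31:06.852564 O client.1395 > server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:06.854144 I server.25 > client.1395: . ack 1933911 win 32767 (DF)
12:31:06.980516 O client.1395 > server.25: . 1936631:1937991(1360) ack 358 win 65178 (DF)
12:31:06.982220 I server.25 > client.1395: . ack 1937991 win 32767 (DF)
12:31:07.522337 O client.1395 > server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:07.524024 I server.25 > client.1395: . ack 1937991 win 32767 (DF)
12:31:08.944525 O client.1395 > server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:11.788665 O client.1395 > server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:17.366904 O client.1395 > server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
12:31:28.524960 O client.1395 > server.25: . 1932551:1933911(1360) ack 358 win 65178 (DF)
"""

# timestamp, direction, src > dst, flags, optional start:end(len), ack number
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) [IO] (?P<src>\S+) > (?P<dst>\S+): \S+ "
    r"(?:(?P<start>\d+):(?P<end>\d+)\(\d+\) )?ack (?P<ack>\d+)")

def stale_retransmits(trace, sender="client.1395", receiver="server.25"):
    """Return (segment, seconds since previous copy) for every data segment
    the sender emits after the receiver already ACKed past its end."""
    highest_ack, last_seen, hits = 0, {}, []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        if m["src"] == receiver and m["dst"] == sender:
            highest_ack = max(highest_ack, int(m["ack"]))
        elif m["src"] == sender and m["start"]:
            seg = (int(m["start"]), int(m["end"]))
            if seg[1] <= highest_ack:      # receiver already ACKed this data
                gap = (ts - last_seen[seg]).total_seconds() if seg in last_seen else None
                hits.append((seg, gap))
            last_seen[seg] = ts
    return hits

if __name__ == "__main__":
    for seg, gap in stale_retransmits(TRACE):
        print(seg, gap)
```

On these lines it reports segment 1932551:1933911 five times, with gaps that roughly double from the second copy on (about 1.4 s, 2.8 s, 5.6 s, 11.2 s), which is the client's retransmission timer backing off. Every copy comes after the capture point has seen the server ACK 1937991, so the ACKs recorded there are not taking effect at the client.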

