On Thursday 23 April 2009 10:02:29 Jørn Odberg wrote: > I can now see that the recieving side has an ESTABLISHED connection from > the sender, even after the sender tell me it has lost the connection > with the reciever. So it seems like something in the middle is forcing > the connection to a close... > > I have now captured some more tcpdumping from both sides. > http://postfix.jorno.net/2009_04_23-BamBib-NotBib/
The root of evil are some misguided firewall configurations which block ICMP type 3 packets. As a misguided attempt to work around the first problem, some firewalls or routers intentionally ignore the DF flag (don't fragment), and fragment a long packet anyway, instead of sending an ICMP notification and dropping a packet. And some receiving firewalls drop fragments of a packet which has a DF flag set. A workaround is sometimes to force a smaller MTU at your mailer. Or to turn off MTU discovery (= not to set a DF flag). A fix is to disable blocking of ICMP type 3 packets in firewalls (your outgoing, or recipient's incoming), and turn off the second mentioned misfeature. Mark
