On Sat, Jul 28, 2012 at 11:42 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Sat, Jul 28, 2012 at 09:10:34AM -0400, Wietse Venema wrote:
>
> > Thus, VERP increases the number of parallel connections. This may
> > result in overflow of state tables in under-powered stateful routers,
> > causing them to drop packets that don't match any existing state.
>
> Or perhaps the state tables don't overflow, but rate limits apply
> regardless of connection state. In fact that would be correct
> behaviour I think. Rate enforcement has little to do with whether
> the connection table is full or not...
>
> I would guess that the OP's iptables configuration unwisely fails
> to discriminate between incoming and outgoing traffic. The solution
> is to exempt traffic sent from the machine from the rate controls.
>
> --
> Viktor.
>

Dear friends,

The syslog lines grabbed at the first e-mail for this thread show clearly that iptables is dropping the packet because of the statement below, the only one that logs with "FW DROP-OUT" header:

-A OUTPUT -m limit --limit 30/m --limit-burst 3 -j LOG --log-level notice --log-prefix "FW DROP-OUT "

Adding the information on other e-mails in this thread that it only occurs when sending a great number of e-mails at speed, it seems to me that you should set your limit too little (30/m). Maybe you should set it to something like 200/m and see if that can get you out of your problem. Also, take care of limit-burst; the default is 5 and you limit it to 3.

I understand that defaults are far from specific; they are general numbers that are good for stations, not servers. I would use limit with great care.

I also recommend that you send your initial mail to an iptables mailing list, instead of postfix. I believe the problem is with iptables statements instead of postfix.

Fernando Maior
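An added example, not part of the original thread: a simplified token-bucket model of the iptables `limit` match, showing how often a rule with the `--limit` / `--limit-burst` values discussed above would match during a burst of outgoing packets. The function name, the millisecond time base and the packet timings are assumptions constructed for illustration; packets for which the match fails are not handled by that rule and continue to the next rule in the chain.

```python
def limit_match(times_ms, per_minute, burst):
    """Model of `-m limit --limit <per_minute>/m --limit-burst <burst>`.

    times_ms: sorted packet arrival times in milliseconds.
    Returns one bool per packet: True when the match succeeds, so the
    rule's target (LOG in the quoted rule) is applied to that packet.
    """
    cost = 60_000 // per_minute   # credit (in ms) consumed by one match
    cap = cost * burst            # bucket capacity: `burst` matches
    credit = cap                  # the bucket starts full
    last = None
    results = []
    for t in times_ms:
        if last is not None:
            # Credit refills with elapsed time, never beyond the cap.
            credit = min(cap, credit + (t - last))
        last = t
        if credit >= cost:
            credit -= cost
            results.append(True)
        else:
            results.append(False)
    return results


# Constructed traffic: 60 packets, one every 100 ms (a 6-second burst).
BURST_TRAFFIC = [i * 100 for i in range(60)]


def matches(per_minute, burst):
    """Number of packets in BURST_TRAFFIC that the limit rule matches."""
    return sum(limit_match(BURST_TRAFFIC, per_minute, burst))


if __name__ == "__main__":
    for rate, burst in ((30, 3), (200, 5)):
        print(f"--limit {rate}/m --limit-burst {burst}: "
              f"{matches(rate, burst)} of {len(BURST_TRAFFIC)} packets match")
```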