Hi, just for the curious, we could solve it by using a rule on the BSD firewall
LAN to pass TCP using "synproxy".
The mail transaction passes and goes on quickly without generating the SYN/ACK
flood.
Hope this is enough for any situation...
Gabriele
Sonicle S.r.l.: http://www.sonicle.com
Music: http://www.gabrielebulfon.com
Quantum Mechanics: http://www.cdbaby.com/cd/gabrielebulfon
----------------------------------------------------------------------------------
From: Wietse Venema
To: Postfix users
Date: 11 September 2020 02:08:01 CEST
Subject: Re: syn flood generated by a postfix transaction
Gabriele Bulfon:
> Thanks so much for the deep explanation :)

Considering the questions asked, I must keep the conversation at a
basic level.

> Kernel is illumos; I exclude that it can be a bug in the kernel stack.
> I will check Postfix config, but I don't think there is any huge
> limit as you suggested.

Don't overlook the firewall (yours or theirs), or other boxes
in the middle that may manipulate TCP packets.

> What about the "PIX workaround"?

That causes Postfix to speak SMTP slower. If the data sent over an
established TCP connection can trigger a TCP SYN flood, then SOMETHING
AT THE NETWORK LEVEL is massively screwed up.
Wietse
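A concrete form of the synproxy rule Gabriele mentions at the top of the thread, as an added example: this is not from the original messages and is not Sonicle's actual firewall configuration. It is a pf.conf fragment for a BSD firewall whose LAN-side interface faces the Postfix host; the interface name, the mail host address and the macro names are assumptions.

```pf
# Added example pf.conf fragment (not from the thread, not Sonicle's config).
# Assumed names: em1 is the LAN-side interface, 192.0.2.25 is the Postfix host.
lan_if   = "em1"
mailhost = "192.0.2.25"

# Outbound SMTP from the Postfix host. With "synproxy state", pf completes
# the three-way handshake with the Postfix host itself and only then opens
# its own connection to the remote MTA, so neither side's handshake packets
# are forwarded end to end. "flags S/SA" limits the rule to initial SYNs
# (SYN set, ACK clear), which is what synproxy needs to act on.
pass in on $lan_if proto tcp from $mailhost to any port smtp \
    flags S/SA synproxy state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the proxied connections appear in `pfctl -ss` as state entries for port 25. To verify that the symptom is actually gone rather than merely moved, watch the LAN side for SYN/ACK segments with `tcpdump -ni em1 'tcp port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'` during a delivery. Two caveats: synproxy state does not work when pf runs on a bridge(4) interface, so check pf.conf(5) for the restrictions in your release; and, as Wietse points out, data on an established connection provoking a SYN flood means some box between the endpoints is rewriting TCP, so the proxy hides that device rather than fixing it.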