On 13/1/2021 4:41 μ.μ., Wietse Venema wrote:
This is a TCP-level problem. The remote server's TCP/IP stack, or
some middle box, is refusing connections at the TCP level.
Thanks Wietse,
We'll be checking this out. Although I have done some connectivity
testing with repeated netcat (nc) polling to port 25 over IPv6 between
the two servers, I have not been able to find any issues, at least not yet.
Continuous ping6 shows stable connection at around 7ms; for example:
rtt min/avg/max/mdev = 6.887/7.152/7.432/0.130 ms
In the last 12 hours I have noticed only one occurrence of the problem,
after I whitelisted all our mail servers (2 mail gateway servers and the
main one with the mailboxes) on our Cisco ASA firewall (which is the
main suspect I can think of for disrupting the communication). This only
occurrence did NOT happen at a time with high network load.
It seems to me difficult to troubleshoot since it is a so infrequent
event. The problem is how I can isolate and examine closely the TCP/IP
state at the moment when the problem occurs. Should I tcpdump IPv6 smtp
communication between two mail servers over many hours?
In any case, our mail traffic is low, so I think that reducing postfix
connection limit might not be needed.
If you or anyone else can provide suggestions/hints/thoughts for
troubleshooting at the TCP/IP layer, esp. IPv6, I would appreciate that.
A next move could be closer examination of dropped packets by our
firewall. I found this article for a start:
https://networklessons.com/cisco/asa-firewall/cisco-asa-packet-drop-troubleshooting
Thanks again,
Nick
