David,

Thanks for your reply to this. I am working with Brian Hatch on this problem.

> Well, you can turn on logging to see if your rules are the problem. You only
> need to look at the INPUT and OUTPUT chains, so put a -j LOG rule in that
> matches your DROP rules (before the DROP), and perhaps one at the end of each
> chain.

With all of the iptables modules unloaded (i.e. fresh after a reboot), it
still is not able to establish the socket to certain remote hosts on port 25.
The problem is not anything to do with sendmail, since telnet is not able to
establish the socket to remote:25 either. We have seen this with various
remote IP addresses. Again, most remote servers work just fine for accepting
connections from our server to port 25; but a few give TCP SYN timeouts.

> If this is really only for some domains from the firewall itself, I'd say
> it's a network problem not firewall rules. But you can post your rules to
> see if we can spot any that would only apply to some domains.

We don't think it's a network problem for the following reasons:

1. An old system with a different (2.0.x) kernel, on that same IP address, is
   able to connect to these remote mail servers on port 25.

2. We put the Red Hat 2.4.9-34 kernel on this system, rebooted, and by the
   time we got logged in to check the mail queue, all of the messages that had
   been undeliverable were already gone. (And telnet also worked to the remote
   MTAs.)

> I assume you're using telnet or netcat to test the connections.

Netcat! That's a good idea. I'll have to look for it & how to use it, because
I've got another system with the same problem. We were using "telnet hostname
25" or "telnet i.p.ad.dr 25" as our test mechanism.

Since the Red Hat kernel works, I can only assume that this is a bug in the
2.4.18 kernel. (It was a stock kernel.org kernel with a Red Hat
kernel-2.4.x-i686-smp.config config file.)

Perhaps there is some bug that was introduced into the Linux kernel between
2.4.9 and 2.4.18, or perhaps there is something that was fixed or changed in
the Linux kernel between those versions that broke its interaction with some
TCP/IP stacks in some other operating systems, or perhaps just certain MTAs
are broken.

Here's one mail server that doesn't work with our 2.4.18 kernel but works with
other kernels:

[39] root@agadez:/home/root > telnet mta01.cdpd.airdata.com 25
Trying 199.88.234.33...
Connected to mta01.cdpd.airdata.com.
Escape character is '^]'.
220 mta01.cdpd.airdata.com (IntraStore TurboSendmail) ESMTP Service ready
quit
221 Until later [63.251.183.14]
Connection closed by foreign host.

This is a WEIRD problem... Ideas, anyone? We would like to run our 2.4.18
kernel because there's a bunch of other stuff that we've customized around
that environment.

--Jim

-- 
Jim Ockers - Pason (ockers@pason.com)
Contact info: http://www.pason.com/ockers.html
Fight Spam! Join CAUCE (Coalition Against Unsolicited Commercial Email) at
http://www.cauce.org/ .
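Added example, not part of this thread: a small parser for the kernel log lines that a -j LOG rule placed ahead of a DROP rule produces (the check David suggested for the INPUT and OUTPUT chains), summarizing per peer which outbound SYNs to port 25, and which replies from port 25, hit the logging rule. The log prefixes, hostname and addresses in the sample are constructed for the example, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample kernel log lines of the kind a "-j LOG --log-prefix" rule
# placed just ahead of a DROP rule emits. The prefixes "OUT-DROP"/"IN-DROP" and
# the addresses (RFC 5737 documentation ranges) are assumed values, not real ones.
SAMPLE_LOG = """\
May  3 10:01:02 agadez kernel: OUT-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=33001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 10:01:05 agadez kernel: OUT-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=33001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 10:01:07 agadez kernel: OUT-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=33002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  3 10:01:09 agadez kernel: IN-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=25 DPT=33001 WINDOW=0 RES=0x00 ACK RST URGP=0
May  3 10:01:11 agadez kernel: OUT-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.26 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=TCP SPT=33003 DPT=25 WINDOW=5840 RES=0x00 ACK URGP=0
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")


def parse_log_line(line):
    """Split one netfilter LOG line into its KEY=value fields; None if not one."""
    m = re.search(r"kernel: (?:(\S+) )?(IN=.*)$", line)
    if not m:
        return None
    prefix, body = m.groups()
    rec = {"prefix": prefix}
    rec.update(FIELD_RE.findall(body))
    # TCP flags appear as bare tokens (SYN, ACK, ...); "URGP=" must not count as URG.
    rec["flags"] = {f for f in TCP_FLAGS if re.search(r"\b%s\b" % f, body)}
    return rec


def syn_drops_to_port(log_text, port=25):
    """Return (outbound_syns, inbound_replies): per-peer counts of pure SYNs to
    `port` logged on OUTPUT, and of packets from `port` logged on INPUT."""
    out_syn, in_reply = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        if rec.get("OUT") and rec.get("DPT") == str(port) and rec["flags"] == {"SYN"}:
            out_syn[rec["DST"]] += 1  # our SYN never left: the DROP after LOG ate it
        elif rec.get("IN") and rec.get("SPT") == str(port):
            in_reply[rec["SRC"]] += 1  # the peer answered, but we dropped the reply
    return out_syn, in_reply


if __name__ == "__main__":
    out_syn, in_reply = syn_drops_to_port(SAMPLE_LOG)
    for dst, n in out_syn.items():
        print("OUTPUT chain logged %d SYN(s) to %s:25" % (n, dst))
    for src, n in in_reply.items():
        print("INPUT chain logged %d reply packet(s) from %s:25" % (n, src))
```

Either counter being non-empty for a peer that times out points at the rules rather than the kernel or the network; both empty, with the LOG rules in place, rules out the firewall as the thread eventually did by unloading the modules.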