
Re: IDENT protocol and DR

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: IDENT protocol and DR
From: Horms <horms@xxxxxxxxxxxx>
Date: Tue, 26 Aug 2003 18:35:06 +0900
On Tue, Aug 26, 2003 at 10:47:04AM +0200, Kjetil Torgrim Homme wrote:
> we're currently using keepalived to manage our mail cluster.  it takes
> care of SMTP, POP, IMAP etc. to a bunch of machines, and it works
> fine.  however, it's a bit sad that we had to turn off IDENT queries on
> our SMTP servers.
> 
> what happens:
> 
>   client establishes SMTP session, through the director.
> 
>   server sends SYN for IDENT to client.  it correctly uses the VIP as
>   the source address.
> 
>   client sends SYN ACK to the VIP.  the director replies with RST
>   since it has no knowledge of a TCP session being established.
> 
> to fix this, we would need to turn on persistence for SMTP and IDENT
> (1 second should suffice), and make the persistence table be shared
> among the two protocols (perhaps IPVS does this already?).  and then
> the ugly part: the director would need to forward the SYN ACK packet
> blind iff the source IP is in the persistence table.
> 
> any thoughts on the feasibility and cleanliness of implementing this?

That should work pretty well and could be done quite cleanly using
an fwmark virtual service. The only potential problem would
be if you were getting a _lot_ of mail from one IP address
over multiple connections as they probably would all
end up on one real server.

On the other hand, I wonder if it would be possible to
issue the ident request with the RIP instead of the VIP.

-- 
Horms
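The fwmark grouping Horms suggests, modelled here as an added example (this is not IPVS or keepalived code; the VIP, real-server addresses and packet dictionaries are constructed): one persistence template keyed on client IP and fwmark covers both the inbound SMTP SYN and the client's IDENT SYN/ACK, so the latter is forwarded to the same real server instead of being answered with a RST, at the price that every connection from that client inside the window lands on one real server.

```python
import itertools

VIP = "192.0.2.10"                  # constructed addresses, not from the thread
RIPS = ["10.0.0.1", "10.0.0.2"]     # two real servers, round-robin

def fwmark(pkt):
    """Mangle-table style rule: SMTP to the VIP and IDENT replies to the
    VIP (client source port 113) receive the same mark, so one fwmark
    virtual service, and therefore one persistence table, covers both."""
    if pkt["dst"] != VIP:
        return None
    if pkt["dport"] == 25 or pkt["sport"] == 113:
        return 1
    return None

class Director:
    """Persistence template keyed on (client IP, fwmark), as the poster asks for."""
    def __init__(self, persistence=1.0):
        self.persistence = persistence          # seconds; 1 s as proposed
        self.templates = {}                     # (client_ip, mark) -> (rip, expiry)
        self.rr = itertools.cycle(RIPS)

    def handle(self, pkt, now):
        mark = fwmark(pkt)
        if mark is None:
            return "RST"                        # no virtual service matches
        key = (pkt["src"], mark)
        rip, expiry = self.templates.get(key, (None, 0.0))
        if rip is None or expiry <= now:
            if pkt["flags"] != "SYN":
                return "RST"                    # SYN/ACK with no template: today's behaviour
            rip = next(self.rr)                 # new template: schedule a real server
        self.templates[key] = (rip, now + self.persistence)   # refresh the timer
        return rip

def demo():
    client = "203.0.113.7"                      # constructed client address
    smtp_syn = {"src": client, "sport": 40000, "dst": VIP, "dport": 25, "flags": "SYN"}
    ident_synack = {"src": client, "sport": 113, "dst": VIP, "dport": 51000, "flags": "SYN/ACK"}
    d = Director(persistence=1.0)
    rip = d.handle(smtp_syn, now=0.0)                        # SMTP session scheduled
    ident = d.handle(ident_synack, now=0.2)                  # IDENT reply forwarded blind to same RIP
    second = d.handle(dict(smtp_syn, sport=40001), now=0.5)  # Horms's caveat: same client, same RIP
    cold = Director().handle(ident_synack, now=0.0)          # no template at all: RST, as today
    return rip, ident, second, cold
```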