we're currently using keepalived to manage our mail cluster. it takes
care of SMTP, POP, IMAP etc. to a bunch of machines, and it works
fine. however, it's a bit sad that we had to turn off IDENT queries on
our SMTP servers.
what happens:
client establishes SMTP session, through the director.
server sends SYN for IDENT to client. it correctly uses the VIP as
the source address.
client sends SYN ACK to the VIP. the director replies with RST
since it has no knowledge of a TCP session being established.
to fix this, we would need to turn on persistence for SMTP and IDENT
(1 second should suffice), and make the persistence table be shared
among the two protocols (perhaps IPVS does this already?). and then
the ugly part: the director would need to forward the SYN ACK packet
blind iff the source IP is in the persistence table.
any thoughts on the feasibility and cleanliness of implementing this?
--
Kjetil T. | read and make up your own mind
| http://www.cactus48.com/truth.html
|
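To make the failure mode and the proposed fix concrete, here is a small constructed simulation (added to this thread as an illustration, not keepalived or IPVS code). It models a director that tracks client-to-VIP sessions, a real server that opens an IDENT (port 113) query back to the client with the VIP as source, and the director's treatment of the client's SYN-ACK that then lands on the VIP. The addresses, port numbers and the `ident_fixup` switch are assumptions of the model; IPVS does not expose such a switch.

```python
"""Toy model of the IDENT-through-director problem (constructed example)."""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"


@dataclass
class Director:
    """Minimal stand-in for an LVS-style director (not IPVS itself)."""
    vip: str
    real_servers: list
    persistence_timeout: float = 0.0   # seconds; 0 means no persistence
    ident_fixup: bool = False          # the behaviour the post proposes
    conns: dict = field(default_factory=dict)        # (client, sport, dport) -> real server
    persistence: dict = field(default_factory=dict)  # client ip -> (real server, expiry)

    def __post_init__(self):
        self._rr = cycle(self.real_servers)   # round-robin scheduler

    def _pick(self, client, now):
        """Choose a real server, honouring an unexpired persistence entry."""
        entry = self.persistence.get(client)
        rs = entry[0] if entry and entry[1] > now else next(self._rr)
        if self.persistence_timeout > 0:
            # one table for every port, so SMTP and IDENT share it
            self.persistence[client] = (rs, now + self.persistence_timeout)
        return rs

    def handle(self, pkt, now):
        """Decide what happens to a packet addressed to the VIP.

        Returns ("forward", real_server) or ("rst", None); packets not
        for the VIP are ignored ("drop", None).
        """
        if pkt.dst != self.vip:
            return ("drop", None)
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.conns:
            return ("forward", self.conns[key])
        if pkt.flags == "SYN":
            rs = self._pick(pkt.src, now)
            self.conns[key] = rs
            return ("forward", rs)
        # Proposed fix: a SYN-ACK from a host with a live persistence entry is
        # taken to answer an IDENT SYN the real server sent with the VIP as
        # source, so it is handed to that real server without further checks.
        if self.ident_fixup and pkt.flags == "SYN-ACK":
            entry = self.persistence.get(pkt.src)
            if entry and entry[1] > now:
                self.conns[key] = entry[0]
                return ("forward", entry[0])
        # Default: no known session for this tuple, so the stack resets it.
        return ("rst", None)


def run_ident_exchange(director, ident_delay=0.2):
    """Replay the exchange from the post; return the fate of the IDENT SYN-ACK."""
    client, vip = "198.51.100.7", director.vip   # constructed addresses
    now = 100.0
    # 1. client opens SMTP through the director
    action, _ = director.handle(Packet(client, 40000, vip, 25, "SYN"), now)
    assert action == "forward"
    # 2. the real server sends an IDENT SYN from VIP:51000 to client:113;
    #    it leaves directly, so the director never sees it
    # 3. the client's SYN-ACK to VIP:51000 arrives at the director
    ident_synack = Packet(client, 113, vip, 51000, "SYN-ACK")
    return director.handle(ident_synack, now + ident_delay)


if __name__ == "__main__":
    plain = Director("192.0.2.10", ["10.0.0.1", "10.0.0.2"])
    print("no persistence:", run_ident_exchange(plain))
    fixed = Director("192.0.2.10", ["10.0.0.1", "10.0.0.2"],
                     persistence_timeout=1.0, ident_fixup=True)
    print("1s persistence + fixup:", run_ident_exchange(fixed))
    print("fixup but IDENT late:", run_ident_exchange(fixed, ident_delay=2.0))
```

The third case shows the cost of the 1-second window mentioned above: an IDENT SYN-ACK that arrives after the persistence entry has expired is still reset, so the timeout has to cover the real server's IDENT round trip.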