From: (no name) (no email)
Date: Sat Jan 03 2004 - 05:25:14 EST
Quote from "Greg A. Woods" <>:
> [ On Friday, January 2, 2004 at 17:57:48 (-0500), Jim Seymour wrote: ]
> > Subject: Re: Acceptance of domain literals
> >
> > "Greg A. Woods" <> wrote:
> > >
> > > Personally I would never ever even dream of running a mail server behind
> > > a NAT. This is far from the only problem you'll encounter.
> >
> > What other problems is one likely to encounter?
>
> It depends somewhat on exactly what NAT implementation you're using, but
> typically many of the low level protocol error handling mechanisms
> either get trashed beyond recognition by a NAT, or don't work at all, so
> error handling at the connection level will be broken with the result
> that any number of strange symptoms will appear and be almost impossible
> to diagnose (especially by anyone who might think running a server
> behind a NAT is an OK thing to do :-).
If you choose to use a broken firewall/NAT device you are right. But this is a
problem in operating technical devices at all. If one doesn't know what to do the
results are always poor.
At least PMTU should work across the NAT by TCP MSS clamping or something like
that.
The only shortcoming was to teach Postfix about the external IP.
> Many other common errors can be masked, hidden, transformed, or
> otherwise butchered by a NAT too, depending on what else has to pass
> through the thing (e.g. DNS).
Same as previous: true, it adds a layer of complexity, but that is no reason to
say it doesn't work at all.
> The only time you really have to run a mail server behind a NAT is
> almost always a scenario where you're not supposed to, or at least not
> expected to, be running any servers in the first place. Either that or
> you're dealing with such a confused and ignorant firewall administrator
> that NAT issues are going to be the least of your troubles.
As for dynamic dial-up I do agree, but NAT is used in many other cases too.
Sometimes the cost for some T1 with many IPs is just too expensive, and an ADSL
with static IP, reverse DNS and a NATing router is just fine if you know what you
are doing.
The issue with the ignorant firewall administrator I can't support, because it's
me in our company, but for the company we of course don't use a NATed
connection for the mailserver ;-)
Regards
Andreas
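The two pieces the reply alludes to (MSS clamping on the NAT box and teaching Postfix its public address), as an added example that is not part of the thread, together with a check that main.cf actually lists the external address. It assumes Linux iptables and a Postfix main.cf; the address 203.0.113.25, the interface eth0 and the sample main.cf are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: 203.0.113.25
# (documentation range), interface eth0, and the sample main.cf below.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address.
valid_ipv4() {
  echo "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# main.cf line that teaches Postfix its public address, so mail for that IP
# is treated as local instead of being relayed back out through the NAT.
postfix_nat_config() {
  valid_ipv4 "$1" || return 1
  printf 'proxy_interfaces = %s\n' "$1"
}

# Mangle-table rule that clamps the MSS of forwarded SYNs to the path MTU,
# so PMTU discovery keeps working when the NAT mangles or drops ICMP.
mss_clamp_rule() {
  printf 'iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n' "$1"
}

# Audit: does main.cf ($1) list the external address ($2) in proxy_interfaces?
# Accepts comma- or space-separated lists and ignores commented-out lines.
has_external_ip() {
  awk -v ip="$2" '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*proxy_interfaces[[:space:]]*=/ {
      sub(/^[^=]*=/, ""); n = split($0, v, /[ ,\t]+/)
      for (i = 1; i <= n; i++) if (v[i] == ip) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Write a constructed sample main.cf to a temp file and print its path.
sample_maincf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# proxy_interfaces = 198.51.100.1
myhostname = mail.example.com
proxy_interfaces = 203.0.113.25, 203.0.113.26
EOF
  echo "$f"
}
```

The rule and the main.cf line are only printed so they can be reviewed before being applied on the router and the mail host respectively.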