Subject: Re: killer death packet
To: Chris Jones <chris@cjones.org>
From: Chris Jones <chris@cjones.org>
List: tech-net
Date: 06/23/2003 10:08:44

I found the cause of this:  Long ago, I had configured ipsec.conf on the 
server machine to require encryption to the IMAP port, with the 
exception of local IPs.  So the machine correctly dropped the 
unencrypted packets.

The problem, though, is that it no longer accepted any legitimate SYN 
packets on that port.  Certainly seems like a bug to me.

Chris

Chris Jones wrote:
> This has been bugging me for a while, and I've finally isolated the 
> cause of my IMAP server hanging.  The server is running NetBSD/i386 1.6, 
> with cyrus-imapd from pkgsrc.  It has a firewall in front of it, also 
> running NetBSD/i386 1.6, which is tunnelling traffic via IPSEC with a 
> machine at a remote office.
> 
> If a machine from the remote office connects to the IMAP port, the 
> service hangs.  Specifically, the /usr/local/cyrus/bin/master process 
> never returns from its select(2) call.  The select is on a bunch of 
> fd's, including the socket that's listening for new connections on the 
> IMAP port.  I can kill the master process and restart it, and everything 
> works fine.  (Until somebody tries to connect from the remote office 
> again.)
> 
> Here's tcpdump output from a bad packet.  My feeble knowledge of TCP 
> says it looks fine:
> 
> gamera# tcpdump -vv -l -x host sedc.sri.com
> tcpdump: listening on fxp0
> 13:50:39.727262 sedc.SRI.COM.42989 > gamera.mt.sri.com.imap: S [tcp sum 
> ok] 1409559804:1409559804(0) win 24820 <nop,nop,sackOK,mss 1460> (ttl 
> 60, id 49965, len 48)
>                          4500 0030 c32d 0000 3c06 f876 8012 2815
>                          ce7f 4c7d a7ed 008f 5404 2cfc 0000 0000
>                          7002 60f4 358a 0000 0101 0402 0204 05b4
> 
> Any insight into the cause of this problem would be much appreciated.
> 
> Chris
> 


-- 
Chris Jones               chris@cjones.org                www.cjones.org
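
The following is an added example, not part of the original post: a Python decoder for the hex dump quoted above. It shows that the SYN reached the server's interface as plain TCP (IP protocol 6) with valid checksums rather than as ESP or AH, which is the kind of packet an ipsec.conf policy requiring encryption on the IMAP port drops. The names `decode` and `csum` are illustrative.

```python
import struct

# Hex dump copied from the tcpdump output quoted in the post.
DUMP = """
4500 0030 c32d 0000 3c06 f876 8012 2815
ce7f 4c7d a7ed 008f 5404 2cfc 0000 0000
7002 60f4 358a 0000 0101 0402 0204 05b4
"""
IPSEC_PROTOS = {50: "ESP", 51: "AH"}  # IP protocol numbers that carry IPsec

def csum(data):
    """RFC 1071 one's-complement sum; 0xffff means the stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total

def decode(dump):
    """Decode an IPv4 packet given as whitespace-separated hex (illustrative helper)."""
    pkt = bytes.fromhex("".join(dump.split()))
    ihl = (pkt[0] & 0x0f) * 4
    total_len, ident = struct.unpack("!HH", pkt[2:6])
    proto = pkt[9]
    info = {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "len": total_len, "id": ident, "ttl": pkt[8], "proto": proto,
        "ip_sum_ok": csum(pkt[:ihl]) == 0xffff,
        # None means the packet is not ESP/AH, i.e. it is cleartext on this wire.
        "ipsec": IPSEC_PROTOS.get(proto),
    }
    if proto == 6:  # TCP
        tcp = pkt[ihl:total_len]
        sport, dport, seq, _ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
        # The TCP checksum covers a pseudo-header: src, dst, zero, proto, TCP length.
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
        info.update(sport=sport, dport=dport, seq=seq, win=win,
                    syn_only=(off_flags & 0x3f) == 0x02,
                    tcp_sum_ok=csum(pseudo + tcp) == 0xffff)
    return info

if __name__ == "__main__":
    for key, value in decode(DUMP).items():
        print(f"{key:>10}: {value}")
```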