E.Benoît's questions

I have configured two Linux boxes so they automatically use a transport-level IPSec connection whenever they need to communicate. The configuration is based on Racoon with X509 authentication and the bundle_complex option set to on, as well as policies that require both ESP and AH between the two boxes.

While the configuration works, generally speaking, the first few packets are always lost, e.g.:

$ ping -c 3 A.B.C.D
PING A.B.C.D (A.B.C.D) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from A.B.C.D: icmp_req=3 ttl=64 time=0.497 ms

Is there any way to prevent this, for example by "delaying" the packets until the IPSec transport has been negotiated?

One of my e-mail customers is currently on the receiving end of massive amounts of delivery failure notices as a "Nigerian scammer" seems to be using her address as its MAIL FROM field.

A lot of it is marked as spam by the SpamAssassin running on the inbound server (if they include the original message).

I added a manual content filter which removes more of the stuff.

I also temporarily blacklisted a few of the most active sources of bounce emails as they weren't servers any of my customers were likely to exchange actual e-mail with.

That has reduced the amount of spurious delivery failure notices my customer receives, however she's still getting ~1-2 such notices per minute.

Is there anything more I can do to help her get rid of this?