ISA seems to be blocking LARGE smtp emails - small OK?

Very small configuration. ISA 2004 running on Windows 2003 as a firewall/proxy for various clients in a small office. Clients use POP3 & external SMTP servers for email.

System's been working for many months with no problems.

Suddenly the system seems to be blocking *large* smtp emails,  over 1k or so.  This happens for all clients (both Windows & Mac) and any email (pop3/smtp) client - Outlook, Entourage, Thunderbird, OWA.  Receiving via POP3 is fine regardless of size,  as is web access (streaming radio's fine!).

This means that if you test a client by telnetting to an SMTP server (on port 25, etc.),  the email goes OK.  Similarly it works if you use the 'test' facility in Outlook (or any other email client).  If you send a small email from any email client,  it generally works.  However once you send a larger email then it hangs halfway through the send.

I've configured OWA on the ISA server to test this and can send emails of any size.  I then configured OWA on a client behind ISA and sent a small email - fine.  Sending a larger email meant the sending progress bar stops at about 5%.  It eventually times out.

Configuring ISA to block SMTP stopped all access as expected (e.g. telnet stopped).  Unconfiguring that block enabled the telnet test,  and again,  the larger emails are blocked.

There are no problems with bandwidth or other access to the web.  The server's been rebooted a couple of times and the logs don't seem to show anything particularly interesting.


I'm really at my wit's end with this one!  It must be something really dumb going on here.


TIA,
Glenn
GlennGilbertAsked:

Keith AlabasterEnterprise ArchitectCommented:
OK. Have you got the latest isa2004 service pack installed?
Open the GUI, select monitoring - alerts. Anything listed?
Check your windows event logs - anything in there?

What is the relationship between the pop3 and the smtp services?
How have you published your mail server rule?
What rule do you have for allowing smtp traffic to leave?
GlennGilbertAuthor Commented:
Now this is total madness.  I was pulling my hair out last night.  Come in today and it's all working - it's as if it's calling me a liar.  How I hate IT sometimes.

...

Running ISA2004 build 4.0.2161.50.  Just downloading and will be installing SP2.
No alerts (except service started).

I've configured a monitor for all events and saved the raw file.  There's quite a few denied SMTP messages from 217.12.12.124 - which looks up as pop802.mail.ukl.yahoo.com (but responds as smtp811.mail.ukl.yahoo.com when telnetting).

Just to reiterate: there's no SMTP server at this office - it's a very small office with a few client computers and no internet-connected servers (except ISA). The client computers will connect to the ISP's SMTP server.  And this has been working fine for many months.

Now this is odd.  There's a load of "Denied Connection" actions with a client IP of 'my' dialup IP address (it uses DHCP so varies) and a destination address of 217.12.12.124

There's also a few "Denied Connection" actions against the ISP (i.e. the legitimate SMTP server).

The Windows event log is showing a few:
  Event Type:      Warning, Event Source:      Microsoft Firewal
  Event Category: Packet filter,  Event ID: 15104
  Date: 09/03/2006,  Time: 23:42:31
  ISA Server detected a port scan attack from Internet Protocol (IP) address 217.12.12.124.

I'm a little confused about analysing the 'logging' results.  I don't understand why it's showing a client IP of my internet connection,  but a destination of what seems to be Yahoo.  It doesn't make sense.


Any ideas ... ?
Glenn
GlennGilbertAuthor Commented:
Oh, the other rules:  just setting up a rather loose firewall.  Set up full access rules - I realise it's less secure,  but it's easier!

Keith AlabasterEnterprise ArchitectCommented:
It's an added bonus from Experts-Exchange Glenn. I thought it should work and told it by brain waves..... :) I Wish lol

In isa gui,
select configuration - general - Enable Intrusion Detection and DNS Attack Detection

The bottom option is enable port scan detection. If the ISA sees more than X packets come in within a certain time frame it can drop them. I normally leave this unticked as generally it's not a port scan but simply a lot of traffic.

Depending on how things are set, the client could be your NAT address.
GlennGilbertAuthor Commented:
Thanks - it was set - now not.  I suppose it's possible that ISA decided to drop packets for some reason better known to itself.

I think it was the NAT address.

Have you any ideas about why there seems to be this traffic to the Yahoo address?  It seems odd that none of the client should be 'talking' to this address - certainly not as SMTP.
Keith AlabasterEnterprise ArchitectCommented:
Sorry, is that 'one' or 'none'?
GlennGilbertAuthor Commented:
It should be "none of the clients should be talking to this address" (and I can vouch that they _shouldn't_ be talking to that address).
Keith AlabasterEnterprise ArchitectCommented:
Anyone using Yahoo mail? Yahoo Messenger?
What is the client IP? Is it a server or workstation?
GlennGilbertAuthor Commented:
Definitely not using Yahoo mail.

The log seems to indicate that the "original client" is the same as the "client IP" which appears to be the external NAT address (broadband modem).
The "Result Code" is "0xc0040015 FWX_E_TCPIPDROP_PACKET_DROPPED"

Odd.
Keith AlabasterEnterprise ArchitectCommented:
Have you got any browser toolbars installed?
Keith AlabasterEnterprise ArchitectCommented:
PS RDP is just the example they have used.
GlennGilbertAuthor Commented:
Damn.  I realise that as part of the debugging process I configured a client to use an alternative SMTP server.  In this case the ISP uses Yahoo servers - trust me to forget that!

I'm still interested in the analysis of the logs.  There's a fair few 0x80074e21 events (closed connection) on SMTP which seem to tie in with the larger emails - the bytes sent varies, but is around 12-19kb.

The article above does explain this in relation to RDP,  but I'm not sure how it relates to SMTP where the server's always available.

The other question is the many 0xc0040015 FWX_E_TCPIPDROP_PACKET_DROPPED events.  These seem to show the external interface and the Yahoo server - and 0 processing time.

Any idea about these events?

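A defender's way to triage the kind of log entries discussed above, as an added example that is not part of this thread. The tab-separated layout is a constructed approximation of an ISA-style W3C export (field names follow the thread's wording, not ISA's exact export format), and the addresses 203.0.113.7 and 198.51.100.25 are constructed stand-ins for the external NAT address and the ISP's SMTP server.

```python
"""Summarise denied / closed SMTP connections in an ISA-style firewall log.

Added example, not from the thread. Layout and addresses are constructed;
only the result codes and 217.12.12.124 come from the discussion above.
"""
from collections import Counter

# Constructed sample: one #Fields header, then tab-separated records.
SAMPLE_LOG = """\
#Fields: client-ip\tdest-ip\tdest-port\taction\tresult-code\tbytes-sent\tprocessing-time
192.168.1.10\t198.51.100.25\t25\tInitiated Connection\t0x0\t740\t12
192.168.1.10\t198.51.100.25\t25\tClosed Connection\t0x80074e21\t14233\t10
192.168.1.11\t198.51.100.25\t25\tClosed Connection\t0x80074e21\t18890\t8
192.168.1.10\t198.51.100.25\t25\tClosed Connection\t0x0\t15\t9
203.0.113.7\t217.12.12.124\t25\tDenied Connection\t0xc0040015\t0\t0
203.0.113.7\t217.12.12.124\t25\tDenied Connection\t0xc0040015\t0\t0
203.0.113.7\t198.51.100.25\t25\tDenied Connection\t0xc0040015\t0\t0
"""

PACKET_DROPPED = "0xc0040015"   # FWX_E_TCPIPDROP_PACKET_DROPPED (per the thread)
CLOSED_EARLY = "0x80074e21"     # "closed connection" events tied to the large mails


def parse_log(text):
    """Return a list of dicts keyed by the #Fields names; skip malformed rows."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue                      # truncated or malformed record
        rec = dict(zip(fields, values))
        rec["bytes-sent"] = int(rec["bytes-sent"])
        rec["processing-time"] = int(rec["processing-time"])
        records.append(rec)
    return records


def summarise_smtp(records, nat_ip, expected_relays):
    """Count SMTP drops per (destination, code); flag NAT-sourced and unexpected peers."""
    drops, closed_bytes, nat_dests = Counter(), [], set()
    for r in (r for r in records if r["dest-port"] == "25"):
        if r["action"] == "Denied Connection":
            drops[(r["dest-ip"], r["result-code"])] += 1
            if r["client-ip"] == nat_ip:  # logged against the NAT address, not a LAN client
                nat_dests.add(r["dest-ip"])
        elif r["result-code"] == CLOSED_EARLY:
            closed_bytes.append(r["bytes-sent"])
    unexpected = sorted(d for d in nat_dests if d not in expected_relays)
    return {"drops": dict(drops), "closed_bytes": closed_bytes,
            "nat_sourced_dests": sorted(nat_dests), "unexpected_dests": unexpected}
```

Any destination in `unexpected_dests` is an SMTP peer that no configured client should be relaying through, which is exactly the question raised about the Yahoo address.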
Keith AlabasterEnterprise ArchitectCommented:
Temporarily, turn off the scans.
click on configuration - general - Enable Intrusion Detection and DNS Attack Detection
turn off the protections and the errors will likely go.

However, these ARE your protection methods.
Could be some malformed packets coming in. Could also be some smtp commands that are not supported.
You could also select monitoring - dashboard.
Watch the packets coming in on the performance trace and in the alerts.

I get the messages periodically but it will need another question to go through the debugging stages. When I have debugged mine, they have all been a valid drop (ISA is doing its job of protecting me).

regards
keith

Keith AlabasterEnterprise ArchitectCommented:
Quick questions: what is the size limit you have on your mail server's smtp connector? Ex2003 for instance has a default of 10MB. Have you changed this at all? Do you receive your smtp from a smarthost or through DNS & MX records directly?
GlennGilbertAuthor Commented:
Thanks for your help Keith.  I've updated the build of ISA and the server,  so with a bit of luck this won't happen again.  I've also got some useful references to enable me to check out the logs.
Keith AlabasterEnterprise ArchitectCommented:
Welcome. Always here :)
regards
Keith