GlennGilbert

ISA seems to be blocking LARGE smtp emails - small OK?

Very small configuration. ISA 2004 running on Windows 2003 as a firewall/proxy for various clients in a small office. Clients use POP3 & external SMTP servers for email.

System's been working for many months with no problems.

Suddenly the system seems to be blocking *large* smtp emails,  over 1k or so.  This happens for all clients (both Windows & Mac) and any email (pop3/smtp) client - Outlook, Entourage, Thunderbird, OWA.  Receiving via POP3 is fine regardless of size,  as is web access (streaming radio's fine!).

This means that if you test a client by telnetting to an SMTP server (on port 25, etc.),  the email goes OK.  Similarly it works if you use the 'test' facility in Outlook (or any other email client).  If you send a small email from any email client,  it generally works.  However once you send a larger email then it hangs halfway through the send.

I've configured OWA on the ISA server to test this and can send emails of any size.  I then configured OWA on a client behind ISA and sent a small email - fine.  Sending a larger email meant the sending progress bar stops at about 5%.  It eventually times out.

Configuring ISA to block SMTP stopped all access as expected (e.g. telnet stopped).  Unconfiguring that block enabled the telnet test,  and again,  the larger emails are blocked.

There are no problems with bandwidth or other access to the web.  The server's been rebooted a couple of times and the logs don't seem to show anything particularly interesting.


I'm really at my wit's end with this one!  It must be something really dumb going on here.


TIA,
Glenn
Keith Alabaster

OK. Have you got the latest isa2004 service pack installed?
Open the GUI, select monitoring - alerts. Anything listed?
Check your windows event logs - anything in there?

What is the relationship between the pop3 and the smtp services?
How have you published your mail server rule?
What rule do you have for allowing smtp traffic to leave?
GlennGilbert (asker)

Now this is total madness.  I was pulling my hair out last night.  Come in today and it's all working - it's as if it's calling me a liar.  How I hate IT sometimes.

...

Running ISA2004 build 4.0.2161.50.  Just downloading and will be installing SP2.
No alerts (except service started).

I've configured a monitor for all events and saved the raw file.  There's quite a few denied SMTP messages from 217.12.12.124 - which looks up as pop802.mail.ukl.yahoo.com (but responds as smtp811.mail.ukl.yahoo.com when telnetting).

Just to reiterate: there's no SMTP server at this office - it's a very small office with a few client computers and no internet-connected servers (except ISA). The client computers will connect to the ISP's SMTP server.  And this has been working fine for many months.

Now this is odd.  There's a load of "Denied Connection" actions with a client IP of 'my' dialup IP address (it uses DHCP so varies) and a destination address of 217.12.12.124.

There's also a few "Denied Connection" actions against the ISP (i.e. the legitimate SMTP server).

The Windows event log is showing a few:
  Event Type:      Warning, Event Source:      Microsoft Firewal
  Event Category: Packet filter,  Event ID: 15104
  Date: 09/03/2006,  Time: 23:42:31
  ISA Server detected a port scan attack from Internet Protocol (IP) address 217.12.12.124.

I'm a little confused about analysing the 'logging' results.  I don't understand why it's showing a client IP of my internet connection,  but a destination of what seems to be Yahoo.  It doesn't make sense.


Any ideas ... ?
Glenn
Oh, the other rules:  just setting up a rather loose firewall.  Set up full access rules - I realise it's less secure,  but it's easier!
It's an added bonus from Experts-Exchange Glenn. I thought it should work and told it by brain waves..... :) I wish lol

In isa gui,
select configuration - general - Enable Intrusion Detection and DNS Attack Detection

The bottom option is "Enable port scan detection". If the ISA sees more than X packets come in within a certain time frame it can drop them. I normally leave this unticked as generally it's not a port scan but simply a lot of traffic.

Depending on how things are set, the client could be your NAT address.
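To make the false-positive mode Keith describes concrete, here is an added toy model (not ISA Server's implementation, and not code from either poster): a detector that only counts packets per source in a time window fires on a legitimate bulk SMTP send just as readily as on a genuine scan, whereas counting distinct destination ports separates the two. The threshold, window, IP addresses and packet streams are all constructed assumptions for this example.

```python
"""Toy model of a packet-count port-scan detector, illustrating why a
pure packet-rate threshold flags a large SMTP send as a "scan".
This is NOT ISA Server's algorithm; thresholds and traffic are
constructed assumptions for the example."""
from collections import defaultdict

# Constructed threshold: more than MAX_PACKETS from one source inside
# WINDOW_SECONDS trips the naive detector ("more than X packets").
MAX_PACKETS = 20
WINDOW_SECONDS = 5.0


def naive_packet_counter(packets):
    """Return the set of source IPs that send more than MAX_PACKETS within
    any WINDOW_SECONDS span. packets: iterable of (timestamp, src_ip, dst_port)."""
    by_src = defaultdict(list)
    for ts, src, _port in packets:
        by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Slide the window start forward until it fits WINDOW_SECONDS.
            while ts - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > MAX_PACKETS:
                flagged.add(src)
                break
    return flagged


def distinct_port_detector(packets, max_ports=10):
    """Flag a source only when it touches more than max_ports distinct
    destination ports inside the window: a scan, not a bulk transfer."""
    by_src = defaultdict(list)
    for ts, src, port in packets:
        by_src[src].append((ts, port))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        window_ports = defaultdict(int)  # port -> packets currently in window
        for end, (ts, port) in enumerate(events):
            window_ports[port] += 1
            while ts - events[start][0] > WINDOW_SECONDS:
                old_port = events[start][1]
                window_ports[old_port] -= 1
                if window_ports[old_port] == 0:
                    del window_ports[old_port]
                start += 1
            if len(window_ports) > max_ports:
                flagged.add(src)
                break
    return flagged


# Constructed sample traffic (not taken from the thread's logs).
# A ~30 kB message in 1460-byte segments is a burst of 20-odd packets,
# all to port 25, arriving within about a second.
BULK_SMTP = [(0.05 * i, "198.51.100.7", 25) for i in range(25)]
# A genuine scan: one source probing 30 different ports in two seconds.
PORT_SCAN = [(0.07 * i, "203.0.113.9", 1000 + i) for i in range(30)]


def compare():
    """Run both detectors over the same traffic and return what each flags."""
    packets = BULK_SMTP + PORT_SCAN
    return {"naive": naive_packet_counter(packets),
            "by_port": distinct_port_detector(packets)}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:8s} flagged: {sorted(hits)}")
```

The naive counter flags both sources; only the scanner exceeds the distinct-port threshold. That gap is the reason a rate-only "port scan" setting on a small office firewall tends to produce alerts like the event ID 15104 warning quoted earlier during nothing more sinister than a large outbound email.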
Thanks - it was set - now not.  I suppose it's possible that ISA decided to drop packets for some reason better known to itself.

I think it was the NAT address.

Have you any ideas about why there seems to be this traffic to the Yahoo address?  It seems odd that none of the client should be 'talking' to this address - certainly not as SMTP.
Sorry, is that 'one' or 'none'?
It should be "none of the clients should be talking to this address" (and I can vouch that they _shouldn't_ be talking to that address).
Anyone using Yahoo mail? Yahoo Messenger?
What is the client IP? Is it a server or workstation?
Definitely not using Yahoo mail.

The log seems to indicate that the "original client" is the same as the "client IP" which appears to be the external NAT address (broadband modem).
The "Result Code" is "0xc0040015 FWX_E_TCPIPDROP_PACKET_DROPPED"

Odd.
Have you got any browser toolbars installed?
PS RDP is just the example they have used.
Damn.  I realise that as part of the debugging process I configured a client to use an alternative SMTP server.  In this case the ISP uses Yahoo servers - trust me to forget that!

I'm still interested in the analysis of the logs.  There's a fair few 0x80074e21 events (closed connection) on SMTP which seem to tie in with the larger emails - the bytes sent varies, but is around 12-19kb.

The article above does explain this in relation to RDP,  but I'm not sure how it relates to SMTP where the server's always available.

The other question is the many 0xc0040015 FWX_E_TCPIPDROP_PACKET_DROPPED events.  These seem to show the external interface and the Yahoo server - and 0 processing time.

Any idea about these events?
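As an added illustration of the log analysis Glenn is asking about (example code, not from either poster and not Glenn's actual log), the script below parses constructed firewall-log records using only the fields named in the thread (client IP, original client, destination, result code, bytes sent, processing time), tallies the result codes, reports the bytes-sent range of the closed-connection events, and counts the dropped-packet events whose client and original client are the external NAT address. The comma-separated layout, the IP addresses, the byte counts and the success code `0x0` are assumptions for this example; the two error-code meanings are the ones stated in the thread.

```python
"""Triage of firewall-log records of the kind discussed in the thread.
Records below are constructed for this example; field names follow the
thread. Result-code meanings come from the thread:
  0x80074e21 = closed connection
  0xc0040015 = FWX_E_TCPIPDROP_PACKET_DROPPED"""
from collections import Counter, defaultdict

CLOSED_CONNECTION = "0x80074e21"
PACKET_DROPPED = "0xc0040015"

# Constructed sample records (assumed comma-separated layout):
# client_ip,original_client,destination,dst_port,action,result_code,bytes_sent,processing_ms
# The "0x0" success code and all addresses/byte counts are constructed values.
SAMPLE_LOG = """\
192.168.1.10,192.168.1.10,203.0.113.25,25,Closed Connection,0x80074e21,12288,340
192.168.1.11,192.168.1.11,203.0.113.25,25,Closed Connection,0x80074e21,19456,512
192.168.1.10,192.168.1.10,203.0.113.25,25,Closed Connection,0x0,1024,120
198.51.100.7,198.51.100.7,217.12.12.124,25,Denied Connection,0xc0040015,0,0
198.51.100.7,198.51.100.7,217.12.12.124,25,Denied Connection,0xc0040015,0,0
198.51.100.7,198.51.100.7,203.0.113.25,25,Denied Connection,0xc0040015,0,0
"""

FIELDS = ["client_ip", "original_client", "destination", "dst_port",
          "action", "result_code", "bytes_sent", "processing_ms"]


def parse(text):
    """Turn the comma-separated records into dicts with numeric counters."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(FIELDS, line.split(",")))
        row["bytes_sent"] = int(row["bytes_sent"])
        row["processing_ms"] = int(row["processing_ms"])
        rows.append(row)
    return rows


def triage(rows, external_ip):
    """Summarise result codes and separate the two patterns from the thread:
    large sends that end in a closed connection, and drops logged with the
    external (NAT) address as both client and original client."""
    by_code = Counter(r["result_code"] for r in rows)
    dest_by_code = defaultdict(set)
    for r in rows:
        dest_by_code[r["result_code"]].add(r["destination"])

    closed = [r for r in rows if r["result_code"] == CLOSED_CONNECTION]
    drops = [r for r in rows if r["result_code"] == PACKET_DROPPED]
    # A drop whose client and original client are both the external
    # address was generated on the external interface, not by a LAN host.
    nat_drops = [r for r in drops
                 if r["client_ip"] == external_ip == r["original_client"]]

    closed_range = None
    if closed:
        sizes = [r["bytes_sent"] for r in closed]
        closed_range = (min(sizes), max(sizes))

    return {
        "codes": dict(by_code),
        "destinations": {k: sorted(v) for k, v in dest_by_code.items()},
        "closed_bytes_range": closed_range,
        "drops_from_nat_address": len(nat_drops),
        "drops_zero_processing": sum(1 for r in drops if r["processing_ms"] == 0),
    }


if __name__ == "__main__":
    # "198.51.100.7" stands in for the external NAT address (constructed).
    summary = triage(parse(SAMPLE_LOG), "198.51.100.7")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Running it against the constructed records shows the same shape Glenn reports: closed connections with bytes sent in the low tens of kilobytes, and a cluster of `0xc0040015` drops attributed to the external interface with zero processing time, which points at the interface-level packet filter (such as the port-scan detection setting discussed above) rather than at a client on the LAN.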

ASKER CERTIFIED SOLUTION
Keith Alabaster

Quick questions: what is the size limit you have on your mail server's SMTP connector? Ex2003 for instance has a default of 10MB. Have you changed this at all? Do you receive your SMTP from a smarthost or through DNS & MX records directly?
Thanks for your help Keith.  I've updated the build of ISA and the server,  so with a bit of luck this won't happen again.  I've also got some useful references to enable me to check out the logs.
Welcome. Always here :)
regards
Keith