Skrettis
asked on
Tracing incoming mail, suddenly gone?
A user can't seem to receive emails from a specified sender when the sender attaches files (JPG images, 0.5-1 MByte in size).
When the sender removes the images, the mail goes through to the user.
Their firewall is a Fortigate 60, running with content filtering, and they run Lotus Domino, with Domino Admin 6.5, for mail.
When tracking the mail in the firewall, the message is not tagged as spam in the firewall, and is logged as a normal email message:
2007-01-18 11:31:40 signori.xxxxxxx@fondmetal.com Per.xxxxx@xxxxxxxx.no R: pictures
fondmetal's MX record gives me:
mail.fondmetal.com. A IN 86400 195.137.129.1
drake.tzm.net. A IN 86400 195.137.128.30
zagor.tzm.net. A IN 86400 195.137.128.31
From the Domino server console, the mail isn't logged at all:
18.01.2007 11:33:14 SMTP Server: 42.175.36.72.reverse.layeredtech.com (72.36.175.42) connected
18.01.2007 11:33:14 SMTP Server: 42.175.36.72.reverse.layeredtech.com (72.36.175.42) disconnected. 0 message[s] received
18.01.2007 11:33:14 SMTP Server: I-Teco-gw.transtelecom.net (217.150.47.29) connected
18.01.2007 11:33:15 SMTP Server: I-Teco-gw.transtelecom.net (217.150.47.29) disconnected. 0 message[s] received
18.01.2007 11:35:48 SMTP Server: 60.53.88.124 connected
18.01.2007 11:35:51 SMTP Server: 60.53.88.124 disconnected. 0 message[s] received
18.01.2007 11:35:52 SMTP Server: host-48-234.pool.intred.it (62.97.48.234) connected
18.01.2007 11:36:44 SMTP Server: host-48-234.pool.intred.it (62.97.48.234) disconnected. 0 message[s] received
18.01.2007 11:40:19 Router: Transferring mail to domain YOKOHAMA.IT (host 188.YOKOHAMA.IT [83.103.83.188]) via SMTP
18.01.2007 11:40:20 Router: Transferred 1 messages to YOKOHAMA.IT (host 188.YOKOHAMA.IT) via SMTP
18.01.2007 11:40:24 Router: Message 003A8F46 transferred to 188.YOKOHAMA.IT for info@yokohama.it via SMTP
There's a 4-5 minute clock difference between the firewall and the Domino server, so adding 4-5 minutes to the firewall time makes it right when comparing with the Domino server log.
I can't find any trace of the mail message when using the message tracking function in Domino Admin.
None of the IP addresses correspond either, so it's like it never made it through to the Domino server, but the mail did indeed pass through the firewall.
There's a plain port forwarding in the firewall, no load balancing with several servers or things like that.
Any tip for what's happening here?
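Added example (not part of the original post): one way to line up the firewall entry with Domino's inbound SMTP sessions, given the 4-5 minute clock difference described above. The log lines are copied from the question; the function names and the 60-second slack are assumptions. A sending relay does not have to be one of the domain's MX hosts, so the match is on time window rather than IP.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the Domino console excerpt in the question.
DOMINO_LOG = """\
18.01.2007 11:33:14 SMTP Server: I-Teco-gw.transtelecom.net (217.150.47.29) connected
18.01.2007 11:33:15 SMTP Server: I-Teco-gw.transtelecom.net (217.150.47.29) disconnected. 0 message[s] received
18.01.2007 11:35:48 SMTP Server: 60.53.88.124 connected
18.01.2007 11:35:51 SMTP Server: 60.53.88.124 disconnected. 0 message[s] received
18.01.2007 11:35:52 SMTP Server: host-48-234.pool.intred.it (62.97.48.234) connected
18.01.2007 11:36:44 SMTP Server: host-48-234.pool.intred.it (62.97.48.234) disconnected. 0 message[s] received
"""

LINE = re.compile(r"^(\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d) SMTP Server: (.+?) "
                  r"(connected|disconnected\. (\d+) message\[s\] received)$")

def parse_sessions(log):
    """Pair each 'connected' line with the next 'disconnected' line for the same peer."""
    open_conns, sessions = {}, []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # Router lines and the like are not inbound SMTP sessions
        ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        peer = m.group(2)
        if m.group(3) == "connected":
            open_conns[peer] = ts
        elif peer in open_conns:
            start = open_conns.pop(peer)
            sessions.append({"peer": peer, "start": start,
                             "seconds": int((ts - start).total_seconds()),
                             "messages": int(m.group(4))})
    return sessions

def candidates(fw_time, sessions, skew_min=4, skew_max=5, slack=60):
    """Sessions that start inside the firewall time shifted by the known clock skew."""
    fw = datetime.strptime(fw_time, "%Y-%m-%d %H:%M:%S")
    lo = fw + timedelta(minutes=skew_min, seconds=-slack)  # slack (assumed) absorbs rounding
    hi = fw + timedelta(minutes=skew_max, seconds=slack)
    return [s for s in sessions if lo <= s["start"] <= hi]

if __name__ == "__main__":
    for s in candidates("2007-01-18 11:31:40", parse_sessions(DOMINO_LOG)):
        note = "no message accepted" if s["messages"] == 0 else "delivered"
        print(f'{s["peer"]}: {s["seconds"]}s, {note}')
```

A session in the window that stays open for a long time and still ends with 0 messages received is the one to look at in a packet capture.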
In the admin client, go to Configuration Tab, choose your server and look under the messaging view.
The last tab is rules, but the other tabs may have other restrictions.
Also check the Admin client help under rules.
I hope this helps!
In help see
Setting server mail rules
ASKER
There's no server rules tab, neither where SysExpert explained nor where the help in the admin client explained it would be; this would mean that there are no rules defined, I guess?
I found some old "leftovers" from a Symantec Mail Security for Domino installation, checking this out now.
I just had a similar problem with our Domino 6.5.4 install. We have a spam filter that we outsource to another company; they were saying that we had a ton of mail queued up on their server and it mostly looked like spam. It ended up being our firewall, a Cisco ASA 5510; we had the following lines in it:
policy-map global_policy
 class inspection_default
  inspect esmtp
and basically what was going on is that the spam filter/mail server would connect to Domino, then it would start sending the mail using a command that the firewall did not like (see below for a list of what the ASA device looks for) and it would terminate the connection, hence Domino would not have a chance to kick an error code back. I think it would have been tough even to see this on a sniffer, which was my next test. So for me it was the firewall. Good luck,
Chiprock,
ESMTP inspection operates in the same way that SMTP inspection does. Packets with illegal commands are modified to an "xxxx" pattern and forwarded to the server, which triggers a negative reply. An illegal ESMTP command is any command except for these commands:
AUTH
DATA
EHLO
ETRN
HELO
HELP
MAIL
NOOP
QUIT
RCPT
RSET
SAML
SEND
SOML
VRFY
ESMTP inspection also examines these extensions via deeper command inspection:
Message Size Declaration (SIZE)
Remote Queue Processing Declaration (ETRN)
Binary MIME (BINARYMIME)
Command Pipelining
Authentication
Delivery Status Notification (DSN)
Enhanced Status Code (ENHANCEDSTATUSCODE)
8-bit MIME transport (8BITMIME)
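Added example (not part of the original answer or of any Cisco tooling): a small check that runs a captured client-side SMTP transcript against the command allowlist quoted above and shows which verbs inspection would rewrite. The transcript is constructed, the function names are hypothetical, and masking one "X" per character is an assumption about the "xxxx" pattern.

```python
# Allowlist copied from the ESMTP inspection text quoted in the answer above.
ALLOWED = {"AUTH", "DATA", "EHLO", "ETRN", "HELO", "HELP", "MAIL", "NOOP",
           "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY"}

# Constructed client-side transcript (example.* names are placeholders).
SESSION = [
    "EHLO relay.example.net",
    "STARTTLS",
    "MAIL FROM:<sender@example.com> SIZE=734003",
    "RCPT TO:<user@example.org>",
    "DATA",
    "Subject: R: pictures",
    "",
    "XTEST this is message text, not a command",
    ".",
    "QUIT",
]

def inspect(lines):
    """Return (line_as_forwarded, masked) per client line.

    Lines between DATA and the terminating "." are message content and are
    never treated as commands (simplified: the server's 354 reply is assumed).
    """
    out, in_data = [], False
    for line in lines:
        if in_data:
            in_data = line != "."
            out.append((line, False))
            continue
        verb = line.split(" ", 1)[0]
        if verb.upper() in ALLOWED:
            in_data = verb.upper() == "DATA"
            out.append((line, False))
        else:
            # Assumption: the verb is overwritten with one 'X' per character.
            out.append(("X" * len(verb) + line[len(verb):], True))
    return out

def masked_verbs(lines):
    """Verbs from the transcript that are not on the allowlist."""
    results = inspect(lines)
    return [orig.split(" ", 1)[0] for orig, (_, hit) in zip(lines, results) if hit]

if __name__ == "__main__":
    for forwarded, hit in inspect(SESSION):
        print(("MASKED  " if hit else "        ") + forwarded)
```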
>>There's no server rules tab<< Hmmm...
Open the Public Address Book
Click on Configuration
Then Messaging
Then under Messaging click on Configurations
If there isn't a Configurations document, then you need to create one.
If there is a Configurations document for your SMTP server, then open that document.
Click on the Router/SMTP tab
Then click on the Restrictions and Controls tab to view the inbound/outbound/Rules for that server.
ASKER
I actually found a Symantec Mail Security for Domino installation now, just have to figure out how to access the web interface since it isn't working, but I bet this is what's yanking the emails.
ASKER
SysExpert: it did help, but all the logs and quarantine folders were empty. Looks like it has never been active? Anyway, I will uninstall it tonight since we have other spam/virus scanning devices.
From what I've seen it looks like it was the Symantec software that did this, so I'll split points between what I felt was helpful here.
ASKER
The firewall has 2 "recent" lists for recent emails that have gone through it, one for normal mail and one for mail tagged as spam, and it's not listed in the spam list, but in the "legal" mail list.
>Are there any Domino Rules set up for content filtering?
How do I check this? I didn't set up the Domino installation, so I'm not sure about this.