Firewall issue with SMTP traffic

Posted on 2007-10-04
5
Medium Priority
?
348 Views
Last Modified: 2013-11-30
Howdy Experts!

I have a problem with my firewall automatically blocking some mail servers, due to a perceived intrusion attack.  I can resolve this with 'exceptions' but am finding that I need to do this more often than I would like.  I have run packet traces from outside the firewall (put a hub between the firewall and the cable modem, and attached Wireshark) and it appears the firewall is working correctly.  The remote mail server is sending an (I think) unnecessary packet on port 113, which is unopened, and my firewall starts blocking the server thinking it is an intrusion attempt.  

Here is the packet activity for a blocked communication - 74.95.xxx.xxx is my mail server, and 216.46.xxx.xxx is the remote mail server.  
1.  74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [SYN]
2.  216.46.xxx.xxx -- 74.95.xxx.xxx TCP SMTP > 10049 [SYN,ACK]
3.  74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [ACK]
4.  216.46.xxx.xxx -- 74.95.xxx.xxx TCP 44090 > AUTH [SYN]
5.  74.95.xxx.xxx -- 216.46.xxx.xxx ICMP Destination unreachable
6.  216.46.xxx.xxx -- 74.95.xxx.xxx SMTP Response: 220 mail.remotemailserver.com ESMTP Sendmail

The problem is packet 4 - this comes in on port 113, my firewall blocks it as an intrusion attempt and begins temporarily blocking that IP.  Packet 6 (which repeats in subsequent packets) is ignored.  

Why/what is packet #4, and why is the remote mail server sending it?  Again, I know I can set my mail server to allow an exception for this remote mail server, but I have now got 4 remote mail servers that need this exception.  That doesn't seem right.

Thanks in advance for any ideas, help.  

-Thorin
Question by:Thorin
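The pattern in the trace above, as an added example that is not part of the thread: a small classifier over trace lines in the same format that recognises an inbound SYN to 113/tcp from a host the local mail server has just opened an SMTP connection to as an RFC 1413 ident callback rather than a scan, while still flagging SYNs to 113 from hosts with no such relationship. The trace text (including the extra line 7), the local address and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Service names as they appear in the trace, mapped to port numbers.
PORT_NAMES = {"SMTP": 25, "AUTH": 113}

# Constructed sample modelled on the trace in the question; line 7 is an
# added SYN to 113 from a host we never talked to, for contrast.
TRACE = """\
1.  74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [SYN]
2.  216.46.xxx.xxx -- 74.95.xxx.xxx TCP SMTP > 10049 [SYN,ACK]
3.  74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [ACK]
4.  216.46.xxx.xxx -- 74.95.xxx.xxx TCP 44090 > AUTH [SYN]
5.  74.95.xxx.xxx -- 216.46.xxx.xxx ICMP Destination unreachable
6.  216.46.xxx.xxx -- 74.95.xxx.xxx SMTP Response: 220 mail.remotemailserver.com ESMTP Sendmail
7.  198.51.100.9 -- 74.95.xxx.xxx TCP 5555 > AUTH [SYN]
"""

# Only TCP lines with a flag list are relevant; ICMP and payload lines are skipped.
LINE = re.compile(r"^\d+\.\s+(\S+) -- (\S+) TCP (\S+) > (\S+) \[([^\]]+)\]$")


def port(tok: str) -> int:
    """Translate a Wireshark service name (SMTP, AUTH) or numeric port to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def classify(trace: str, local: str) -> List[Tuple[int, str]]:
    """Return (line_no, verdict) for every inbound TCP SYN aimed at `local`.

    A SYN to 113/tcp from a peer that `local` has an outbound SMTP
    connection to is the ident callback of RFC 1413: the remote MTA asks
    which user owns the client side of the SMTP session. It is not a scan.
    """
    smtp_peers = set()          # remote hosts we opened port 25 to
    verdicts = []
    for n, line in enumerate(trace.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        src, dst, _sport, dport, flags = m.groups()
        flagset = {f.strip() for f in flags.split(",")}
        if src == local and port(dport) == 25 and flagset == {"SYN"}:
            smtp_peers.add(dst)
        elif dst == local and flagset == {"SYN"}:
            if port(dport) == 113 and src in smtp_peers:
                verdicts.append((n, "ident callback from SMTP peer (benign)"))
            else:
                verdicts.append((n, f"unsolicited SYN to port {port(dport)}"))
    return verdicts
```

Running `classify(TRACE, "74.95.xxx.xxx")` marks packet 4 as the benign ident callback and line 7 as unsolicited; a firewall rule that answers 113/tcp with a RST (rather than dropping it and blacklisting the source) lets the remote MTA give up immediately without creating these false positives.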
5 Comments
 
LVL 2

Accepted Solution

by:
flames1100 earned 1400 total points
ID: 20016668
Appears to be the remote server sending authentication/identification data over UDP to port 113 to gather info on the client maybe?  Just looked it up and one site said if it caused problems closed to forward the port to a unused internal IP.  Never tried that, though.  They also mentioned you could open that port, but you take some risk in doing so.  Do you have an IP setup just for SMTP or anything?
0
 
LVL 2

Author Comment

by:Thorin
ID: 20017516
Hi flames1100,

Thanks for the response.  Can you provide your information source?  I would like to do some reading on it too.  I do not have an IP setup specifically for SMTP, the firewall does NAT for anything received over 25 to the mail server.  All packets go through the firewall....does that help?

-thorin
0
 
LVL 2

Expert Comment

by:flames1100
ID: 20017737
I referenced a couple articles on Google, plus we have our SMTP setup on a specific IP to keep it separate and to make it easier to troubleshoot and such.  Hope these help (and are accurate)!

http://www.grc.com/port_113.htm

http://www.auditmypc.com/port/udp-port-113.asp
0
 
LVL 2

Author Comment

by:Thorin
ID: 20017893
flames1100,

thanks...I had just found that GRC article - why do I always forget about that site?!?  Anyway thanks for the info.  Looks like I need to open a support case with the firewall vendor to figure out a better way of handling this.  

-thorin
0
 
LVL 2

Expert Comment

by:flames1100
ID: 20017926
Glad I could help.
0
