Thorin

asked on

Firewall issue with SMTP traffic

Howdy Experts!

I have a problem with my firewall automatically blocking some mail servers, due to a perceived intrusion attack.  I can resolve this with 'exceptions' but am finding that I need to do this more often than I would like.  I have run packet traces from outside the firewall (put a hub between the firewall and the cable modem, and attached Wireshark) and it appears the firewall is working correctly.  The remote mail server is sending an (I think) unnecessary packet on port 113, which is unopened, and my firewall starts blocking the server thinking it is an intrusion attempt.  

Here is the packet activity for a blocked communication - 74.95.xxx.xxx is my mail server, and 216.46.xxx.xxx is the remote mail server.  
1.  74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [SYN]
2.  216.46.xxx.xxx -- 74.95.xxx.xxx TCP SMTP > 10049 [SYN,ACK]
3.  74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [ACK]
4.  216.46.xxx.xxx -- 74.95.xxx.xxx TCP 44090 > AUTH [SYN]
5.  74.95.xxx.xxx -- 216.46.xxx.xxx ICMP Destnation unreachable
6.  216.46.xxx.xxx -- 74.95.xxx.xxx SMTP Response: 220 mail.remotemailserver.com ESMTP Sendmail

The problem is packet 4 - this comes in on port 113, my firewall blocks it as an intrusion attempt and begins temporarily blocking that IP.  Packet 6 (which repeats in subsequent packets) is ignored.  

Why/what is packet #4, and why is the remote mail server sending it?  Again, I know I can set my mail server to allow an exception for this remote mail server, but I have now got 4 remote mail servers that need this exception.  That doesn't seem right.

Thanks in advance for any ideas, help.  

-Thorin
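The distinction the firewall is missing in the trace above is that the port-113 SYN (packet 4) comes from a host the local mail server had just opened an SMTP connection to (packet 1), which is what an IDENT/AUTH callback (RFC 1413, the service Wireshark labels "AUTH") looks like. The script below is an added example, not code from the thread or from either poster: it reads trace lines written in the same shorthand as the question, tracks which remote peers we connected to on port 25, and labels each inbound SYN to port 113 as an IDENT callback tied to one of those sessions or as an unsolicited probe. The local address set, the regex over the shorthand, and the seventh packet from 198.51.100.7 are constructed for the example.

```python
"""Tell an IDENT callback apart from an unsolicited SYN to port 113.

Added example, not from the original thread. Lines are in the shorthand
Thorin used in the question: "<no>.  <src> -- <dst> TCP <sport> > <dport> [FLAGS]".
"""
import re

# Service names as Wireshark prints them in the question's trace (assumption:
# only these two names appear; numeric ports are used as-is).
SERVICE_PORTS = {"SMTP": 25, "AUTH": 113}

LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\.\s+(?P<src>\S+)\s+--\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]"
)


def _port(token):
    """Turn a port token ('10049' or 'SMTP') into an integer port number."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS[token]


def classify_ident_syns(lines, local_hosts):
    """Return (packet_no, remote_ip, verdict) for every SYN to a local port 113.

    verdict is 'ident_callback' when the remote peer is one we currently have an
    outbound SMTP connection to (we sent the SYN to its port 25), otherwise
    'unsolicited_probe'. ICMP and SMTP-response lines carry no TCP flags and
    are skipped.
    """
    open_smtp_peers = set()  # remote IPs we have an outbound port-25 session with
    verdicts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        dport = _port(m["dport"])
        flags = {f.strip() for f in m["flags"].split(",")}
        if "SYN" in flags and "ACK" not in flags:
            if src in local_hosts and dport == 25:
                open_smtp_peers.add(dst)
            elif dst in local_hosts and dport == 113:
                verdict = "ident_callback" if src in open_smtp_peers else "unsolicited_probe"
                verdicts.append((int(m["no"]), src, verdict))
        # A FIN or RST on the SMTP session ends the window in which a callback
        # from that peer is expected.
        if ("FIN" in flags or "RST" in flags) and 25 in (dport, _port(m["sport"])):
            open_smtp_peers.discard(src if src not in local_hosts else dst)
    return verdicts


# Constructed sample: the six packets from the question plus one SYN to port
# 113 from a host (documentation address 198.51.100.7) we never talked to.
SAMPLE_TRACE = [
    "1.  74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [SYN]",
    "2.  216.46.xxx.xxx -- 74.95.xxx.xxx TCP SMTP > 10049 [SYN,ACK]",
    "3.  74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [ACK]",
    "4.  216.46.xxx.xxx -- 74.95.xxx.xxx TCP 44090 > AUTH [SYN]",
    "5.  74.95.xxx.xxx -- 216.46.xxx.xxx ICMP Destnation unreachable",
    "6.  216.46.xxx.xxx -- 74.95.xxx.xxx SMTP Response: 220 mail.remotemailserver.com ESMTP Sendmail",
    "7.  198.51.100.7 -- 74.95.xxx.xxx TCP 51022 > AUTH [SYN]",
]

if __name__ == "__main__":
    for no, peer, verdict in classify_ident_syns(SAMPLE_TRACE, {"74.95.xxx.xxx"}):
        print(f"packet {no}: {peer} -> {verdict}")
```

Run on the sample, packet 4 is reported as an IDENT callback from 216.46.xxx.xxx and packet 7 as an unsolicited probe. The point for the firewall rule is that the exception does not have to be maintained per remote server: a port-113 SYN from a peer with an open outbound SMTP session is expected behaviour and should not count toward the intrusion threshold, while the same SYN from an unknown host still can.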
ASKER CERTIFIED SOLUTION
flames1100
Thorin

ASKER

Hi flames1100,

Thanks for the response.  Can you provide your information source?  I would like to do some reading on it too.  I do not have an IP setup specifically for SMTP, the firewall does NAT for anything received over 25 to the mail server.  All packets go through the firewall....does that help?

-thorin
I referenced a couple articles on Google, plus we have our SMTP setup on a specific IP to keep it separate and to make it easier to troubleshoot and such.  Hope these help (and are accurate)!

http://www.grc.com/port_113.htm

http://www.auditmypc.com/port/udp-port-113.asp
Thorin

ASKER

flames1100,

thanks...I had just found that GRC article - why do I always forget about that site?!?  Anyway thanks for the info.  Looks like I need to open a support case with the firewall vendor to figure out a better way of handling this.  

-thorin
Glad I could help.