Firewall issue with SMTP traffic
Posted on 2007-10-04
I have a problem with my firewall automatically blocking some mail servers, due to a perceived intrusion attack. I can resolve this with 'exceptions' but am finding that I need to do this more often than I would like. I have run packet traces from outside the firewall (put a hub between the firewall and the cable modem, and attached Wireshark) and it appears the firewall is working correctly. The remote mail server is sending an (I think) unnecessary packet on port 113, which is unopened, and my firewall starts blocking the server thinking it is an intrusion attempt.
Here is the packet activity for a blocked communication - 74.95.xxx.xxx is my mail server, and 216.46.xxx.xxx is the remote mail server.
1. 74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [SYN]
2. 216.46.xxx.xxx -- 74.95.xxx.xxx TCP SMTP > 10049 [SYN,ACK]
3. 74.95.xxx.xxx -- 216.46.xxx.xxx TCP 10049 > SMTP [ACK]
4. 216.46.xxx.xxx -- 74.95.xxx.xxx TCP 44090 > AUTH [SYN]
5. 74.95.xxx.xxx -- 216.46.xxx.xxx ICMP Destination unreachable
6. 216.46.xxx.xxx -- 74.95.xxx.xxx SMTP Response: 220 mail.remotemailserver.com ESMTP Sendmail
The problem is packet 4 - this comes in on port 113, my firewall blocks it as an intrusion attempt and begins temporarily blocking that IP. Packet 6 (which repeats in subsequent packets) is ignored.
Why/what is packet #4, and why is the remote mail server sending it? Again, I know I can set my mail server to allow an exception for this remote mail server, but I have now got 4 remote mail servers that need this exception. That doesn't seem right.
Thanks in advance for any ideas, help.
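Port 113 is the Ident (AUTH) service of RFC 1413: a mail server that performs Ident lookups opens a connection back to port 113 on the host that just connected to it, to ask which user owns that connection, which is why the SYN in packet 4 arrives right after the SMTP handshake. As an added example that is not part of the original post, the Python script below correlates each inbound SYN to port 113 with a preceding outbound SYN to port 25 from the same host, so a firewall or IDS rule can tell an Ident callback from an unsolicited probe; the timestamps, addresses and the two-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Wireshark prints well-known ports by service name (the post's SMTP and AUTH).
SERVICE_PORTS = {"SMTP": 25, "AUTH": 113}
SMTP_PORT, IDENT_PORT = 25, 113
WINDOW = timedelta(seconds=2)  # how soon after our SMTP SYN the Ident SYN must arrive

# Matches lines shaped like the trace in the post, with a leading timestamp added.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+--\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]\s*$"
)

# Constructed sample (hypothetical addresses): the post's Ident callback, then an
# unrelated SYN to 113 from a host we never opened an SMTP session to.
SAMPLE_TRACE = """\
12:00:00.000 74.95.0.1 -- 216.46.0.2 TCP 10049 > SMTP [SYN]
12:00:00.050 216.46.0.2 -- 74.95.0.1 TCP SMTP > 10049 [SYN,ACK]
12:00:00.051 74.95.0.1 -- 216.46.0.2 TCP 10049 > SMTP [ACK]
12:00:00.120 216.46.0.2 -- 74.95.0.1 TCP 44090 > AUTH [SYN]
12:00:05.000 203.0.113.9 -- 74.95.0.1 TCP 55555 > 113 [SYN]
"""

def port(token):
    return SERVICE_PORTS.get(token.upper()) or int(token)

def parse(line):
    """Parse one TCP trace line into a dict; non-TCP lines (e.g. ICMP) give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"), "src": m["src"],
            "dst": m["dst"], "dport": port(m["dport"]),
            "flags": {f.strip() for f in m["flags"].split(",")}}

def classify_ident(lines):
    """For each inbound SYN to port 113, report whether it follows our own outbound
    SMTP SYN to that host (an Ident callback) or arrived unsolicited."""
    last_smtp_syn = {}  # remote host -> time of our most recent SYN to its port 25
    verdicts = []
    for p in filter(None, map(parse, lines)):
        if p["dport"] == SMTP_PORT and p["flags"] == {"SYN"}:
            last_smtp_syn[p["dst"]] = p["ts"]
        elif p["dport"] == IDENT_PORT and p["flags"] == {"SYN"}:
            related = p["src"] in last_smtp_syn and p["ts"] - last_smtp_syn[p["src"]] <= WINDOW
            verdicts.append((p["src"], "ident-callback" if related else "unsolicited"))
    return verdicts

VERDICTS = classify_ident(SAMPLE_TRACE.splitlines())  # [('216.46.0.2', 'ident-callback'), ('203.0.113.9', 'unsolicited')]
```

A SYN to 113 tagged as an Ident callback is the mail server's lookup, not a scan, so that is the pattern to exempt from the intrusion counter rather than whitelisting each remote server by address.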