Firewall issue with SMTP traffic

Posted on 2007-10-04
Last Modified: 2013-11-30
Howdy Experts!

I have a problem with my firewall automatically blocking some mail servers, due to a perceived intrusion attack.  I can resolve this with 'exceptions' but am finding that I need to do this more often than I would like.  I have run packet traces from outside the firewall (put a hub between the firewall and the cable modem, and attached Wireshark) and it appears the firewall is working correctly.  The remote mail server is sending an (I think) unnecessary packet on port 113, which is unopened, and my firewall starts blocking the server thinking it is an intrusion attempt.  

Here is the packet activity for a blocked communication - is my mail server, and is the remote mail server.  
1. -- TCP 10049 > SMTP [SYN]
2. -- TCP SMTP > 10049 [SYN,ACK]
3. -- TCP 10049 > SMTP [ACK]
4. -- TCP 44090 > AUTH [SYN]
5. -- ICMP Destination unreachable
6. -- SMTP Response: 220 ESMTP Sendmail

The problem is packet 4 - this comes in on port 113, my firewall blocks it as an intrusion attempt and begins temporarily blocking that IP.  Packet 6 (which repeats in subsequent packets) is ignored.  

Why/what is packet #4, and why is the remote mail server sending it?  Again, I know I can set my mail server to allow an exception for this remote mail server, but I have now got 4 remote mail servers that need this exception.  That doesn't seem right.

Thanks in advance for any ideas, help.  

Question by:Thorin

    Accepted Solution

    Appears to be the remote server sending authentication/identification data over UDP to port 113 to gather info on the client maybe?  Just looked it up and one site said if it caused problems closed to forward the port to an unused internal IP.  Never tried that, though.  They also mentioned you could open that port, but you take some risk in doing so.  Do you have an IP setup just for SMTP or anything?

    Author Comment

    Hi flames1100,

    Thanks for the response.  Can you provide your information source?  I would like to do some reading on it too.  I do not have an IP setup specifically for SMTP, the firewall does NAT for anything received over 25 to the mail server.  All packets go through the firewall... does that help?


    Expert Comment

    I referenced a couple articles on Google, plus we have our SMTP setup on a specific IP to keep it separate and to make it easier to troubleshoot and such.  Hope these help (and are accurate)!

    Author Comment


    Thanks... I had just found that GRC article - why do I always forget about that site?!?  Anyway thanks for the info.  Looks like I need to open a support case with the firewall vendor to figure out a better way of handling this.  


    Expert Comment

    Glad I could help.
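
An added example, not part of the original thread: packet 4 in the trace is a TCP SYN to port 113 (AUTH, the ident service defined in RFC 1413) coming from the server the local host had just connected to on SMTP. The sketch below separates that pattern from unrelated probes of port 113 in a list of packet summaries; the tuple layout, the 30-second window and every address are assumptions constructed for illustration.

```python
from collections import namedtuple

# One packet summary; this field layout is an assumption, not a Wireshark export format.
Pkt = namedtuple("Pkt", "t src sport dst dport proto flags")

SMTP_PORT, IDENT_PORT = 25, 113
WINDOW = 30.0  # assumed: seconds after our SMTP SYN in which an ident query is expected

def classify_ident_syns(packets, local_ip, window=WINDOW):
    """Label every inbound TCP SYN to port 113 as 'ident-callback' when the
    sender is a server we recently opened an SMTP connection to, otherwise
    'unsolicited'. Returns a list of (source_ip, label) in time order."""
    smtp_started = {}  # remote IP -> time of our most recent outbound SMTP SYN
    verdicts = []
    for p in sorted(packets, key=lambda pkt: pkt.t):
        if p.proto != "TCP" or p.flags != "SYN":
            continue  # only connection attempts matter here
        if p.src == local_ip and p.dport == SMTP_PORT:
            smtp_started[p.dst] = p.t
        elif p.dst == local_ip and p.dport == IDENT_PORT:
            started = smtp_started.get(p.src)
            related = started is not None and p.t - started <= window
            verdicts.append((p.src, "ident-callback" if related else "unsolicited"))
    return verdicts

# Constructed sample mirroring packets 1-4 of the trace, plus one unrelated probe.
# Addresses come from the documentation ranges; the real ones are not on the page.
LOCAL, REMOTE, OTHER = "192.0.2.10", "198.51.100.25", "203.0.113.7"
SAMPLE = [
    Pkt(0.00, LOCAL, 10049, REMOTE, 25, "TCP", "SYN"),
    Pkt(0.05, REMOTE, 25, LOCAL, 10049, "TCP", "SYN,ACK"),
    Pkt(0.06, LOCAL, 10049, REMOTE, 25, "TCP", "ACK"),
    Pkt(0.10, REMOTE, 44090, LOCAL, 113, "TCP", "SYN"),
    Pkt(5.00, OTHER, 51000, LOCAL, 113, "TCP", "SYN"),
]

if __name__ == "__main__":
    for src, label in classify_ident_syns(SAMPLE, LOCAL):
        print(f"{src}: {label}")
```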
