joedelapaz
asked on
SMTP traffic being disconnected after DATA is sent
Hello All,
I have an issue with one particular e-newsletter that needs to come into our network, but is being dropped for some reason.
The incoming email trajectory is:
A Cisco 2811 as our border router
Nokia IP 1220 Firewall
Sophos ES1000 Email Filter
(The transmission does not get this far. However, we have:)
SurfControl Content Filter
Exchange 2003 Front End
Exchange 2003 Back End
I have pored over our border router and Firewall logs and we can see the smtp conversations for this particular email being green-lighted and passing through.
I've also been working with the Sophos tech and he can see the following in the appliance logs.
Feb 11 TZMA01 postfix/smtpd[53381]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[53381]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54383]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54383]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[52946]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[52946]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54376]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54376]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54409]: connect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54409]: D1E4B2220241: client=external.mail.com[2
Feb 11 TZMA01 postfix/smtpd[54409]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54409]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54508]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54508]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[69227]: connect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[69227]: BB12122202C8: client=external.mail.com[2
Feb 11 TZMA01 postfix/smtpd[69227]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[69227]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[53226]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[53226]: disconnect from external.mail.com[203.xxx.
However, he cannot give me a reason for the disconnection.
The appliance itself is not registering the email spam (as yet) because it does not look as though the SMTP communication is finishing successfully.
By running a sniffer over the connection we can see pretty much the whole email come through, apart from the last few expected packets and the all important <.> end transmission sequence.
Our next testing step is to bypass Sophos and Surfcontrol altogether and go straight to the Exchange FE. This will only be for a very short time in order to test the extent of this particular issue (and mitigate risks).
Also, our MTU size is currently set to 1492. I will probably test setting this to 1500 and see if it works.
Has anyone seen these symptoms before?
Any assistance would be appreciated as I have exhausted all options from my end.
Thanks in advance.
Joe
I have an issue with one particular e-newsletter that needs to come into our network, but is being dropped for some reason.
The incoming email trajectory is:
A Cisco 2811 as our border router
Nokia IP 1220 Firewall
Sophos ES1000 Email Filter
(The transmission does not get this far. However, we have:)
SurfControl Content Filter
Exchange 2003 Front End
Exchange 2003 Back End
I have pored over our border router and Firewall logs and we can see the smtp conversations for this particular email being green-lighted and passing through.
I've also been working with the Sophos tech and he can see the following in the appliance logs.
Feb 11 TZMA01 postfix/smtpd[53381]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[53381]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54383]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54383]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[52946]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[52946]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54376]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54376]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54409]: connect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54409]: D1E4B2220241: client=external.mail.com[2
Feb 11 TZMA01 postfix/smtpd[54409]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54409]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54508]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[54508]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[69227]: connect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[69227]: BB12122202C8: client=external.mail.com[2
Feb 11 TZMA01 postfix/smtpd[69227]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[69227]: disconnect from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[53226]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 TZMA01 postfix/smtpd[53226]: disconnect from external.mail.com[203.xxx.
However, he cannot give me a reason for the disconnection.
The appliance itself is not registering the email spam (as yet) because it does not look as though the SMTP communication is finishing successfully.
By running a sniffer over the connection we can see pretty much the whole email come through, apart from the last few expected packets and the all important <.> end transmission sequence.
Our next testing step is to bypass Sophos and Surfcontrol altogether and go straight to the Exchange FE. This will only be for a very short time in order to test the extent of this particular issue (and mitigate risks).
Also, our MTU size is currently set to 1492. I will probably test setting this to 1500 and see if it works.
Has anyone seen these symptoms before?
Any assistance would be appreciated as I have exhausted all options from my end.
Thanks in advance.
Joe
ASKER
we have a fairly substantial connection to the internet. somewhere within the realm of 20 mb.
and utilisation on this pipe is at a healthy level
i can confirm that the telnet connection test was successful
this is the only email that we are having issues with. all other emails are fine or at least not reporting any issues.
I've checked the logs and cannot see any other similar dropout issues that would indicate a larger problem at hand
This newsletter is sent to external and internal recipients every monday morning. At last count this newsletter is being sent to 800 external recipients and 200 internal recipients. People out on the web have not reported any issues receiving the mail. However, entry into our organisation is proving elusive.
and utilisation on this pipe is at a healthy level
i can confirm that the telnet connection test was successful
this is the only email that we are having issues with. all other emails are fine or at least not reporting any issues.
I've checked the logs and cannot see any other similar dropout issues that would indicate a larger problem at hand
This newsletter is sent to external and internal recipients every monday morning. At last count this newsletter is being sent to 800 external recipients and 200 internal recipients. People out on the web have not reported any issues receiving the mail. However, entry into our organisation is proving elusive.
ASKER
oh, and I'm trying to get a hold of the logs with timestamps. I need to get them from the Sophos tech. So hopefully I can post them up soon.
ASKER
Here is the updated log with timestamps as requested.
Thanks very much for your help thus far. Much appreciated.
Feb 11 00:06:38 TZES01 postfix/smtpd[53171]: 6C5E722202AF: client=external.mail.com[2
Feb 11 00:06:38 TZES01 postfix/smtpd[53171]: disconnect from external.mail.com[203.xxx.
Feb 11 00:06:57 TZES01 postfix/smtpd[66386]: connect from external.mail.com[203.xxx.
Feb 11 00:06:57 TZES01 postfix/smtpd[66386]: A6CBE22202BF: client=external.mail.com[2
Feb 11 00:07:02 TZES01 postfix/smtpd[66460]: connect from external.mail.com[203.xxx.
Feb 11 00:07:02 TZES01 postfix/smtpd[66460]: ED78522202D0: client=external.mail.com[2
Feb 11 00:07:03 TZES01 postfix/smtpd[66460]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:07:03 TZES01 postfix/smtpd[66460]: disconnect from external.mail.com[203.xxx.
Feb 11 00:07:16 TZES01 postfix/smtpd[69234]: connect from external.mail.com[203.xxx.
Feb 11 00:07:17 TZES01 postfix/smtpd[69234]: 4DEBD2220207: client=external.mail.com[2
Feb 11 00:07:18 TZES01 postfix/smtpd[69234]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:07:18 TZES01 postfix/smtpd[69234]: disconnect from external.mail.com[203.xxx.
Feb 11 00:07:26 TZES01 postfix/smtpd[69229]: connect from external.mail.com[203.xxx.
Feb 11 00:07:26 TZES01 postfix/smtpd[69229]: A9DDD222022A: client=external.mail.com[2
Feb 11 00:07:34 TZES01 postfix/smtpd[52755]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:07:34 TZES01 postfix/smtpd[52755]: disconnect from external.mail.com[203.xxx.
Feb 11 00:07:56 TZES01 postfix/smtpd[53227]: connect from external.mail.com[203.xxx.
Feb 11 00:07:56 TZES01 postfix/smtpd[53227]: E5D5722202CD: client=external.mail.com[2
Feb 11 00:07:57 TZES01 postfix/smtpd[53227]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:07:57 TZES01 postfix/smtpd[53227]: disconnect from external.mail.com[203.xxx.
Feb 11 00:08:10 TZES01 postfix/smtpd[54466]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:08:10 TZES01 postfix/smtpd[54466]: disconnect from external.mail.com[203.xxx.
Feb 11 00:08:28 TZES01 postfix/smtpd[53381]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:08:28 TZES01 postfix/smtpd[53381]: disconnect from external.mail.com[203.xxx.
Feb 11 00:08:36 TZES01 postfix/smtpd[54383]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:08:36 TZES01 postfix/smtpd[54383]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:07 TZES01 postfix/smtpd[52946]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:09:07 TZES01 postfix/smtpd[52946]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:26 TZES01 postfix/smtpd[54376]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:09:26 TZES01 postfix/smtpd[54376]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:44 TZES01 postfix/smtpd[54409]: connect from external.mail.com[203.xxx.
Feb 11 00:09:44 TZES01 postfix/smtpd[54409]: D1E4B2220241: client=external.mail.com[2
Feb 11 00:09:45 TZES01 postfix/smtpd[54409]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:09:45 TZES01 postfix/smtpd[54409]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:56 TZES01 postfix/smtpd[54508]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:09:56 TZES01 postfix/smtpd[54508]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:56 TZES01 postfix/smtpd[69227]: connect from external.mail.com[203.xxx.
Feb 11 00:09:56 TZES01 postfix/smtpd[69227]: BB12122202C8: client=external.mail.com[2
Feb 11 00:09:57 TZES01 postfix/smtpd[69227]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:09:57 TZES01 postfix/smtpd[69227]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:59 TZES01 postfix/smtpd[53226]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:09:59 TZES01 postfix/smtpd[53226]: disconnect from external.mail.com[203.xxx.
Thanks very much for your help thus far. Much appreciated.
Feb 11 00:06:38 TZES01 postfix/smtpd[53171]: 6C5E722202AF: client=external.mail.com[2
Feb 11 00:06:38 TZES01 postfix/smtpd[53171]: disconnect from external.mail.com[203.xxx.
Feb 11 00:06:57 TZES01 postfix/smtpd[66386]: connect from external.mail.com[203.xxx.
Feb 11 00:06:57 TZES01 postfix/smtpd[66386]: A6CBE22202BF: client=external.mail.com[2
Feb 11 00:07:02 TZES01 postfix/smtpd[66460]: connect from external.mail.com[203.xxx.
Feb 11 00:07:02 TZES01 postfix/smtpd[66460]: ED78522202D0: client=external.mail.com[2
Feb 11 00:07:03 TZES01 postfix/smtpd[66460]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:07:03 TZES01 postfix/smtpd[66460]: disconnect from external.mail.com[203.xxx.
Feb 11 00:07:16 TZES01 postfix/smtpd[69234]: connect from external.mail.com[203.xxx.
Feb 11 00:07:17 TZES01 postfix/smtpd[69234]: 4DEBD2220207: client=external.mail.com[2
Feb 11 00:07:18 TZES01 postfix/smtpd[69234]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:07:18 TZES01 postfix/smtpd[69234]: disconnect from external.mail.com[203.xxx.
Feb 11 00:07:26 TZES01 postfix/smtpd[69229]: connect from external.mail.com[203.xxx.
Feb 11 00:07:26 TZES01 postfix/smtpd[69229]: A9DDD222022A: client=external.mail.com[2
Feb 11 00:07:34 TZES01 postfix/smtpd[52755]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:07:34 TZES01 postfix/smtpd[52755]: disconnect from external.mail.com[203.xxx.
Feb 11 00:07:56 TZES01 postfix/smtpd[53227]: connect from external.mail.com[203.xxx.
Feb 11 00:07:56 TZES01 postfix/smtpd[53227]: E5D5722202CD: client=external.mail.com[2
Feb 11 00:07:57 TZES01 postfix/smtpd[53227]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:07:57 TZES01 postfix/smtpd[53227]: disconnect from external.mail.com[203.xxx.
Feb 11 00:08:10 TZES01 postfix/smtpd[54466]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:08:10 TZES01 postfix/smtpd[54466]: disconnect from external.mail.com[203.xxx.
Feb 11 00:08:28 TZES01 postfix/smtpd[53381]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:08:28 TZES01 postfix/smtpd[53381]: disconnect from external.mail.com[203.xxx.
Feb 11 00:08:36 TZES01 postfix/smtpd[54383]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:08:36 TZES01 postfix/smtpd[54383]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:07 TZES01 postfix/smtpd[52946]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:09:07 TZES01 postfix/smtpd[52946]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:26 TZES01 postfix/smtpd[54376]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:09:26 TZES01 postfix/smtpd[54376]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:44 TZES01 postfix/smtpd[54409]: connect from external.mail.com[203.xxx.
Feb 11 00:09:44 TZES01 postfix/smtpd[54409]: D1E4B2220241: client=external.mail.com[2
Feb 11 00:09:45 TZES01 postfix/smtpd[54409]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:09:45 TZES01 postfix/smtpd[54409]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:56 TZES01 postfix/smtpd[54508]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:09:56 TZES01 postfix/smtpd[54508]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:56 TZES01 postfix/smtpd[69227]: connect from external.mail.com[203.xxx.
Feb 11 00:09:56 TZES01 postfix/smtpd[69227]: BB12122202C8: client=external.mail.com[2
Feb 11 00:09:57 TZES01 postfix/smtpd[69227]: lost connection after DATA from external.mail.com[203.xxx.
Feb 11 00:09:57 TZES01 postfix/smtpd[69227]: disconnect from external.mail.com[203.xxx.
Feb 11 00:09:59 TZES01 postfix/smtpd[53226]: timeout after DATA from external.mail.com[203.xxx.
Feb 11 00:09:59 TZES01 postfix/smtpd[53226]: disconnect from external.mail.com[203.xxx.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The time column is not reported, any chance of including this?
Also, how about establishing a test email from telnet, just to verify your connection?