Solved

Funky SMTP connection termination

Posted on 2009-05-12
4
782 Views
Last Modified: 2013-11-30
We a small network with about 25 users and host our own Exchange and our own spam box, that sits "between" the firewall (Cisco ASA 5505) and the Exchange box (Server 2003 w/ Exchange 2003)... The Cisco ASA 5505 routes all (MX) port 25 traffic to our spam "server," which is a dedicated Windows XP Pro box that houses our spam software (Praetor). Besides the occasional delayed delivery issues cause by XP Pro's virtual SMTP server only allowing 10 concurrent connections, we are having some vexing SMTP issues. This issue seems to be mainly with ATT-Worldnet, but I have had it happen to a couple of G-mail emails as well. Here's the issue:

The spam box will accept the SMTP connection, but then the session ends (is terminated) before transferring any data (the email). To me it looks like it is the ATT server sending the QUIT, but ATT is saying that we are blocking them... And I can guarantee that we are not blocking them, or anyone else for that matter. And its not the spam software terminating the connection due to the AT&T server being on an RBL, as the connection is terminated before the spam software can even act&
Ive included the SMTP logs for one of the troubled connections as well as a good connection from a Gmail account that shows the proper connection flow, including the scanning by the spam software and the transfer to the Exchange server for final delivery to the recipient. Ive also included the header information from an AT&T email on which the connection was canceled&

BAD CONNECTION:
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 EHLO - +fmailhost06.isp.att.net 250 0 177 28 0 SMTP - - - -
---
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 MAIL - +FROM:<rj@att.net> 250 0 43 40 16 SMTP - - - -
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 RCPT - +TO:<rj@my-domain.com> 250 0 41 38 0 SMTP - - - -
---
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 QUIT - fmailhost06.isp.att.net 0 875 46 4 328 SMTP - - - -

GOOD CONNECTION:
2009-05-12 16:03:42 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 EHLO - +mail-gx0-f158.google.com 250 0 176 29 0 SMTP - - - -
---
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 MAIL - +FROM:<rj@gmail.com> 250 0 45 32 0 SMTP - - - -
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 RCPT - +TO:<rj@my-domain.com> 250 0 41 38 0 SMTP - - - -
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 DATA - +<ac41179b0905120908p3003bc4eh555647e0d52bde30@mail.gmail.com> 250 0 145 1708 78 SMTP - - - -
2009-05-12 16:03:43 - OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 220+EXCHANGE01.my-domain.com+Microsoft+ESMTP+MAIL+Service,+Version:+6.0.3790.3959+ready+at++Tue,+12+May+2009+12:06:08+-0400+ 0 0 128 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 EHLO - Praetor.my-domain.com 0 0 4 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 250-EXCHANGE01.my-domain.com+Hello+[192.168.0.32] 0 0 53 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 MAIL - FROM:<rj@gmail.com> 0 0 4 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 250+2.1.0+rj@gmail.com....Sender+OK 0 0 43 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 RCPT - TO:<rj@my-domain.com> 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 250+2.1.5+rj@my-domain.com+ 0 0 39 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 BDAT - 1987+LAST 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 250+2.6.0++<ac41179b0905120908p3003bc4eh555647e0d52bde30@mail.gmail.com>+Queued+mail+for+delivery 0 0 97 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 QUIT - - 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 221+2.0.0+EXCHANGE01.my-domain.com+Service+closing+transmission+channel 0 0 75 0 16 SMTP - - - -
---
2009-05-12 16:04:14 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 QUIT - mail-gx0-f158.google.com 0 30328 74 4 0 SMTP - - - -

BAD EMAIL HEADER:
From postmaster@isp.att.net Tue May 12 01:13:58 2009
Return-Path: <>
Authentication-Results: mta144.sbc.mail.mud.yahoo.com  from=isp.att.net; domainkeys=neutral (no sig); from=isp.att.net; dkim=neutral (no  sig)
Received: from 204.127.217.106  (EHLO fmailhost06.isp.att.net) (204.127.217.106)
  by mta144.sbc.mail.mud.yahoo.com with SMTP; Tue, 12 May 2009 01:14:15 -0700
Received: from fmailhost06.isp.att.net (localhost[127.0.0.1])
          by isp.att.net (frfwmhc06) with ESMTP
          id <20090512081414H0600rqsq7e>; Tue, 12 May 2009 08:14:14 +0000
From: postmaster@isp.att.net
Subject: Returned mail: delivery problems encountered
Message-Id: <20090512081358H060074g00e@isp.att.net>
Date: 12 May 2009  8:13:58 +0000
To: <ricjenkins@att.net>
Mime-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="_4a092fc6.1c90.0+isp.att.net=_"
Content-Length: 2317


Any information or assistance would be greatly appreciated. Thanks.

Ric J.
0
Comment
Question by:ricjenkins
  • 2
  • 2
4 Comments
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24367143
Have you turned off the SMTP mail guard or whatever it is called on the ASA device? That can cause this problem.

Simon.
0
 

Author Comment

by:ricjenkins
ID: 24367637
No I haven't. I would imagine that if that were it, it would affect ALL SMTP connections and email... And it's only affecting AT&T Worldnet email, almost exclusively. I'll look at it though. Thanks.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24370393
Alas no.
It causes problems with certain types of connections. On the predecessor (PIX) it was so notorious that Microsoft actually had a KB article on how to turn it off!

Simon.
0
 

Author Closing Comment

by:ricjenkins
ID: 31580630
This appears to have done it! On the ASA5505 it's under the ESMTP policy inspection. Go to Configuration > Security Policy > Service Policy Rules > *edit policy* Rule Actions > Protocol Inspection, and un-check ESMTP, and apply (and copy to flash). I had the troubled address send a few test emails and I got them all just fine! Thanks a bunch for the help!  
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SMTP using .net w/o mail server 2 67
unable to download Address Book 21 55
Email Headers 5 55
What Exchange User Permissions Does One have? 7 35
Nearly six years ago I was hired by a company to be their senior server engineer. One of my first projects was to implement Exchange Server 2007 on a Windows Server 2008 Single Copy Cluster for high availability. That was the easy part; read on to l…
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question