ricjenkins
asked on
Funky SMTP connection termination
We a small network with about 25 users and host our own Exchange and our own spam box, that sits "between" the firewall (Cisco ASA 5505) and the Exchange box (Server 2003 w/ Exchange 2003)... The Cisco ASA 5505 routes all (MX) port 25 traffic to our spam "server," which is a dedicated Windows XP Pro box that houses our spam software (Praetor). Besides the occasional delayed delivery issues cause by XP Pro's virtual SMTP server only allowing 10 concurrent connections, we are having some vexing SMTP issues. This issue seems to be mainly with ATT-Worldnet, but I have had it happen to a couple of G-mail emails as well. Here's the issue:
The spam box will accept the SMTP connection, but then the session ends (is terminated) before transferring any data (the email). To me it looks like it is the ATT server sending the QUIT, but ATT is saying that we are blocking them... And I can guarantee that we are not blocking them, or anyone else for that matter. And its not the spam software terminating the connection due to the AT&T server being on an RBL, as the connection is terminated before the spam software can even act&
Ive included the SMTP logs for one of the troubled connections as well as a good connection from a Gmail account that shows the proper connection flow, including the scanning by the spam software and the transfer to the Exchange server for final delivery to the recipient. Ive also included the header information from an AT&T email on which the connection was canceled&
BAD CONNECTION:
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 EHLO - +fmailhost06.isp.att.net 250 0 177 28 0 SMTP - - - -
---
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 MAIL - +FROM:<rj@att.net> 250 0 43 40 16 SMTP - - - -
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 RCPT - +TO:<rj@my-domain.com> 250 0 41 38 0 SMTP - - - -
---
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 QUIT - fmailhost06.isp.att.net 0 875 46 4 328 SMTP - - - -
GOOD CONNECTION:
2009-05-12 16:03:42 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 EHLO - +mail-gx0-f158.google.com 250 0 176 29 0 SMTP - - - -
---
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 MAIL - +FROM:<rj@gmail.com> 250 0 45 32 0 SMTP - - - -
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 RCPT - +TO:<rj@my-domain.com> 250 0 41 38 0 SMTP - - - -
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 DATA - +<ac41179b0905120908p3003b c4eh555647 e0d52bde30 @mail.gmai l.com> 250 0 145 1708 78 SMTP - - - -
2009-05-12 16:03:43 - OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 220+EXCHANGE01.my-domain.c om+Microso ft+ESMTP+M AIL+Servic e,+Version :+6.0.3790 .3959+read y+at++Tue, +12+May+20 09+12:06:0 8+-0400+ 0 0 128 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 EHLO - Praetor.my-domain.com 0 0 4 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 250-EXCHANGE01.my-domain.c om+Hello+[ 192.168.0. 32] 0 0 53 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 MAIL - FROM:<rj@gmail.com> 0 0 4 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 250+2.1.0+rj@gmail.com.... Sender+OK 0 0 43 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 RCPT - TO:<rj@my-domain.com> 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 250+2.1.5+rj@my-domain.com + 0 0 39 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 BDAT - 1987+LAST 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 250+2.6.0++<ac41179b090512 0908p3003b c4eh555647 e0d52bde30 @mail.gmai l.com>+Que ued+mail+f or+deliver y 0 0 97 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 QUIT - - 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse SMTPSVC1 PRAETOR - 25 - - 221+2.0.0+EXCHANGE01.my-do main.com+S ervice+clo sing+trans mission+ch annel 0 0 75 0 16 SMTP - - - -
---
2009-05-12 16:04:14 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 QUIT - mail-gx0-f158.google.com 0 30328 74 4 0 SMTP - - - -
BAD EMAIL HEADER:
From postmaster@isp.att.net Tue May 12 01:13:58 2009
Return-Path: <>
Authentication-Results: mta144.sbc.mail.mud.yahoo. com from=isp.att.net; domainkeys=neutral (no sig); from=isp.att.net; dkim=neutral (no sig)
Received: from 204.127.217.106 (EHLO fmailhost06.isp.att.net) (204.127.217.106)
by mta144.sbc.mail.mud.yahoo. com with SMTP; Tue, 12 May 2009 01:14:15 -0700
Received: from fmailhost06.isp.att.net (localhost[127.0.0.1])
by isp.att.net (frfwmhc06) with ESMTP
id <20090512081414H0600rqsq7e >; Tue, 12 May 2009 08:14:14 +0000
From: postmaster@isp.att.net
Subject: Returned mail: delivery problems encountered
Message-Id: <20090512081358H060074g00e @isp.att.n et>
Date: 12 May 2009 8:13:58 +0000
To: <ricjenkins@att.net>
Mime-Version: 1.0
Content-Type: multipart/report; report-type=delivery-statu s; boundary="_4a092fc6.1c90.0 +isp.att.n et=_"
Content-Length: 2317
Any information or assistance would be greatly appreciated. Thanks.
Ric J.
The spam box will accept the SMTP connection, but then the session ends (is terminated) before transferring any data (the email). To me it looks like it is the ATT server sending the QUIT, but ATT is saying that we are blocking them... And I can guarantee that we are not blocking them, or anyone else for that matter. And its not the spam software terminating the connection due to the AT&T server being on an RBL, as the connection is terminated before the spam software can even act&
Ive included the SMTP logs for one of the troubled connections as well as a good connection from a Gmail account that shows the proper connection flow, including the scanning by the spam software and the transfer to the Exchange server for final delivery to the recipient. Ive also included the header information from an AT&T email on which the connection was canceled&
BAD CONNECTION:
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 EHLO - +fmailhost06.isp.att.net 250 0 177 28 0 SMTP - - - -
---
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 MAIL - +FROM:<rj@att.net> 250 0 43 40 16 SMTP - - - -
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 RCPT - +TO:<rj@my-domain.com> 250 0 41 38 0 SMTP - - - -
---
2009-05-11 08:40:56 204.127.217.106 fmailhost06.isp.att.net SMTPSVC1 PRAETOR 192.168.0.32 0 QUIT - fmailhost06.isp.att.net 0 875 46 4 328 SMTP - - - -
GOOD CONNECTION:
2009-05-12 16:03:42 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 EHLO - +mail-gx0-f158.google.com 250 0 176 29 0 SMTP - - - -
---
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 MAIL - +FROM:<rj@gmail.com> 250 0 45 32 0 SMTP - - - -
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 RCPT - +TO:<rj@my-domain.com> 250 0 41 38 0 SMTP - - - -
2009-05-12 16:03:43 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 DATA - +<ac41179b0905120908p3003b
2009-05-12 16:03:43 - OutboundConnectionResponse
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 EHLO - Praetor.my-domain.com 0 0 4 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 MAIL - FROM:<rj@gmail.com> 0 0 4 0 0 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 RCPT - TO:<rj@my-domain.com> 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 BDAT - 1987+LAST 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionCommand SMTPSVC1 PRAETOR - 25 QUIT - - 0 0 4 0 16 SMTP - - - -
2009-05-12 16:03:43 EXCHANGE.my-domain.com OutboundConnectionResponse
---
2009-05-12 16:04:14 209.85.217.158 mail-gx0-f158.google.com SMTPSVC1 PRAETOR 192.168.0.32 0 QUIT - mail-gx0-f158.google.com 0 30328 74 4 0 SMTP - - - -
BAD EMAIL HEADER:
From postmaster@isp.att.net Tue May 12 01:13:58 2009
Return-Path: <>
Authentication-Results: mta144.sbc.mail.mud.yahoo.
Received: from 204.127.217.106 (EHLO fmailhost06.isp.att.net) (204.127.217.106)
by mta144.sbc.mail.mud.yahoo.
Received: from fmailhost06.isp.att.net (localhost[127.0.0.1])
by isp.att.net (frfwmhc06) with ESMTP
id <20090512081414H0600rqsq7e
From: postmaster@isp.att.net
Subject: Returned mail: delivery problems encountered
Message-Id: <20090512081358H060074g00e
Date: 12 May 2009 8:13:58 +0000
To: <ricjenkins@att.net>
Mime-Version: 1.0
Content-Type: multipart/report; report-type=delivery-statu
Content-Length: 2317
Any information or assistance would be greatly appreciated. Thanks.
Ric J.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Alas no.
It causes problems with certain types of connections. On the predecessor (PIX) it was so notorious that Microsoft actually had a KB article on how to turn it off!
Simon.
It causes problems with certain types of connections. On the predecessor (PIX) it was so notorious that Microsoft actually had a KB article on how to turn it off!
Simon.
ASKER
This appears to have done it! On the ASA5505 it's under the ESMTP policy inspection. Go to Configuration > Security Policy > Service Policy Rules > *edit policy* Rule Actions > Protocol Inspection, and un-check ESMTP, and apply (and copy to flash). I had the troubled address send a few test emails and I got them all just fine! Thanks a bunch for the help!
ASKER