Configure Symantec Endpoint Protection to allow SMTP to localhost

Hi there,
We have Symantec Endpoint Protection v11 installed on our server to handle the antivirus clients in our office.

A few of us have development PCs that run SMTP mail servers on Localhost to emulate the mail server settings on the web server that our web pages reside on.

The problem is that in order for the web pages to send emails we have to disable the antivirus client on our PCs.  While this allows the emails to work, it's defeating the purpose of having antivirus on our machines in the first place.

I have been trying to set up a new rule in the default "Firewall policy" in the Symantec Endpoint Protection Manager on our server to allow port 25 to Localhost to work but it just won't work.

Can anybody tell me how to configure Endpoint to allow this to work on our clients?

Thanks
SoLostAsked:

BawerCommented:
you can exclude the application from antivirus scanner...
0
m_elsheikhCommented:
You can create new policy for these machines (Antivirus and Antispyware policy), then remove INTERNET EMAIL AUTO PROTECT OPTION FROM IT
0
jhalapradeepCommented:
Hi,

I hope you are creating this rule for a particular group. Because the rules work on groups and not individual clients.

Now please follow these steps:

1) Open SEPM console
2) Click on Clients tab
3) Click on Policies tab under clients
4) UNCHECK inheritance (located on top of window)
5) Click on firewall policy and convert it to NON-Shared policy.
6) now open the firewall policy and click on rules
7) Now create a rule above the "blue line"
8) You should notice a blue line.. some rules are above it and some are below it.
9) now click on add rule and select network service.
10) put a check mark on SMTP server and click ok to create the rule
11) Now additionally if you want you can also edit this rule to add the port for exclusion.
12) On the right side, click on "write to" option and select "traffic log" so that we can track the logs and change the rule accordingly.
13) Now highlight this rule and click on Move Up button and move it to the top so that other block rules do not override it.
14) Now click ok on the policy and wait for the clients to get updated with this policy. (You may force update by right click on group and select update content.)
15) now test if this rule works for you.

Please let me know the results so that if we need we can tweak the rule accordingly.

Regards,
Pradeep Jhala
Symantec Technical Specialist (Endpoint Protection)
0
SoLostAuthor Commented:
Hi Jhala,
Unfortunately that did not help.

After doing what you suggested I told my client to update the policy and waited for the policy to update before testing.  Still no luck.

Checking the traffic logs on the client I can not see anything showing up that indicates that it's being blocked.

Any more thoughts?
SMTP-Localhost.JPG
0
jhalapradeepCommented:
Hi,

Ok, the rule seems to be created correctly as per the attached screenshot.
-Can you edit the rule and under Host rule try to add the host. And select the source/destination instead of local/remote.

Regards,
Pradeep Jhala
0
BawerCommented:
why don't you exclude the software from scanning list...
0
SoLostAuthor Commented:
Ok, I tried that but still no luck.

My PC's hostname is Alpha.  The IP range under "Destination" was added automatically but seems to include our entire subnet so thought that I'd leave it.

Are we looking in the right place?  I ask this because all of the "Block" rules have "Write to Traffic Log" set, but I'm not seeing anything in my clients Traffic Log.
SMTP-Localhost2.JPG
0
jhalapradeepCommented:
Hi,

You can also try this out:

If you have installed The Proactive Threat Protection component on the clients:
-> open the SEPM console
-> Click on Policy tab
-> Open Centralized exception policy and on the right hand pane... right-click and add a policy.
-> now once the policy opens, click on centralized exceptions option on left
-> now click on add button and click on "True scan proactive threat scan exception" and select "detected processes"
-> now this new window will show any processes that are being blocked by truescan proactive threat protection.
-> If there is the email application/process listed, highlight it and under actions, select ignore.
-> this will allow the listed process to run on the client.

-> But the process will be listed only if it is blocked by PTP scan.

Regards,
Pradeep Jhala
0
jhalapradeepCommented:
Hi,

It seems we both were writing at the same time, so couldn't comment on your last post.
-Yes the rule created is fine and if it is now showing anything blocked in the client traffic log.. then actually it is not blocking the SMTP traffic.
-So check the other possible cause that I mentioned in my last post.

Regards,
Pradeep Jhala
0
SoLostAuthor Commented:
Well... for some reason I'm not showing any detected processes... at all :(

Is there somewhere else?
SMTP-Localhost3.JPG
0
jhalapradeepCommented:
Hi,

yes there are no processes listed, so it means PTP is not in the picture here.
-> Now can you clarify on the email application?
->are you using exchange as email server or is it any other?
->The issue here as you mentioned is that the emails are being sent from the webpages hosted on webservers, and the clients are not able to receive the emails unless you disable SEP on client. Is that correct? or you need to disable the SEP client on the webserver?
-> And the clients are receiving mails in their outlook or any other email client?
Please provide me more details on this issue if possible / try to elaborate the scenario.
This will help us narrow down the issue.
And last but not the least. what version of SEP you are using? the full version.

Regards,
Pradeep Jhala
0
SoLostAuthor Commented:
The issue isn't with our production environment.  it is with our in-house development PC's.

I am running Windows Vista with MailEnable (free edition) installed locally ( localhost ) to be an email server.  MailEnable then forwards the email to our exchange server.

Endpoint protection appears to be preventing email from being sent from scripts and apps on my PC to MailEnable on my PC (localhost).  The problem happens with vbscript, asp, asp.net.  If I specify the mail server to be anything other than "localhost" then it works fine.  If I disable the Endpoint Protection client on my PC, it works fine.  It's very strange.
0
jhalapradeepCommented:
Hi,

Thank you for this detailed information, now we have some more useful resource on this:)

Please check these symantec links for mailenable.

http://www.symantec.com/connect/articles/setting-mailenable-standard-routing-multiple-workflow-e-mails-one-box-testing

http://www.symantec.com/connect/forums/how-integrated-mailenable-symantec-endpoint-protection

Regards,
Pradeep Jhala
0
jhalapradeepCommented:
Hi,

Also check this link from mailenable forum: http://forum.mailenable.com/viewtopic.php?f=2&t=18468

Probably you might need to contact mailenable vendor for any latest updates or patch for this if they are aware.

Regards,
Pradeep Jhala
0
jhalapradeepCommented:
Also check this detailed procedure to configure antivirus plugin for mailenable.:
http://www.mailenable.com/kb/content/view.asp?ID=ME020199

-It seems symantec endpoint protection is not on their list.

Regards,
Pradeep Jhala
0
SoLostAuthor Commented:
Son of a !!!@@$!#!@#$!
While composing this message to you I have inadvertently solved my problem...  
I will go into more detail on this so that you and others can see what has happened.
My problem is that I'm not getting an SMTP connection to the mail server at all.

To verify this I ran two tests using Telnet.

Test 1 - Endpoint Protection client disabled

telnet localhost 25
Connecting to localhost . . .
220 mail.alpha.mydomain ESMTP MailEnable Service, Version: 4.22-- ready at 04/15/10 16:21:59
quit
These entries were in MailEnable's activity log:
04/15/10 16:21:59 SMTP-IN E89E4CD4085841EC8C9CCCEECA614506.MAI 704 127.0.0.1   220 mail.gamma.easycall.co.nz ESMTP MailEnable Service, Version: 4.22-- ready at 04/15/10 16:21:59 0 0
04/15/10 16:23:55 SMTP-IN E89E4CD4085841EC8C9CCCEECA614506.MAI 704 127.0.0.1 QUIT quit 221 Service closing transmission channel 42 6
04/15/10 16:23:55 # ME-I0074: [704] (Debug) End of conversation
As you can see, I was able to successfully connect on port 25.


Test 2 - Endpoint Protection enabled

telnet localhost 25
Connecting to localhost . . .
The "Connecting to localhost" message disappears... long delay before finally coming back to the command prompt.  Nothing is recorded in MailEnable's activity log.

If I telnet to another MailEnable email server it also works fine.

Solution
I decided to try telnetting to "127.0.0.1" instead of localhost.  AND IT WORKED!!!
This confused me as everybody knows that localhost and "127.0.0.1" are the same thing.
Thinking that maybe something was screwed up with the way that localhost was set up I decided to ping it.
ping localhost
Pinging Alpha.mydomain [::1] from ::1 with 32 bytes of data:
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Ping statistics for ::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
That's the weirdest response that I have ever seen.  I don't even know what "::1" is.  Shouldn't it have resolved "localhost" to be "127.0.0.1"?
 
So, I then decided to ping 127.0.0.1
ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

That's the type of response that I'm used to seeing.
I edited my hosts file and saw that there were two entries for localhost.
127.0.0.1       localhost
::1             localhost
I assume "::1" has something to do with IPv6.
I commented out the "::1" entry.
127.0.0.1       localhost
# ::1             localhost  
Suddenly I can send emails to localhost without any problems.
I removed all of the changes to the firewall settings that you suggested and it still works.
What the heck is going on here???  Does the Endpoint client not like IPv6 or something?
Does anyone know what the implications are of me leaving that commented out?  Is there a better solution to this problem?
0

jhalapradeepCommented:
Hi,

I appreciate that you figured out the cause of the issue.
Hi, it seems SEP firewall by default blocks all IPV6 traffic. Even with the rule disabled. As IPV6 is not yet supported with SEP firewall.
Please take a look at these articles:
http://www.symantec.com/connect/forums/ipv6-capabilities

http://www.symantec.com/connect/idea/implementation-ipv6-firewall-configuration-rules

Regards,
Pradeep Jhala
0
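
The telnet and ping tests in this thread compare `localhost`, `127.0.0.1` and `::1` by hand; the following added example (not part of any post above) does the same check per address family and separates a refused connection from a silently dropped one, which is the "long delay" symptom described. Port 25 comes from the thread; the function names and the IPv4-only stand-in listener are constructed for illustration.

```python
import socket

FAMILY_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def probe(host, port, timeout=3.0):
    """Try a TCP connect to every address `host` resolves to.

    Returns a list of (family, address, outcome). Outcome is 'open',
    'refused' (nothing listening on that address), 'timeout' (packets
    silently dropped, typical of a firewall) or an 'error: ...' string.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("?", host, f"resolve failed: {exc}")]
    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        name = FAMILY_NAMES.get(family, str(family))
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            outcome = "open"
        except socket.timeout:
            outcome = "timeout"
        except ConnectionRefusedError:
            outcome = "refused"
        except OSError as exc:  # e.g. IPv6 not available on this host
            outcome = f"error: {exc}"
        results.append((name, sockaddr[0], outcome))
    return results


def start_ipv4_only_listener():
    """Constructed stand-in for the mail server: listens on 127.0.0.1 only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = any free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # On the development PC: which address does "localhost" really use?
    for target in ("localhost", "127.0.0.1", "::1"):
        for family, addr, outcome in probe(target, 25):
            print(f"{target:<10} {family} {addr:<12} {outcome}")
```

If the `localhost` rows show an IPv6 address with `timeout` while `127.0.0.1` is `open`, the name is resolving to `::1` first and that path is being filtered, which matches what the hosts-file change in the thread worked around.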