• Status: Solved

Problem receiving certain emails from a particular user and random others from the same domain

The problem extends beyond just this particular email address, but I will just write about this particular email address for this problem.

There is a user from "client company" that just can't send to any of my users.  The client company has other users that send to us fine all of the time, for the most part.  Tracking it down to the logging level, here is what is happening.

------------------------------------------------
Send (theirs)
------------------------------------------------
2012-09-19T19:59:32.767Z,SMTP_Wooden,08CF4C3CB85CA699,0,,68.74.55.148:25,*,,attempting to connect
2012-09-19T19:59:32.774Z,SMTP_Wooden,08CF4C3CB85CA699,1,192.168.1.9:5234,68.74.55.148:25,+,,
2012-09-19T19:59:32.778Z,SMTP_Wooden,08CF4C3CB85CA699,2,192.168.1.9:5234,68.74.55.148:25,<,"220 woodenex1.woodmaclaw.local Microsoft ESMTP MAIL Service ready at Wed, 19 Sep 2012 15:59:32 -0400",
2012-09-19T19:59:32.778Z,SMTP_Wooden,08CF4C3CB85CA699,3,192.168.1.9:5234,68.74.55.148:25,>,EHLO ***.***.com,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,4,192.168.1.9:5234,68.74.55.148:25,<,250-woodenex1.woodmaclaw.local Hello [12.47.252.252],
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,5,192.168.1.9:5234,68.74.55.148:25,<,250-SIZE 10485760,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,6,192.168.1.9:5234,68.74.55.148:25,<,250-DSN,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,7,192.168.1.9:5234,68.74.55.148:25,<,250 AUTH,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,8,192.168.1.9:5234,68.74.55.148:25,*,312547,sending message
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,9,192.168.1.9:5234,68.74.55.148:25,>,MAIL FROM:<***@***.com> SIZE=1940,
2012-09-19T19:59:32.792Z,SMTP_Wooden,08CF4C3CB85CA699,10,192.168.1.9:5234,68.74.55.148:25,<,250 2.1.0 Sender OK,
2012-09-19T19:59:32.792Z,SMTP_Wooden,08CF4C3CB85CA699,11,192.168.1.9:5234,68.74.55.148:25,>,RCPT TO:<bpumphrey@woodmclaw.com>,
2012-09-19T19:59:32.798Z,SMTP_Wooden,08CF4C3CB85CA699,12,192.168.1.9:5234,68.74.55.148:25,<,250 2.1.5 Recipient OK,
2012-09-19T19:59:32.798Z,SMTP_Wooden,08CF4C3CB85CA699,13,192.168.1.9:5234,68.74.55.148:25,>,DATA,
2012-09-19T19:59:32.801Z,SMTP_Wooden,08CF4C3CB85CA699,14,192.168.1.9:5234,68.74.55.148:25,<,354 Start mail input; end with <CRLF>.<CRLF>,
2012-09-19T19:59:40.075Z,SMTP_Wooden,08CF4C3CB85CA699,15,192.168.1.9:5234,68.74.55.148:25,<,250 OK,
2012-09-19T19:59:40.076Z,SMTP_Wooden,08CF4C3CB85CA699,16,192.168.1.9:5234,68.74.55.148:25,>,QUIT,
2012-09-19T19:59:45.081Z,SMTP_Wooden,08CF4C3CB85CA699,17,192.168.1.9:5234,68.74.55.148:25,<,221 2.0.0 Service closing transmission channel,
2012-09-19T19:59:45.081Z,SMTP_Wooden,08CF4C3CB85CA699,18,192.168.1.9:5234,68.74.55.148:25,-,,Local

------------------------------------------------
Receive (mine)
------------------------------------------------
2012-09-19T20:07:25.726Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,1,10.1.1.19:25,12.47.252.252:65048,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2012-09-19T20:07:25.726Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,2,10.1.1.19:25,12.47.252.252:65048,>,"220 woodenex1.woodmaclaw.local Microsoft ESMTP MAIL Service ready at Wed, 19 Sep 2012 16:07:25 -0400",
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,3,10.1.1.19:25,12.47.252.252:65048,<,EHLO ***.***.com,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,4,10.1.1.19:25,12.47.252.252:65048,>,250-woodenex1.woodmaclaw.local Hello [12.47.252.252],
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,5,10.1.1.19:25,12.47.252.252:65048,>,250-SIZE 10485760,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,6,10.1.1.19:25,12.47.252.252:65048,>,250-PIPELINING,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,7,10.1.1.19:25,12.47.252.252:65048,>,250-DSN,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,8,10.1.1.19:25,12.47.252.252:65048,>,250-ENHANCEDSTATUSCODES,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,9,10.1.1.19:25,12.47.252.252:65048,>,250-STARTTLS,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,10,10.1.1.19:25,12.47.252.252:65048,>,250-AUTH,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,11,10.1.1.19:25,12.47.252.252:65048,>,250-8BITMIME,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,12,10.1.1.19:25,12.47.252.252:65048,>,250-BINARYMIME,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,13,10.1.1.19:25,12.47.252.252:65048,>,250 CHUNKING,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,14,10.1.1.19:25,12.47.252.252:65048,<,MAIL FROM:<semberton@prmic.com> SIZE=1950,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,15,10.1.1.19:25,12.47.252.252:65048,*,08CF54DB59839F05;2012-09-19T20:07:25.726Z;1,receiving message
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,16,10.1.1.xx:25,12.47.252.252:65048,>,250 2.1.0 Sender OK,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,17,10.1.1.xx:25,12.47.252.252:65048,<,RCPT TO:<bpumphrey@woodmclaw.com>,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,18,10.1.1.xx:25,12.47.252.252:65048,>,250 2.1.5 Recipient OK,
2012-09-19T20:07:28.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,19,10.1.1.19:25,12.47.252.252:65048,<,RSET,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,20,10.1.1.19:25,12.47.252.252:65048,>,250 2.0.0 Resetting,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,21,10.1.1.19:25,12.47.252.252:65048,<,QUIT ,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,22,10.1.1.19:25,12.47.252.252:65048,>,221 2.0.0 Service closing transmission channel,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,23,10.1.1.19:25,12.47.252.252:65048,-,,Local

What it looks like is that something is getting burgered up where the RSET occurs, like my server is getting a premature RSET command.

Any thoughts?
Asked: getwidth28

1 Solution
Henk van Achterberg (Sr. Technical Consultant) commented:
Is there a firewall in between with an ALG (Application Level Gateway) enabled for SMTP?
getwidth28 (Author) commented:
I should have put this part in the description of the problem.

The party and I have set up a send and receive connector between our Exchange servers so that it would bypass my spam filter MTA altogether, but the problem still persists.

Will you give me an example of the ALGs?  Are you referring to things such as the Windows Firewall, or Symantec firewall, etc.?
Henk van Achterberg (Sr. Technical Consultant) commented:
A Cisco ASA, for example, has an Inspection Policy where it can inspect (E)SMTP traffic and can send RSET commands if the SMTP traffic does not follow certain rules, thus ending mail conversations.

So I am talking about hardware firewalls. Are there any present between both servers, and if so, which brand/SW version?
getwidth28 (Author) commented:
I at least know my side.  There is a Cisco 515pix on my side.

Internet --> 515 --> exchange

Cisco PIX Security Appliance Software Version 7.2(3)
getwidth28 (Author) commented:
defense# show config | grep inspect
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
getwidth28 (Author) commented:
That is my Cisco.
Henk van Achterberg (Sr. Technical Consultant) commented:
In your PIX, please take a look at the inspection policy, enable the inspection of SMTP and try again.
getwidth28 (Author) commented:
Per my previous post, it doesn't look like SMTP inspect is on, right?
Henk van Achterberg (Sr. Technical Consultant) commented:
When I posted the answer you replied with your config :).

My experience is that when you have probs you have to disable inspection; it seems disabled at your end. The RSET packet though is being sent from a device, probably a firewall in between.

Can you discover what the other end is running?
getwidth28 (Author) commented:
I asked....
"The consultant for xxx setup the current firewall, has been in place for months. It is possible but I don’t think it likely"

So I'll see tomorrow.
Henk van Achterberg (Sr. Technical Consultant) commented:
If you have the option you could monitor the traffic coming from the internet (place a hub and put the ASA/WAN/your PC in it) and listen with Wireshark. Then you can see if the RSET command is coming from their end or is being sent by the PIX.

P.S. If you use a switch you will have to put the WAN port in monitor mode, so a hub is much easier :)
getwidth28 (Author) commented:
OK, problem solved.  Your tips were certainly in the right direction.  Here is what transpired.

- I opened an MS ticket through TechNet.  They would support me only somewhat because my Exchange server is on VMware.  They mentioned, just as you did, that it might be getting messed up by a firewall or something.  He had me change a couple of settings in the connector, which helped; however, it wasn't the source of the problem and the problem in general was still there.

- The other party opened a ticket with MS.  He did a packet capture on both ends.  He noticed that when telnetting to my Exchange server, my server was only returning 4 banners instead of the 10 or so.

- While MS was looking at the logs, the other IT person and I did some general testing on the banners, figuring out that for sure my side was blocking something because of the lack of banners.

- I remembered an Untangle web filter appliance type of machine that I have had set up for at least 2 years, probably longer.  The virus blocker was causing it.  After I turned the Virus Blocker off on the Untangle server, it fixed the problem.

My bad for not flagging it as a possible problem, but I didn't even think of it because it had been set up for so long and I wasn't running a firewall on it.

The virus checker did have checkmarks inside of its settings to scan SMTP, so there it was.

Argh, it's always a turd type of answer for "major" problems.
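As an added example (not code from the thread or from either party's systems), here is a Python script that reads Exchange protocol logs in the layout quoted in the question and checks for the two symptoms this thread ends on: EHLO capability lines that the receiving server advertised but the sending server never saw (the "4 banners instead of 10" the other party noticed), and an RSET that reaches the receiving server after RCPT TO but before DATA. The sample rows are constructed from the two logs in the question; the hostname and sender address the thread masked are replaced with example.com placeholders, and the column names follow the standard Exchange protocol-log header.

```python
"""Added example (not from the thread): read two Exchange SMTP protocol logs and
check for a shortened EHLO reply on the sending side and an early RSET on the
receiving side, both signs of an inline device rewriting the SMTP session."""
import csv
from collections import defaultdict

# Exchange protocol-log columns; send and receive connectors share this layout.
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

# Constructed sample rows, trimmed from the two logs quoted in the thread. The masked
# hostname and sender address are example.com placeholders. Raw strings are used
# because the receive connector id contains a backslash.
SENDER_LOG = r"""
2012-09-19T19:59:32.778Z,SMTP_Wooden,08CF4C3CB85CA699,3,192.168.1.9:5234,68.74.55.148:25,>,EHLO mail.sender.example.com,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,4,192.168.1.9:5234,68.74.55.148:25,<,250-woodenex1.woodmaclaw.local Hello [12.47.252.252],
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,5,192.168.1.9:5234,68.74.55.148:25,<,250-SIZE 10485760,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,6,192.168.1.9:5234,68.74.55.148:25,<,250-DSN,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,7,192.168.1.9:5234,68.74.55.148:25,<,250 AUTH,
2012-09-19T19:59:32.785Z,SMTP_Wooden,08CF4C3CB85CA699,9,192.168.1.9:5234,68.74.55.148:25,>,MAIL FROM:<user@sender.example.com> SIZE=1940,
2012-09-19T19:59:32.792Z,SMTP_Wooden,08CF4C3CB85CA699,11,192.168.1.9:5234,68.74.55.148:25,>,RCPT TO:<bpumphrey@woodmclaw.com>,
2012-09-19T19:59:32.798Z,SMTP_Wooden,08CF4C3CB85CA699,13,192.168.1.9:5234,68.74.55.148:25,>,DATA,
"""
RECEIVER_LOG = r"""
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,3,10.1.1.19:25,12.47.252.252:65048,<,EHLO mail.sender.example.com,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,4,10.1.1.19:25,12.47.252.252:65048,>,250-woodenex1.woodmaclaw.local Hello [12.47.252.252],
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,5,10.1.1.19:25,12.47.252.252:65048,>,250-SIZE 10485760,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,6,10.1.1.19:25,12.47.252.252:65048,>,250-PIPELINING,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,7,10.1.1.19:25,12.47.252.252:65048,>,250-DSN,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,8,10.1.1.19:25,12.47.252.252:65048,>,250-ENHANCEDSTATUSCODES,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,9,10.1.1.19:25,12.47.252.252:65048,>,250-STARTTLS,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,10,10.1.1.19:25,12.47.252.252:65048,>,250-AUTH,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,11,10.1.1.19:25,12.47.252.252:65048,>,250-8BITMIME,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,12,10.1.1.19:25,12.47.252.252:65048,>,250-BINARYMIME,
2012-09-19T20:07:25.742Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,13,10.1.1.19:25,12.47.252.252:65048,>,250 CHUNKING,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,14,10.1.1.19:25,12.47.252.252:65048,<,MAIL FROM:<user@sender.example.com> SIZE=1950,
2012-09-19T20:07:25.851Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,17,10.1.1.19:25,12.47.252.252:65048,<,RCPT TO:<bpumphrey@woodmclaw.com>,
2012-09-19T20:07:28.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,19,10.1.1.19:25,12.47.252.252:65048,<,RSET,
2012-09-19T20:07:33.835Z,WOODENEX1\xxx - Connector,08CF54DB59839F05,21,10.1.1.19:25,12.47.252.252:65048,<,QUIT ,
"""


def parse_log(text):
    """Group rows by session id as sorted (sequence, event-char, data) tuples.
    Event chars: '+' connect, '-' disconnect, '>' sent, '<' received, '*' info."""
    sessions = defaultdict(list)
    for row in csv.reader(text.splitlines()):
        if len(row) < len(FIELDS) - 1:        # skip blank lines and truncated rows
            continue
        rec = dict(zip(FIELDS, row))
        sessions[rec["session-id"]].append(
            (int(rec["sequence-number"]), rec["event"], rec["data"]))
    return {sid: sorted(events) for sid, events in sessions.items()}


def ehlo_capabilities(events, server_event):
    """Keywords of the multi-line 250 reply to EHLO. In a client-side (send connector)
    log the server's bytes are '<'; in a server-side (receive connector) log they are
    '>', so the caller states which side the log was written on."""
    client_event = "<" if server_event == ">" else ">"
    caps, in_reply = [], False
    for _, ev, data in events:
        if ev == client_event and data.upper().startswith("EHLO"):
            in_reply = True                       # following 250 lines are the reply
        elif in_reply and ev == server_event and data.startswith("250"):
            caps.append(data[4:].split(" ", 1)[0])
            if len(data) < 4 or data[3] == " ":   # "250 " (space) is the final line
                break
    return caps[1:]                               # first line is the "Hello [ip]" greeting


def premature_reset(events, client_event):
    """True when the client issued RSET after RCPT TO but before DATA, i.e. the
    envelope was accepted yet no message body ever reached this server."""
    recipient_pending = False
    for _, ev, data in events:
        if ev != client_event:
            continue
        verb = data.strip().upper()
        if verb.startswith("RCPT TO"):
            recipient_pending = True
        elif verb.startswith("DATA"):
            recipient_pending = False
        elif verb.startswith("RSET") and recipient_pending:
            return True
    return False


def compare_logs(receiver_text, sender_text):
    """Capabilities the server advertised but the client never saw (something in the
    path rewrote the EHLO reply), plus receiving sessions that were reset before DATA."""
    recv, send = parse_log(receiver_text), parse_log(sender_text)
    advertised = {c for ev in recv.values() for c in ehlo_capabilities(ev, ">")}
    seen = {c for ev in send.values() for c in ehlo_capabilities(ev, "<")}
    reset = sorted(sid for sid, ev in recv.items() if premature_reset(ev, "<"))
    return {"stripped": sorted(advertised - seen), "reset_sessions": reset}


if __name__ == "__main__":
    report = compare_logs(RECEIVER_LOG, SENDER_LOG)
    print("EHLO capabilities lost in transit:", ", ".join(report["stripped"]))
    print("Sessions reset before DATA:", ", ".join(report["reset_sessions"]))
```

Run against real send- and receive-connector logs from the two ends, the "stripped" list is the quick check for an inline device rewriting SMTP: on the sample rows it reports 8BITMIME, BINARYMIME, CHUNKING, ENHANCEDSTATUSCODES, PIPELINING and STARTTLS, and flags the receiving session as reset before DATA. STARTTLS being among the lost lines is worth noting on its own, since it means the sending server was never offered TLS even though the receiving server advertised it.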
Question has a verified solution.