I have a customer who is experiencing some random email issues from different senders' domains. At the beginning, we suspected there was an issue with our Edge servers and some sort of filtering or spamming rules that were blocking those emails.
After further investigation with our cloud spam provider [Symantec Message Labs], they advised that the error displayed below could be some sort of packet inspection at your firewalls and/or IDS/IPS.
Email flow below:
Email goes to external MX records managed by company X
Email flows from the external world to the spam gateway provider [Message Labs], and from Message Labs to the inbound Exchange 2013 Edge servers.
Between Message Labs and the Edge servers are multiple firewall and IDS/IPS appliances with multiple rules.
The problematic email was never delivered to our spam gateway because of the error "4220.127.116.11 internal connection closed by remote host".
To clarify the connection error: the connection is being closed by the recipient server. This could imply some form of packet inspection or firewall-based block. We are able to connect to the primary route x.x.x.x and cannot replicate the issue.
Our spam gateway provider advised us to investigate the reason the connection is closed when delivery of this particular email to your server is attempted.
We disabled all content/attachment filtering at the Edge servers to remove Exchange inbound inspection from the equation, but the issue persists.
Our infrastructure settings are below:
2 sites; each site contains 3 Exchange 2013 MBX servers in a DAG, 2 CAS servers behind an F5 HLB, and 2 Edge servers in a DMZ network for inbound email, which then proxy all requests to the MBX servers.
From a security point of view, we have the following equipment:
Firewalls: Check Point model 12000 CGL running GAIA version R77.20
NMS (Network Security Manager), which is the device that manages the IPS/IDS
IPS/IDS: McAfee IntruShield 4050
We also have the IntruShield 1400
On each site we have a cluster with an active/standby configuration
2 gateways per site for high availability
What needs to be done at the IDS/IPS to fix this issue? Please provide step-by-step instructions based on the hardware models and information provided above.
At the IDS/IPS, how can we detect whether an inspection rule is blocking emails from certain domains/senders, or by rules such as subject, body, attachment, or any other criteria?
How can I guarantee that my VIP users will not get email blocked by any of this packet inspection without putting the company's security at risk?
What are the main settings to check on the security appliances for email inspection and validation?
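Added example (not from the original post, the spam provider or any vendor): a probe that walks one SMTP transaction stage by stage against a receiving host and reports at which stage the remote side closed the connection, so a drop after DATA (message content already on the wire, the pattern an inline content inspector produces) can be told apart from a drop at connect or EHLO (a plain connection-level block). The toy receiver, its hostname and the `X-Test-Block` header are constructed stand-ins for a device that resets the session on matching content.

```python
import smtplib, socket, socketserver, threading

def probe_smtp(host, port, sender, rcpt, message):
    """Walk one SMTP transaction; return 'delivered' or 'closed-during-<stage>'
    so a drop after DATA can be told apart from a drop at connect/EHLO."""
    stage = "connect"
    try:
        s = smtplib.SMTP(timeout=10)
        s.connect(host, port)                  # expects a 220 greeting
        stage = "ehlo"; s.ehlo("probe.example")
        stage = "mail"; s.mail(sender)
        stage = "rcpt"; s.rcpt(rcpt)
        stage = "data"; code, _ = s.data(message)
        s.quit()
        return "delivered" if code == 250 else f"data-rejected-{code}"
    except (smtplib.SMTPServerDisconnected, ConnectionError, socket.timeout):
        return f"closed-during-{stage}"

class InspectingSMTPHandler(socketserver.StreamRequestHandler):
    """Toy receiver: answers every command, but once the DATA body contains the
    constructed marker it drops the TCP connection with no reply at all."""
    BLOCK_MARKER = b"X-Test-Block: yes"       # constructed marker, not a real rule

    def handle(self):
        self.wfile.write(b"220 toy.example ESMTP\r\n")
        while (line := self.rfile.readline()):
            cmd = line.split(b" ")[0].strip().upper()
            if cmd == b"DATA":
                self.wfile.write(b"354 go ahead\r\n")
                body = b""
                while (chunk := self.rfile.readline()) not in (b"", b".\r\n"):
                    body += chunk
                if not chunk or self.BLOCK_MARKER in body:
                    return                     # abrupt close: no 250 and no 5xx reply
                self.wfile.write(b"250 queued\r\n")
            elif cmd == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"250 toy.example\r\n")   # EHLO / MAIL / RCPT

def start_toy_server():
    """Start the toy receiver on an ephemeral localhost port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), InspectingSMTPHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Run against a real receiver by passing its host and port to probe_smtp with a copy of the failing message; a result of closed-during-data points at something inspecting content after it is sent, while closed-during-connect or closed-during-ehlo points at a connection-level rule.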