Re: [fw-wiz] Weird SMTP issue

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 09/16/04

Next message: Mark Teicher: "Re: [fw-wiz] "upgrade" for Gauntlet"

Previous message: R. DuFresne: "[fw-wiz] IPv6 redo;;"
In reply to: Philip J. Koenig: "[fw-wiz] Weird SMTP issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Fri, 17 Sep 2004 00:52:06 +0530

On 15/09/04 00:51 -0700, Philip J. Koenig wrote:
>
> Have been having a weird issue with SMTP traffic someone might have
> some suggestions about.
>
> Recently installed an SMTP MTA as an antispam box, running Linux and
> Brightmail anti-spam software. It is configured as the primary MX
> for the domains it handles, and forwards all legit messages to one of
> 2 final destination MTAs. It also sits behind a Netscreen 25
> firewall. (401_xx firmware)

        mailbox-|
                |----- MX ------ Netscreen ------ Internet
        mailbox-|

>
> The Netscreen is configured to allow all outgoing traffic from the
> Brightmail box and block incoming traffic by default. SMTP incoming
> traffic to the Brightmail box is allowed.
>
> When the Brightmail system was put in service and configured to
> forward certain spam messages to a particular email account, I
> started getting constant Netscreen messages warning of "Port Scans"
> originating from the destination MTA back to the Brightmail box.
> Inevitably these "Port Scans" originate on port 25 on the destination
> MTA and the are sent to a high-numbered port on the Brightmail box.

Do you have packet traces? Do the alert generating packets show SYN bits
set without the ACK set?

<snip>
> Anyone have any ideas on where to look or how best to troubleshoot
> this?

tcpdump is your friend.

Can you have Brightmail forward the messages to an account behind the
netscreen? Is brightmail trying to connect to the external MTA to verify
the SMTP envelop sender?

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Next message: Mark Teicher: "Re: [fw-wiz] "upgrade" for Gauntlet"

Previous message: R. DuFresne: "[fw-wiz] IPv6 redo;;"
In reply to: Philip J. Koenig: "[fw-wiz] Weird SMTP issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[fw-wiz] Weird SMTP issue
... Have been having a weird issue with SMTP traffic someone might have ... Brightmail box and block incoming traffic by default. ... originating from the destination MTA back to the Brightmail box. ... Inevitably these "Port Scans" originate on port 25 on the destination ...
(Firewall-Wizards)
Good anti-spam programs for Exchange 2007, that can go on the same box (besides Forefront)?
... Brightmail will only work on another server acting as an smtp ... gateway.. ...
(microsoft.public.exchange.admin)