Re: SPF+BEFSR41+MailWasher

From: Duane Arnold (
Date: 03/10/05

Date: Thu, 10 Mar 2005 17:45:17 GMT

"Brian" <> wrote in

> "Duane Arnold" <> wrote in message
> news:Xns9614B62D63E5Enotmenotmecom@
>> "Brian" <> wrote in
>> news:422f7199$0$14965$
>>> "Renegade" <> wrote in message
>>> news:CQGXd.110247$
>>>> On Wed, 09 Mar 2005 14:31:32 +0100, Brian wrote:
>>>>> I have a problem with MailWasher saying, "Skipped automatic mail
>>>>> check because there was no Internet connection" when, in fact, the
>>>>> ADSL connection has not been interrupted.
>>>>> This has been happening since I installed the Linksys switch and
>>>>> it shows up in the Sygate log as a blocked UDP response from the IP
>>>>> address of the switch.
>>>>> I can only assume that MailWasher is expecting a response from the
>>>>> mail server which is being blocked by SPF.
>>>>> Apart from allowing all UDP polls to pass through the firewall can
>>>>> anyone suggest a rule that would get over this problem?
>>>>> Brian
>>>> All you have to do is allow the UDP from the router to pass for the
>>>> apps in question. Some apps are written to expect the connection
>>>> first. If the packets that they are waiting for are being blocked,
>>>> the apps think that there is no connection.
>>> Thanks for the suggestion but it looks like MailWasher is not
>>> waiting for the UDP poll because making an SPF rule to allow
>>> incoming UDPs for MailWasher does not cure the problem. In fact,
>>> the log still shows incoming UDP as blocked. I guess it is
>>> reasonably safe to allow all incoming UDP as I am behind the Linksys
>>> switch so I will try that for a while.
>>> Brian
>> Yeah, I don't know what your problem is with Mailwasher. Sygate
>> should be set to trust the device IP of the router and should not be
>> blocking it. Since Mailwasher is making the requests for solicited
>> traffic from behind the router and the PFW solution, then they both
>> should allow inbound traffic to Mailwasher. I doubt that the router
>> is causing the blockage and you may want to drop Sygate and see what
>> happens, since the machine is protected by the router. I use
>> Mailwasher and have not had any problems due to the router.
> Mmm, I'm not convinced by that argument. UDP is a popular means of
> transporting malicious code so allowing all UDP polls, even behind a
> NAT router seems risky. I would prefer to have belt and braces as far
> as possible. A crafty hacker can always penetrate NAT.
> It seems that it is not MailWasher itself that is waiting for the UDP
> response but allowing all incoming UDP signals certainly cures the
> problem with MailWasher thinking the Internet connection has been
> lost. Presumably there is some other link that causes this to happen -
> but what? I'm still puzzled.
> Brian

All I am saying is drop Sygate to make sure that it was not causing the
problem with Mailwasher. You can turn Sygate back on if you need to do
that. I used to use BlackIce and IPsec to supplement my old Linksys NAT
router. I did set rules with BI to trust the device IP of the router and
a range of private side IP(s) issued by the router. Nothing came past BI
that wasn't supposed to. Sygate is supposed to have IDS as well.

On the other hand, when I got the low-end WatchGuard (real FW) router,
then I was able to dump BI and IPsec and they don't run on any machines
any more supplementing anything --- not the WG. You may want to look into
getting a low-end (real FW) router.

Duane :)
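The rule set Duane describes above (trust the router's device IP and the private range it hands out, let solicited replies back in, block everything else) can be shown as a small stateful UDP filter. This is an added example, not code from the thread or from Sygate or BlackIce; the addresses, ports and log lines are constructed.

```python
# Added example (not from the thread): a minimal stateful UDP filter that
# trusts the router's device IP and the LAN range, and otherwise only admits
# UDP replies to requests this host itself sent. All addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class UdpFilter:
    router_ip: str                      # the NAT router's LAN-side address
    lan: str                            # private range the router hands out
    pending: set = field(default_factory=set)  # (peer_ip, peer_port, local_port)

    def outbound(self, dst: str, dport: int, sport: int) -> str:
        # Remember the request so its reply can be matched later.
        self.pending.add((dst, dport, sport))
        return "allow"

    def inbound(self, src: str, sport: int, dport: int) -> str:
        if ip_address(src) == ip_address(self.router_ip):
            return "allow"              # trusted router device IP
        if ip_address(src) in ip_network(self.lan):
            return "allow"              # private side of the router
        key = (src, sport, dport)
        if key in self.pending:
            self.pending.discard(key)
            return "allow"              # solicited reply to our own request
        return "block"                  # unsolicited UDP from outside

def run(log_lines, router_ip="192.168.1.1", lan="192.168.1.0/24"):
    """Apply the filter to constructed 'dir src sport dst dport' lines."""
    f = UdpFilter(router_ip, lan)
    verdicts = []
    for line in log_lines:
        direction, src, sport, dst, dport = line.split()
        if direction == "out":
            verdicts.append(f.outbound(dst, int(dport), int(sport)))
        else:
            verdicts.append(f.inbound(src, int(sport), int(dport)))
    return verdicts

SAMPLE = [                              # constructed, not a real Sygate log
    "in  192.168.1.1 53 192.168.1.10 1025",    # from the router: trusted
    "out 192.168.1.10 1026 203.0.113.5 123",   # host sends a request outward
    "in  203.0.113.5 123 192.168.1.10 1026",   # matching reply: solicited
    "in  198.51.100.9 4444 192.168.1.10 1027", # nothing asked for this: blocked
]

if __name__ == "__main__":
    for line, v in zip(SAMPLE, run(SAMPLE)):
        print(f"{v:5} {line}")
```

The fourth line is the case that "allow all incoming UDP" would let through; the router-IP rule covers the first without opening that door.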