Hi

Starting about three weeks ago, some outbound emails stopped flowing properly (large emails to some domains with IP addresses very close to ours were not being delivered). Inbound email is fine. The PIX (version 6.3(3)) syslog messages looked like this:

3/31/2006 19:38 built outbound tcp connection 268422 for outside:/25 (/25) to inside:/9112 (/34960)
3/31/2006 19:39 teardown tcp connection 268422 for outside:/25 to inside:/9112 duration 0:01:04 bytes 36129 tcp reset-o
3/31/2006 19:39 inbound tcp connection denied from /25 to /34960 flags rst on interface outside
3/31/2006 19:39 deny tcp (no connection) from /9112 to /25 flags ack on interface inside

Further examination of the Exchange Server SMTP logs shows that the SMTP conversation was not completing ...

199.246.2.14 - OutboundConnectionResponse [31/Mar/2006:19:38:45 -0500] "- -?220+mailgate1.kos.net SMTP" 0 21
199.246.2.14 - OutboundConnectionCommand [31/Mar/2006:19:38:45 -0500] "HELO -?exchange.OURDOMAIN SMTP" 0 4
199.246.2.14 - OutboundConnectionResponse [31/Mar/2006:19:38:45 -0500] "- -?250+mailgate1.kos.net SMTP" 0 21
199.246.2.14 - OutboundConnectionCommand [31/Mar/2006:19:38:45 -0500] "MAIL -?FROM: SMTP" 0 4
199.246.2.14 - OutboundConnectionResponse [31/Mar/2006:19:38:45 -0500] "- -?250+Ok SMTP" 0 6
199.246.2.14 - OutboundConnectionCommand [31/Mar/2006:19:38:45 -0500] "RCPT -?TO: SMTP" 0 4
199.246.2.14 - OutboundConnectionResponse [31/Mar/2006:19:38:45 -0500] "- -?250+Ok SMTP" 0 6
199.246.2.14 - OutboundConnectionCommand [31/Mar/2006:19:38:45 -0500] "DATA - SMTP" 0 4
199.246.2.14 - OutboundConnectionResponse [31/Mar/2006:19:38:45 -0500] "- -?354+End+data+with+. SMTP" 0 35

There should be more lines after this one to show that the email was sent successfully. They should look like this:

199.246.2.14 - OutboundConnectionResponse [03/Apr/2006:10:15:41 -0500] "- -?250+Ok:+queued+as+5071BD01049B SMTP" 0 30
199.246.2.14 - OutboundConnectionCommand [03/Apr/2006:10:15:41 -0500] "QUIT - SMTP" 0 4
199.246.2.14 - OutboundConnectionResponse [03/Apr/2006:10:15:41 -0500] "- -?221+Bye SMTP" 0 7

Does this mean anything to you? Is the reset-o significant? Or is it the inbound tcp connection denied that is the problem?

On Saturday I upgraded the firmware on our PIX 501 firewall to 6.3(5) and checked the configuration to be certain that the "Mailguard" feature was disabled (no fixup protocol smtp 25). Still no improvement, so I replaced the PIX firewall with a Linksys router as a test, and email flowed perfectly! Then I put the PIX back in place and went home. On Monday morning, mail was flowing perfectly through the PIX and is still fine today (Tuesday). So I'm not sure whether the firmware upgrade solved the problem or whether it was something else. Our ISP claims that they did not change anything over the weekend, but now the SMTP conversation completes properly and the firewall reports:

4/3/2006 10:15 built outbound tcp connection 2309 for outside:/25 (/25) to inside:/26715 (/2133)
4/3/2006 10:15 teardown tcp connection 2309 for outside:/25 to inside:/26715 duration 0:00:10 bytes 5212799 tcp fins

I would love to know for sure whether the problem is really fixed or whether it will come back. Is there something wrong with my PIX configuration? Do you have any ideas?

Thanks again for all your help.

cmatheson@loyalist-township.on.ca
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards
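As an added example (not code from the original post, nor from Cisco or Microsoft), the following Python script parses the two log formats quoted in the message, splits the Exchange SMTP protocol log into sessions, classifies each session by whether the DATA phase completed (a 354 followed by a 2xx reply), and pairs it with the PIX build/teardown record for the same connection by remote address and time window. Run over the two cases in the post, it separates the session that got 354 and then nothing before a reset-o teardown at 36129 bytes from the session that was queued and closed with fins at 5212799 bytes, which is the check to keep running if the problem returns. The sample lines are constructed to match the quoted formats; the RFC 5737 addresses, ports and host names are placeholders, and the assumption that the first field of the Exchange log is the remote server's address is mine.

```python
import re
from datetime import datetime, timedelta

# Added example, not code from the original post.  Sample lines are constructed to
# match the formats quoted there; addresses, ports and host names are placeholders.
PIX_LOG = """\
3/31/2006 19:38 built outbound tcp connection 268422 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:192.0.2.14/9112 (198.51.100.14/34960)
3/31/2006 19:39 teardown tcp connection 268422 for outside:203.0.113.10/25 to inside:192.0.2.14/9112 duration 0:01:04 bytes 36129 tcp reset-o
3/31/2006 19:39 inbound tcp connection denied from 203.0.113.10/25 to 198.51.100.14/34960 flags rst on interface outside
4/3/2006 10:15 built outbound tcp connection 2309 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:192.0.2.14/26715 (198.51.100.14/2133)
4/3/2006 10:15 teardown tcp connection 2309 for outside:203.0.113.10/25 to inside:192.0.2.14/26715 duration 0:00:10 bytes 5212799 tcp fins
"""
SMTP_LOG = """\
203.0.113.10 - OutboundConnectionResponse [31/Mar/2006:19:38:45 -0500] "- -?220+mailgate1.example SMTP" 0 21
203.0.113.10 - OutboundConnectionCommand [31/Mar/2006:19:38:45 -0500] "HELO -?exchange.example SMTP" 0 4
203.0.113.10 - OutboundConnectionResponse [31/Mar/2006:19:38:45 -0500] "- -?250+mailgate1.example SMTP" 0 21
203.0.113.10 - OutboundConnectionCommand [31/Mar/2006:19:38:45 -0500] "DATA - SMTP" 0 4
203.0.113.10 - OutboundConnectionResponse [31/Mar/2006:19:38:45 -0500] "- -?354+End+data+with+. SMTP" 0 35
203.0.113.10 - OutboundConnectionResponse [03/Apr/2006:10:15:41 -0500] "- -?220+mailgate1.example SMTP" 0 21
203.0.113.10 - OutboundConnectionCommand [03/Apr/2006:10:15:41 -0500] "DATA - SMTP" 0 4
203.0.113.10 - OutboundConnectionResponse [03/Apr/2006:10:15:41 -0500] "- -?354+End+data+with+. SMTP" 0 35
203.0.113.10 - OutboundConnectionResponse [03/Apr/2006:10:15:41 -0500] "- -?250+Ok:+queued+as+0123456789AB SMTP" 0 30
203.0.113.10 - OutboundConnectionCommand [03/Apr/2006:10:15:41 -0500] "QUIT - SMTP" 0 4
203.0.113.10 - OutboundConnectionResponse [03/Apr/2006:10:15:41 -0500] "- -?221+Bye SMTP" 0 7
"""

# PIX 6.x built/teardown records; the outside address may be blank, as in the post.
PIX_BUILT = re.compile(r"^(?P<ts>\S+ \S+) built outbound tcp connection (?P<id>\d+) "
                       r"for outside:(?P<rhost>[\d.]*)/(?P<rport>\d+)", re.I)
PIX_TEARDOWN = re.compile(r"^\S+ \S+ teardown tcp connection (?P<id>\d+) for .* bytes "
                          r"(?P<bytes>\d+) tcp (?P<reason>\S+)", re.I)
# Exchange SMTP protocol log; the first field is assumed to be the remote MX address.
SMTP_LINE = re.compile(r'^(?P<peer>\S+) - OutboundConnection(?P<kind>Command|Response) '
                       r'\[(?P<ts>[^\]]+)\] "(?P<body>[^"]*)"')


def parse_pix(text):
    """One dict per outbound TCP connection: remote endpoint, build time, teardown reason."""
    conns = {}
    for line in text.splitlines():
        if m := PIX_BUILT.match(line):
            conns[m["id"]] = {"rhost": m["rhost"], "rport": int(m["rport"]), "reason": None,
                              "bytes": None, "start": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M")}
        elif (m := PIX_TEARDOWN.match(line)) and m["id"] in conns:
            conns[m["id"]].update(reason=m["reason"].lower(), bytes=int(m["bytes"]))
    return list(conns.values())


def parse_smtp_sessions(text):
    """Split the protocol log into sessions; each 220 greeting opens a new one."""
    sessions = []
    for line in text.splitlines():
        if not (m := SMTP_LINE.match(line)):
            continue
        if m["kind"] == "Command":
            if sessions:
                sessions[-1]["commands"].append(m["body"].split()[0].upper())
            continue
        code = re.search(r"\b(\d{3})\b", m["body"])  # reply code follows the "- -?" prefix
        if code and code[1] == "220":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            sessions.append({"peer": m["peer"], "start": ts, "commands": [], "responses": []})
        if code and sessions:
            sessions[-1]["responses"].append(code[1])
    return sessions


def classify(session):
    """Outcome of the DATA phase: queued, rejected, stalled after 354, or never reached."""
    codes = session["responses"]
    if "354" not in codes:
        return "rejected" if any(c[0] in "45" for c in codes) else "no-data-phase"
    after = codes[codes.index("354") + 1:]
    if any(c.startswith("2") for c in after):
        return "queued"
    return "rejected" if any(c[0] in "45" for c in after) else "stalled-after-data"


def correlate(pix_conns, sessions, window=timedelta(minutes=5)):
    """Pair each session with the port-25 connection the PIX built in the same window."""
    report = []
    for s in sessions:
        hit = next((c for c in pix_conns if c["rport"] == 25 and c["reason"]
                    and (not c["rhost"] or c["rhost"] == s["peer"])
                    and c["start"] <= s["start"] < c["start"] + window), None)
        report.append({"start": s["start"], "peer": s["peer"], "outcome": classify(s),
                       "teardown": hit["reason"] if hit else None,
                       "bytes": hit["bytes"] if hit else None})
    return report


def flag_suspicious(report):
    """Sessions that hung after DATA and whose connection the PIX tore down on a reset."""
    return [r for r in report if r["outcome"] == "stalled-after-data"
            and (r["teardown"] or "").startswith("reset")]


if __name__ == "__main__":
    for r in correlate(parse_pix(PIX_LOG), parse_smtp_sessions(SMTP_LOG)):
        print(r["start"], r["peer"], r["outcome"], "teardown:", r["teardown"], "bytes:", r["bytes"])
```

The PIX timestamps in the post have only minute resolution, so the pairing uses a window rather than an exact match; tighten it, or match on the inside port, if the inside address survives in your own logs. When the remote address has been blanked out of the PIX lines (as in the post) the matcher falls back to port 25 plus the time window.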