Hello Everybody:
Does anyone use the Express CI version? As you know, Express CI has an AV feature for the SMTP, HTTP, and FTP protocols, and it works with the security servers.

Four weeks ago, I saw a strange problem with mail delivery. I cannot send e-mail to certain domains. I investigated these domains and discovered they use an EXIM mail server (free Linux e-mail software).

Normally I see two lines in the log:

One line, the normal:
    Source: "MyInternalMail" Destination: "RemoteServer" Action: Accept Port:25 (Produced by Firewall)
Second line:
    Source: "MyInternalMail" Destination: "RemoteServer" Action: Accept Port:25 Info: Reason: Passed an Anti-Virus scan Produced by Anti-Virus produc)

In this case I see in the log:

One line, the normal:
    Source: "MyInternalMail" Destination: "RemoteServer" Action: Accept Port:25 (Produced by Firewall)
Second line:
    Source: "MyInternalMail" Destination: "RemoteServer" Action: DROP Port:25 Info: Reason: state=third char 220 opening message input=0x2D (Produced by Firewall)

I reviewed the Check Point knowledge base and there is no article about it.

In the queue log of the mail server I see a message:

    connect to "RemoteServer": server dropped connection without sending the initial greeting.

I ran tcpdump on the firewall:

TCPDUMP on External Interface (in this case it works OK)

    18:37:02.736420 MyFirewall.42594 > External.MailServer.OK.smtp: S 3587035605:3587035605(0) win 5840 <mss1460,nop,nop,sackOK,nop,wscale 0> (DF)
    18:37:03.067166 External.MailServer.OK.smtp > My.External.MailServer.NAT.37871: S 2565770981:2565770981(0) ack 3587035606 win 17520 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF)
    18:37:03.067211 MyFirewall.42594 > External.MailServer.OK.smtp: . ack 2565770982 win 5840 (DF)
    18:37:03.271908 External.MailServer.OK.smtp > My.External.MailServer.NAT.37871: P 1:117(116) ack 1 win 17520 (DF)
    18:37:03.271929 MyFirewall.42594 > External.MailServer.OK.smtp: . ack 117 win 5840 (DF)
    18:38:34.906529 MyFirewall.42594 > External.MailServer.OK.smtp: P 0:12(12) ack 117 win 5840 (DF)
    18:38:35.548498 External.MailServer.OK.smtp > My.External.MailServer.NAT.37871: P 117:159(42) ack 13 win 17508 (DF)
    18:38:35.548523 MyFirewall.42594 > External.MailServer.OK.smtp: . ack 159 win 5840 (DF)
    18:38:54.835749 MyFirewall.42594 > External.MailServer.OK.smtp: P 12:18(6) ack 159 win 5840 (DF)
    18:38:55.269176 External.MailServer.OK.smtp > My.External.MailServer.NAT.37871: P 159:216(57) ack 19 win 17502 (DF)
    18:38:55.269210 MyFirewall.42594 > External.MailServer.OK.smtp: . ack 216 win 5840 (DF)
    18:38:55.271050 External.MailServer.OK.smtp > My.External.MailServer.NAT.37871: F 216:216(0) ack 19 win 17502 (DF)
    18:38:55.271112 MyFirewall.42594 > External.MailServer.OK.smtp: F 18:18(0) ack 217 win 5840 (DF)
    18:38:55.657051 External.MailServer.OK.smtp > My.External.MailServer.NAT.37871: . ack 20 win 17502 (DF)

TCPDUMP on Internal Interface (in this case it works OK)

    18:37:02.735630 MyPostFix.Interno.37871 > External.MailServer.OK.smtp: S 4001539210:4001539210(0) win 5840 <mss 1460,sackOK,timestamp 1999371166 0,nop,wscale 0> (DF) [tos 0x10]
    18:37:02.736044 MyPostFix.Interno.37871 > External.MailServer.OK.smtp: . ack 3586593848 win 5840 (DF) [tos 0x10]
    18:37:03.272198 MyPostFix.Interno.37871 > External.MailServer.OK.smtp: . ack 117 win 5840 (DF) [tos 0x10]
    18:38:34.906452 MyPostFix.Interno.37871 > External.MailServer.OK.smtp: P 0:12(12) ack 117 win 5840 (DF) [tos 0x10]
    18:38:35.548788 MyPostFix.Interno.37871 > External.MailServer.OK.smtp: . ack 159 win 5840 (DF) [tos 0x10]
    18:38:54.835621 MyPostFix.Interno.37871 > External.MailServer.OK.smtp: P 12:18(6) ack 159 win 5840 (DF) [tos 0x10]
    18:38:55.269466 MyPostFix.Interno.37871 > External.MailServer.OK.smtp: . ack 216 win 5840 (DF) [tos 0x10]
    18:38:55.271464 MyPostFix.Interno.37871 > External.MailServer.OK.smtp: F 18:18(0) ack 217 win 5840 (DF) [tos 0x10]

    [EMAIL PROTECTED] root]# telnet External.MailServer.OK 25
    Trying External.MailServer.OK...
    Connected to 216.244.172.132.
    Escape character is '^]'.
    220 External.MailServer.OK ready at Fri, 07 Oct 2005 08:27:27 -0500
    quit
    221 External.MailServer.OK closing connection. Goodbye!
    Connection closed by foreign host.

In this case I typed quit to close the session.

TCPDUMP on External Interface (in this case it fails)

    18:44:30.481846 MyFirewall.42615 > External.MailServer.Error.smtp: S 4051669354:4051669354(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)
    18:44:31.555284 External.MailServer.Error.smtp > My.External.MailServer.NAT.37906: S 2414261223:2414261223(0) ack 4051669355 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2> (DF)
    18:44:31.555331 MyFirewall.42615 > External.MailServer.Error.smtp: . ack 2414261224 win 5840 (DF)
    18:44:32.364013 External.MailServer.Error.59531 > My.External.MailServer.NAT.auth: S 2408874291:2408874291(0) win 5840 <mss 1460,sackOK,timestamp 2306784568 0,nop,wscale 2> (DF)
    18:44:34.214072 External.MailServer.Error.smtp > My.External.MailServer.NAT.37906: P 1:183(182) ack 1 win 1460 (DF)
    18:44:34.214090 MyFirewall.42615 > External.MailServer.Error.smtp: . ack 183 win 5840 (DF)
    18:44:34.214509 MyFirewall.42615 > External.MailServer.Error.smtp: F 0:0(0) ack 183 win 5840 (DF)
    18:44:34.978205 External.MailServer.Error.smtp > My.External.MailServer.NAT.37906: P 183:235(52) ack 2 win 1460 (DF)
    18:44:34.978226 MyFirewall.42615 > External.MailServer.Error.smtp: R 4051669356:4051669356(0) win 0 (DF)
    18:44:34.980079 External.MailServer.Error.smtp > My.External.MailServer.NAT.37906: F 235:235(0) ack 2 win 1460 (DF)
    18:44:34.980097 MyFirewall.42615 > External.MailServer.Error.smtp: R 4051669356:4051669356(0) win 0 (DF)

TCPDUMP on Internal Interface (in this case it fails)

    18:44:30.480228 MyPostFix.Interno.37906 > External.MailServer.Error.smtp: S 173644897:173644897(0) win 5840 <mss 1460,sackOK,timestamp 1999818994 0,nop,wscale 0> (DF) [tos 0x10]
    18:44:30.480516 MyPostFix.Interno.37906 > External.MailServer.Error.smtp: . ack 4044969751 win 5840 (DF) [tos 0x10]
    18:44:34.215235 MyPostFix.Interno.37906 > External.MailServer.Error.smtp: F 0:0(0) ack 2 win 5840 (DF) [tos 0x10]

    [root]# telnet External.MailServer.Error 25
    Trying External.MailServer.Error...
    Connected to External.MailServer.Error.
    Escape character is '^]'.
    Connection closed by foreign host.

In this case the session closed automatically.

The internal mail server is a PostFix mail server. At the beginning I thought this was a problem between the PostFix and EXIM servers, but I unchecked the Anti-Virus box in the firewall object properties:

Normally it is:
    (OK) Firewall
    (OK) VPN
    (OK) AntiVirus

For the test:
    (OK) Firewall
    (OK) VPN
    ( ) AntiVirus

And I tested telnet on port 25 (in both cases it works OK):

    [root]# telnet External.MailServer.Error 25
    Trying External.MailServer.Error...
    Connected to External.MailServer.Error.
    Escape character is '^]'.
    220- External.MailServer.Error ESMTP Exim 4.52 #1 Fri, 07 Oct 2005 09:43:21 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    quit
    221 External.MailServer.Error closing connection
    Connection closed by foreign host.

    [root]# telnet External.MailServer.OK 25
    Trying External.MailServer.OK...
    Connected to External.MailServer.OK.
    Escape character is '^]'.
    220 External.MailServer.OK ready at Fri, 07 Oct 2005 08:43:38 -0500
    quit
    221 External.MailServer.OK closing connection. Goodbye!
    Connection closed by foreign host.

The conclusion: the problem is the smtpd of the firewall!!!!!!!!!!!!!! But I don't know how to solve this. I hope you can help me.

Best regards,
Oscar
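Added example, not part of the original post and not Check Point code: the byte in the drop reason, 0x2D, is ASCII '-', and the Exim banner quoted above is a multiline reply whose lines start with "220-". The sketch below parses SMTP replies with continuation lines and sets that beside a hypothetical single-line-only check; that the firewall's inspection behaves like `single_line_only_check` is an assumption drawn from the log line, and the function names and sample banners are constructed.

```python
import re

# Constructed sample greetings, modelled on the two banners quoted in the post.
SINGLE_LINE = b"220 External.MailServer.OK ready at Fri, 07 Oct 2005 08:27:27 -0500\r\n"
MULTI_LINE = (
    b"220-External.MailServer.Error ESMTP Exim 4.52 #1 Fri, 07 Oct 2005 09:43:21 -0400\r\n"
    b"220-We do not authorize the use of this system to transport unsolicited,\r\n"
    b"220 and/or bulk e-mail.\r\n"
)

# Reply line: three-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY_LINE = re.compile(rb"^(\d{3})(?:([ -])(.*))?$")


def parse_reply(buf):
    """Parse one SMTP reply. Returns (code, [text, ...]) once the final line has
    arrived, None if more bytes are needed, and raises ValueError if malformed."""
    code, texts, rest = None, [], buf
    while b"\r\n" in rest:
        line, rest = rest.split(b"\r\n", 1)
        m = REPLY_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside a multiline reply")
        code = m.group(1)
        texts.append((m.group(3) or b"").decode("ascii", "replace"))
        if m.group(2) != b"-":          # ' ' or a bare code ends the reply
            return int(code), texts
    return None                          # greeting may span several TCP segments


def single_line_only_check(buf):
    """Hypothetical strict inspector (an assumption, not vendor code): accepts
    only '220 ' and reports the byte found in the fourth position otherwise."""
    if len(buf) < 4:
        return None
    if buf[:3] != b"220":
        return False, "greeting code is not 220"
    if buf[3:4] != b" ":
        return False, f"state=third char 220 input=0x{buf[3]:02X}"
    return True, "ok"


if __name__ == "__main__":
    for name, banner in (("single", SINGLE_LINE), ("multi", MULTI_LINE)):
        print(name, parse_reply(banner), single_line_only_check(banner))
```

A parser that waits for the line beginning "220 " treats both banners as one valid greeting, while the strict check rejects the multiline one at its fourth byte.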
