Welcome to ISAserver.org
SMTP Server - A simple question...
SMTP Server - A simple question... - 5.Aug.2008 10:29:45 AM
jlt70
We have incoming SMTP published for Exchange Server 2003 by ISA 2006. All appears to be working fine. However, the SMTP Server rule regularly logs FWX_E_ABORTIVE_SHUTDOWN (or FWX_E_CONNECTION_KILLED with the SMTP filter enabled) and often follows this with FWX_E_TCP_NOT_SYN_PACKET_DROPPED. Are these just spam connections being killed / aborted or is something wrong? Do you get them on your server?

Thanks,
Jon
RE: SMTP Server - A simple question... - 7.Aug.2008 12:43:29 PM
jlt70
Well, after an afternoon sniffing packets I think I can answer my own question, and I hope it will be of help to someone. It is normal to see inbound SMTP connections killed / aborted and SMTP packets dropped. It is not related to the email being spam as far as I can tell. This does beg the question why aren’t there people out there ready to admit this / explain it, as if I’m right everyone must see it.

This is what I reckon is going on. If I’m wrong please let me know:

The SMTP Filter monitors the SMTP session (as well as repacking some of the packets) and kills the session as soon as it’s over. This is why you always get FWX_E_ABORTIVE_SHUTDOWN with the SMTP Filter enabled.

With the SMTP Filter disabled the session is terminated when the sending server sends an SMTP [RST, ACK] packet, causing FWX_E_ABORTIVE_SHUTDOWN to be logged. If no SMTP [RST, ACK] packet is sent then the session times out after a while, reporting FWX_E_GRACEFUL_SHUTDOWN.

Now, it appears that some servers send two or even more SMTP [RST, ACK] packets at the end of the session. Because the session is terminated after the first one (whether or not the SMTP filter is enabled), any subsequent SMTP [RST, ACK] packets are outside the session and are denied by the default rule, causing FWX_E_TCP_NOT_SYN_PACKET_DROPPED to be logged. The email gets through of course, as the session terminated successfully.

It is worth noting, however, that packets can also be dropped with FWX_E_TCP_NOT_SYN_PACKET_DROPPED when the session has been aborted for another reason (such as the SMTP Filter detecting a NOOP length violation http://support.microsoft.com/?kbid=312213), in which case the email is blocked.
RE: SMTP Server - A simple question... - 7.Aug.2008 4:27:38 PM
Jason Jones
Your analysis looks pretty good to me. I had not spotted your question as I would have tried to imply a lot of it was default behaviour quicker...

When things go wrong a lot of people see the "FWX_E_TCP_NOT_SYN_PACKET_DROPPED" error and assume things are broken, but this is just the firewall's way of spotting a connection that is already part way through the three-way handshake, and forcing the source host to start another session with a new ACK as it has already marked the previous connection as killed. This is not always the case, but it is most of the time...

Cheers
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: SMTP Server - A simple question... - 8.Aug.2008 4:29:00 AM
jlt70
Thanks Jason for the confirmation. At least I got to find my way round Wireshark.
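
The pattern jlt70 describes above (a session close followed by FWX_E_TCP_NOT_SYN_PACKET_DROPPED from the same source) can be checked mechanically; the following is an added example, not part of the original thread and not ISA Server code. It separates drops that trail a logged close from drops with no recent close to explain them. The record layout, the sample lines and the 30-second window are assumptions made for the example; records are assumed to be in time order.

```python
from datetime import datetime, timedelta
# Result-code names as quoted in the thread.
CLOSE_CODES = {"FWX_E_ABORTIVE_SHUTDOWN", "FWX_E_CONNECTION_KILLED",
               "FWX_E_GRACEFUL_SHUTDOWN"}
DROP_CODE = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"
WINDOW = timedelta(seconds=30)  # assumption: tune to your own traffic

# Constructed sample: date, time, source IP, source port, result code (not the real ISA log layout).
SAMPLE = """\
2008-08-07 12:00:01 192.0.2.10 41000 FWX_E_ABORTIVE_SHUTDOWN
2008-08-07 12:00:01 192.0.2.10 41000 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
2008-08-07 12:00:02 192.0.2.10 41000 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
2008-08-07 12:03:10 198.51.100.7 52344 FWX_E_CONNECTION_KILLED
2008-08-07 12:03:11 198.51.100.7 52344 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
2008-08-07 12:05:00 203.0.113.5 60001 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
2008-08-07 12:09:00 192.0.2.10 41000 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
"""

def parse(text):
    """Yield (timestamp, (ip, port), code) from the constructed layout."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        date, time, ip, port, code = parts
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, (ip, int(port)), code

def classify_drops(text, window=WINDOW):
    """Label each non-SYN drop by whether a close for the same
    source IP and port was logged within `window` before it."""
    last_close = {}   # (ip, port) -> (time, close code)
    results = []
    for ts, key, code in parse(text):
        if code in CLOSE_CODES:
            last_close[key] = (ts, code)
        elif code == DROP_CODE:
            closed = last_close.get(key)
            if closed and timedelta(0) <= ts - closed[0] <= window:
                # Trailing packet after a close; says nothing about mail delivery.
                results.append((key, "after-close", closed[1]))
            else:
                results.append((key, "unmatched", None))
    return results

def unmatched_sources(text):
    """Source IPs with drops that no recent close explains."""
    return sorted({k[0] for k, label, _ in classify_drops(text) if label == "unmatched"})
```

Because the thread notes that the same drop also follows a session aborted by the SMTP Filter, an "after-close" label only explains the dropped packet; whether the message arrived has to be confirmed from the mail server's own logs.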