Re: Weird SMTP issue

[Devdas Bhagat <devdas () dvb homelinux org>]

On 15/09/04 00:51 -0700, Philip J. Koenig wrote:
> Have been having a weird issue with SMTP traffic someone might have 
> some suggestions about.
>
> Recently installed an SMTP MTA as an antispam box, running Linux and 
> Brightmail anti-spam software.  It is configured as the primary MX 
> for the domains it handles, and forwards all legit messages to one of 
> 2 final destination MTAs.  It also sits behind a Netscreen 25 
> firewall. (401_xx firmware) 


        mailbox-|
                |----- MX ------ Netscreen ------ Internet
        mailbox-|

> The Netscreen is configured to allow all outgoing traffic from the 
> Brightmail box and block incoming traffic by default.  SMTP incoming 
> traffic to the Brightmail box is allowed.
>
> When the Brightmail system was put in service and configured to 
> forward certain spam messages to a particular email account, I 
> started getting constant Netscreen messages warning of "Port Scans" 
> originating from the destination MTA back to the Brightmail box.  
> Inevitably these "Port Scans" originate on port 25 on the destination 
> MTA and the are sent to a high-numbered port on the Brightmail box.

Do you have packet traces? Do the alert generating packets show SYN bits
set without the ACK set?

<snip>
> Anyone have any ideas on where to look or how best to troubleshoot 
> this?

tcpdump is your friend.

Can you have Brightmail forward the messages to an account behind the
netscreen? Is brightmail trying to connect to the external MTA to verify
the SMTP envelop sender?

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards