And those are connections from the DC to the firewall (and not the
reverse)? Something is misconfigured or you misunderstand how mail is
supposed to flow. Is all the mail flowing outbound that is supposed to
be?

...Tim

From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 29, 2008 8:05 AM
To: NT System Admin Issues
Subject: RE: blacklists

It's the Symantec Mail Security for SMTP.  Now what?

________________________________

From: Tim Evans [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 29, 2008 9:54 AM
To: NT System Admin Issues
Subject: RE: blacklists

It sounds like either something is misconfigured, your DC is infected,
or you don't correctly understand how mail is supposed to flow in your
network.  Get on your DC and run netstat -no and look for connections to
port 25 on your firewall. Then look up the PID in Task Manager to see
what process on the DC is sending the mail.

...Tim
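Tim's netstat / Task Manager check written up as a script, as an added example that is not from this thread: it parses `netstat -no` and `tasklist /FO CSV` output and groups every socket whose far end is the firewall's port 25 by the owning process, so the legitimate gateway process and any stray process pushing mail on its own both stand out. The addresses, PIDs and image names in the two embedded samples are constructed placeholders.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed "netstat -no" sample (not a real capture): 10.0.0.5 is the
# DC/mail gateway, 10.0.0.1 is the firewall's inside address.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:3412          10.0.0.1:25            ESTABLISHED     1532
  TCP    10.0.0.5:3413          10.0.0.1:25            SYN_SENT        1532
  TCP    10.0.0.5:3414          10.0.0.1:25            SYN_SENT        2764
  TCP    10.0.0.5:25            10.0.0.1:40211         ESTABLISHED     1532
"""

# Constructed "tasklist /FO CSV" sample; the image names are placeholders.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"gateway.exe","1532","Console","0","18,452 K"
"unknown.exe","2764","Console","0","3,104 K"
"""

# One TCP line of netstat -no: proto, local ip:port, foreign ip:port, state, PID.
LINE_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def outbound_smtp_by_pid(netstat_text, firewall_ip):
    """Count sockets per PID whose far end is firewall_ip:25 (any TCP state)."""
    counts = defaultdict(int)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and UDP lines
        _proto, _laddr, _lport, faddr, fport, _state, pid = m.groups()
        # Inbound mail has local port 25 and a high foreign port: not counted.
        if faddr == firewall_ip and fport == "25":
            counts[int(pid)] += 1
    return dict(counts)

def pid_to_image(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(row["PID"]): row["Image Name"] for row in reader}

def report(netstat_text, tasklist_csv, firewall_ip):
    """[(pid, image, count)] for every process holding sockets to firewall:25."""
    images = pid_to_image(tasklist_csv)
    counts = outbound_smtp_by_pid(netstat_text, firewall_ip)
    return sorted((pid, images.get(pid, "<unknown>"), n) for pid, n in counts.items())
```

On a real box, feed it the saved output of `netstat -no` and `tasklist /FO CSV`; a PID that is not your mail filter is where the outbound SMTP "denies" are coming from.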

From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 29, 2008 6:00 AM
To: NT System Admin Issues
Subject: RE: blacklists

Everything is looking good this morning, as far as our email is
concerned and so far still off the blacklists.  In "host watch" of the
Watchguard System Manager, I am getting numerous (hundreds/minute)
outbound Filtered-SMTP "denies" from my DC (which is my mail gateway).
I thought mail was just going thru there one-way (incoming).

Mail in ->WG Firewall -> DC (Symantec Mail Security for SMTP) ->
Exchange Server -> WG Firewall -> Mail out.

Could there just be a misconfiguration on my DC?

Paul

________________________________

From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 6:52 PM
To: NT System Admin Issues
Subject: RE: blacklists

They are proxies.  I have two defined.  One called SMTP, and it has the
incoming set From: any, To: WG ip -> DC (mail gateway).  The outgoing
tab is disabled.

The other proxy is called Filtered-SMTP.  Its Incoming is disabled and
the Outgoing is set From: Any, To: Any.  I changed this to From: Exchange
ip, To: Any.

I've never been able to figure out logging on the WG.  I can never find the
logs, and for email, I can't find where to set the address.  The WG
interface seems so simple, but it really makes me feel like an idiot at
times.

Hope this is good enough damage control for tonight.  I'll be back in
the am to check things and do more investigating.

Thanks for all the suggestions.

Paul

________________________________

From: Dennis Hoefer [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 6:24 PM
To: NT System Admin Issues
Subject: RE: blacklists

Open Policy Manager on the Watchguard 700; you will have either a proxy
or filter policy for SMTP.  On the "Outgoing" tab, set From: to the IP
address of your mail server and To: to "all".  The default rule is all to
all, which will allow traffic from port 25 to pass from any machine on
your network.  By setting From: to only your mail server IP, you will
block any internal machines that may be attempting to send SMTP traffic
on their own.  You can also set the rule to log denied traffic, which
will quickly identify internal machines that are attempting to use port
25.

Configuration is a little different on the newer Watchguard boxes, but
should be pretty straightforward on the 700.  If the problem persists,
then you're back to a relay problem or a compromised mail server.

Dennis

________________________________

From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 4:54 PM
To: NT System Admin Issues
Subject: RE: blacklists

"Set the mail server so that it only accepts mail from your exchange
server" They are one and the same.  My DC is actually my Mail Gateway
between the WG and Exchange.

"Block port 25 at the firewall for all but authorized systems (mail
server)."  Any idea how to do this on a Watchguard 700?

Thanks

________________________________

From: Tim Evans [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 5:47 PM
To: NT System Admin Issues
Subject: RE: blacklists

Sounds like you may have an infected client on your network that is
sending outbound spam. Block port 25 at the firewall for all but
authorized systems (mail server). Set the mail server so that it only
accepts mail from your Exchange server. That should get things cleared
up enough so that you'll stay off the blacklists and give you some time
to hunt for the guilty party.

...Tim

From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 2:35 PM
To: NT System Admin Issues
Subject: blacklists

We've been finding ourselves on some blacklists since last week, and they
have basically shut us down.  Specifically Spamhaus and Barracuda's.

I'm not sure if I have an infected computer on my network sending spam
or not.  I've requested that my IP be removed from the blacklists several
times, but after a day or two I'm back on.  I've got a window to post
this question before it happens again.  Here's what I have.

One Domain, two locations connected via PTP T1 (Adtrans).  All Internet
access is at one location where I have my Mail Server 2003 (Ninja) and a
Watchguard Firewall.  All clients (about 200) running Symantec AV.

I don't really have the tools or knowledge to run any packet capture
software (or anything else) to determine if I have an owned machine, but
while I am working on that, is there any way to close my firewall to
outbound mail traffic while still letting my Exchange out?  Do infected
computers send email thru port 25 like Exchange?  If so, can I block
that port and change the port Exchange uses to send?  If so, how?

This may take me a while, but I'd like to stay off the blacklists in the
meantime.

One thing I've done is install Zone Alarm on my PC to see if I can
catch any of my local computers scanning my network.  After the install
it asked if I wanted my Outlook to act as a server.  The info button
showed that it should be ok to do, but I said "no".  My email seems to
be working, but I keep getting notifications that ZA is blocking internet
access to my computer from my mail server.  This is probably nothing.

Thanks for any suggestions.

Paul Everett 
IS Dept. 
Lee Mental Health Center 
239-791-1551 

"Lee Mental Health Center, Inc. providing services through Ruth Cooper
Center for Behavioral Health Care and VISTA Behavioral Crisis Services.
Visit our website at www.leementalhealth.org to learn more."
