Wow - this was delayed. I have since found out that SMTP traffic goes from a high port > 25 and then from 25 > the same high port. My firewall is supposed to keep state - if it is, I don't see why the packets are missed by that. Perhaps they are changing the high port they are sent back to? Is there anything in the RFCs that says a server *must* use the same return high port after having a client connect to its port 25? Perhaps I should just block and ignore the traffic, but I wish I knew what they were. Even with them being blocked, mail still goes out, so it seems the firewall is keeping state properly, at least in most of the scenarios.
Matt Simonsen wrote:
> I am seeing traffic regularly coming from remote servers' port 25
> destined to our servers' high ports, generally in the 1-3k range. Is
> this normal? I plan to block it all, from what I understand SMTP goes
> only from 25 to 25, but if that's the case I can't figure out what
> this would be.
>
> According to our IPFilter logs the traffic generally has -AFP set,
> please let me know off-line if a tidbit of info I could provide can
> help you answer my question.
>
> Thanks
> Matt Simonsen
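An added example, not part of this thread and not code from the poster or from IPFilter. On the return-port question: a TCP connection is identified by the full 4-tuple (client address, client port, server address, server port), so a server's segments for a given connection go back to exactly the client port that opened it; a segment from port 25 to any other high port belongs to a different connection, or to none. The model below keeps state the way a stateful filter does and shows two ways a 25-to-high-port packet ends up blocked while outgoing mail still works: a late FIN/ACK from the server that arrives after the state entry for an already closed session has aged out, and a packet aimed at a port that never had a session. The addresses, timeouts, packet sequence and the IPFilter-like log line format are all constructed for the example.

```python
"""Toy stateful filter in front of an outbound SMTP client.

Constructed example: addresses, timeouts, the packet sequence and the
log-line text are made up to resemble an IPFilter-style log; none of it
is taken from the original post or from IPFilter's real state engine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float       # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters as IPFilter prints them: S A F P R U


class StatefulFilter:
    """Outbound SYNs to port 25 create a state entry keyed on the 4-tuple
    (local ip, local port, remote ip, remote port).  Inbound packets pass
    only while the reversed 4-tuple is present.  Entries age out after
    idle_timeout; once a FIN is seen from either side the entry drops to
    the much shorter closing_timeout (assumed behaviour, typical of real
    state tables but simplified here)."""

    def __init__(self, local_ip, idle_timeout=60.0, closing_timeout=5.0):
        self.local_ip = local_ip
        self.idle_timeout = idle_timeout
        self.closing_timeout = closing_timeout
        self.table = {}   # 4-tuple -> (expiry time, closing?)
        self.log = []     # blocked inbound packets, IPFilter-like text

    def _expire(self, now):
        for key, (expires, _) in list(self.table.items()):
            if expires <= now:
                del self.table[key]

    def _refresh(self, key, pkt):
        closing = self.table[key][1] or "F" in pkt.flags
        timeout = self.closing_timeout if closing else self.idle_timeout
        self.table[key] = (pkt.t + timeout, closing)

    def process(self, pkt):
        """Return the verdict for one packet and update the state table."""
        self._expire(pkt.t)
        if pkt.src == self.local_ip:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.table:
                self._refresh(key, pkt)
                return "pass out"
            if pkt.flags == "S" and pkt.dport == 25:
                self.table[key] = (pkt.t + self.idle_timeout, False)
                return "pass out"
            return "block out"
        # inbound: only a reply to a connection we opened may pass
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            self._refresh(key, pkt)
            return "pass in"
        self.log.append(
            f"block in ... TCP {pkt.src},{pkt.sport} -> {pkt.dst},{pkt.dport} "
            f"PR tcp -{pkt.flags}"
        )
        return "block in"


LOCAL, REMOTE = "198.51.100.10", "203.0.113.5"   # RFC 5737 documentation addresses


def smtp_session(fw):
    """Replay one outbound SMTP session followed by two stray inbound packets.
    Returns the list of verdicts in packet order."""
    pkts = [
        Packet(0.0, LOCAL, 2048, REMOTE, 25, "S"),      # we open the connection from port 2048
        Packet(0.1, REMOTE, 25, LOCAL, 2048, "SA"),     # server replies to that same port 2048
        Packet(0.2, LOCAL, 2048, REMOTE, 25, "A"),
        Packet(1.0, LOCAL, 2048, REMOTE, 25, "AP"),     # MAIL FROM / RCPT TO / DATA ...
        Packet(1.1, REMOTE, 25, LOCAL, 2048, "AP"),     # 250 OK ...
        Packet(2.0, LOCAL, 2048, REMOTE, 25, "AF"),     # QUIT; we close first
        Packet(2.1, REMOTE, 25, LOCAL, 2048, "A"),
        Packet(30.0, REMOTE, 25, LOCAL, 2048, "AFP"),   # server's FIN arrives after state aged out
        Packet(31.0, REMOTE, 25, LOCAL, 3001, "AP"),    # port we never opened a session from
    ]
    return [fw.process(p) for p in pkts]


if __name__ == "__main__":
    fw = StatefulFilter(LOCAL)
    for verdict in smtp_session(fw):
        print(verdict)
    print("\n".join(fw.log))
```

The mail itself goes through untouched, which matches the observation that blocking these packets does not stop outgoing mail; the two logged drops are the only packets the filter had no live state for, and the first of them carries exactly the FIN+ACK+PSH combination a late server-side close would show.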