I am not technical enough, but could this also be a possible problem caused
or helped by the PIX SMTP Fixup command?

I have heard bad things about that interfering with ACK.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:WhatsUp_Forum-
> [EMAIL PROTECTED] On Behalf Of Moti Landes
> Sent: Thursday, July 31, 2003 3:13 PM
> To: WhatsUp_Forum (E-mail)
> Subject: [WhatsUp Forum] SMTP from WUG
> 
> here is something interesting.
> if anybody has come across with a similar case, please update.
> thanks
> 
> >  -----Original Message-----
> > From:       Moti Landes
> > Sent:       Thursday, July 31, 2003 11:20 PM
> > To: '[EMAIL PROTECTED]'
> >
> > hi again,
> > i have finally figured out what is going on with the SMTP issue of mine.
> > just to remind you i am using a mail server that is behind a FW (cisco
> > pix), port 25 is open.
> > sending an email via WUG fails, and with simple telnet commands goes ok.
> > here is the problem, and this needs to be fixed in the WUG application.
> >
> > i have recorded with a sniffer a typical notification test from wug, i
> > will prove that you are doing something wrong in the product, that needs
> > to be addressed.
> >
> > i will comment by each frame to make it easier to understand.
> > (it would help if you open the email on full-screen so each frame will
> > consume one full line)
> >
> >     No. Time        Source                Destination           Protocol
> > Info
> >       1 0.000000    128.139.197.90        212.150.53.157        TCP
> > 3331 > smtp [SYN] Seq=2248052841 Ack=3201267381 Win=65535 Len=0
> >
> > >>>here the test starts, wug is attempting to open port 25 on the mail
> > server
> >
> >       2 0.000079    212.150.53.157        128.139.197.90        TCP
> > smtp > 3331 [SYN, ACK] Seq=1588681321 Ack=2248052842 Win=64240 Len=0
> >
> > >>>server answering with ACK
> >
> >       3 0.004806    128.139.197.90        212.150.53.157        TCP
> > 3331 > smtp [ACK] Seq=2248052842 Ack=1588681322 Win=65535 Len=0
> >
> > >>>as the protocol defines an ACK is sent in response to the SYN ACK
> >
> >       4 0.005505    212.150.53.157        128.139.197.90        SMTP
> > Response: 220 trafficmon.barak.net.il ESMTP Server Thu, 31 Jul 2003
> > 15:03:44
> >
> > >>>once sent, the mail server responds with the 220 response code.
> >
> >       5 0.009702    128.139.197.90        212.150.53.157        SMTP
> > Command: HELO wug.iucc.ac.il
> >
> > >>>HERE THE PROBLEM STARTS !!!
> > WUG apparently sends the HELO command w/o sending an ACK to the
> > response
> > 220 as defined in the protocol.
> > the HELO command goes through and then the server answers as follows.
> >
> >       6 0.009800    212.150.53.157        128.139.197.90        SMTP
> > Response: 250 trafficmon.barak.net.il greetings, wug.iucc.ac.il
> >
> > >>>the server is responding to the HELO command.
> > >>>WUG is not responding with ACK, as he didn't in response to the 220
> > response code.
> >
> >       7 2.416946    212.150.53.157        128.139.197.90        SMTP
> > Response: 250 trafficmon.barak.net.il greetings, wug.iucc.ac.il
> >
> > >>>2.4 seconds go by, the server loses his patience since he has not
> > received an ACK to the 250 response code, and sends
> > it again.
> >
> >       8 2.424284    128.139.197.90        212.150.53.157        TCP
> > 3331 > smtp [ACK] Seq=2248052897 Ack=1588681445 Win=65412 Len=0
> >
> > >>>ACK from WUG arrives.
> > at this point the PIX understands that this is a SYN attack (something is
> > not right) he closes the thread for security reasons.
> > by the way, after reviewing the debug log on the wug server, i find that
> > WUG hears the response code 250 and attempts to send
> > the SMTP command MAIL FROM:, but like i said at this point the thread is
> > down already.
> >
> >       9 29.996634   212.150.53.157        128.139.197.90        TCP
> > smtp > 3331 [FIN, ACK] Seq=1588681445 Ack=2248052863 Win=64219 Len=0
> >
> > >>>after a timeout, the server takes the connection down.
> >
> >      10 30.000396   128.139.197.90        212.150.53.157        TCP
> > 3331 > smtp [ACK] Seq=2248052897 Ack=1588681446 Win=65412 Len=0
> >
> > >>>WUG responds to that with an ACK
> >
> > THIS is why the mails are not going through.
> > NOW to compare this to a good session i have recorded the same command
> > from a telnet session.
> > look how it is SUPPOSED to work, this is different to what WUG is doing.
> >
> >     No. Time        Source                Destination           Protocol
> > Info
> >       1 0.000000    128.139.197.90        212.150.53.157        TCP
> > 3561 > smtp [SYN] Seq=2498078836 Ack=3214579608 Win=65535 Len=0
> >       2 0.000080    212.150.53.157        128.139.197.90        TCP
> > smtp > 3561 [SYN, ACK] Seq=2042140175 Ack=2498078837 Win=64240 Len=0
> >       3 0.004141    128.139.197.90        212.150.53.157        TCP
> > 3561 > smtp [ACK] Seq=2498078837 Ack=2042140176 Win=65535 Len=0
> >       4 0.004841    212.150.53.157        128.139.197.90        SMTP
> > Response: 220 trafficmon.barak.net.il ESMTP Server Thu, 31 Jul 2003
> > 15:19:27
> >       5 0.203187    128.139.197.90        212.150.53.157        TCP
> > 3561 > smtp [ACK] Seq=2498078837 Ack=2042140244 Win=65467 Len=0
> >
> > >>>look here when doing this on a telnet session there is an ACK to the
> > 220 response code
> >
> >       6 14.934140   128.139.197.90        212.150.53.157        SMTP
> > Command: HELO wug.iucc.ac.il
> >       7 14.934355   212.150.53.157        128.139.197.90        SMTP
> > Response: 250 trafficmon.barak.net.il greetings, wug.iucc.ac.il
> >       8 15.089938   128.139.197.90        212.150.53.157        TCP
> > 3561 > smtp [ACK] Seq=2498078858 Ack=2042140299 Win=65412 Len=0
> >
> > >>>look here when doing this on a telnet session there is an ACK to the
> > 250 response code
> >
> >       9 36.780857   128.139.197.90        212.150.53.157        SMTP
> > Command: MAIL FROM:[EMAIL PROTECTED]
> >      10 36.782118   212.150.53.157        128.139.197.90        SMTP
> > Response: 250 sender is [EMAIL PROTECTED], sender ok
> >      11 36.917938   128.139.197.90        212.150.53.157        TCP
> > 3561 > smtp [ACK] Seq=2498078892 Ack=2042140348 Win=65363 Len=0
> >      12 57.339365   128.139.197.90        212.150.53.157        SMTP
> > Command: RCPT TO:[EMAIL PROTECTED]
> >      13 57.339761   212.150.53.157        128.139.197.90        SMTP
> > Response: 250 recipient is [EMAIL PROTECTED], recipient ok
> >      14 57.538206   128.139.197.90        212.150.53.157        TCP
> > 3561 > smtp [ACK] Seq=2498078925 Ack=2042140404 Win=65307 Len=0
> >      15 61.053573   128.139.197.90        212.150.53.157        SMTP
> > Command: DATA
> >      16 61.259526   212.150.53.157        128.139.197.90        TCP
> > smtp > 3561 [ACK] Seq=2042140404 Ack=2498078931 Win=64146 Len=0
> >      17 61.378197   212.150.53.157        128.139.197.90        SMTP
> > Response: 354 OK End with <CRLF>.<CRLF>
> >      18 61.561999   128.139.197.90        212.150.53.157        TCP
> > 3561 > smtp [ACK] Seq=2498078931 Ack=2042140435 Win=65276 Len=0
> >      19 68.120681   128.139.197.90        212.150.53.157        SMTP
> > Message Body
> >      20 68.259899   212.150.53.157        128.139.197.90        TCP
> > smtp > 3561 [ACK] Seq=2042140435 Ack=2498078944 Win=64133 Len=0
> >      21 71.439263   128.139.197.90        212.150.53.157        SMTP
> > EOM: .
> >      22 71.441724   212.150.53.157        128.139.197.90        SMTP
> > Response: 250 Message accepted for delivery
> >      23 71.620628   128.139.197.90        212.150.53.157        TCP
> > 3561 > smtp [ACK] Seq=2498078947 Ack=2042140470 Win=65241 Len=0
> >
> > hope you resolve this ASAP.
> >
> > thanks
> > --
> > Greetings,
> >
> > Moti Landes
> > Network Management & Corporate Computing
> > Technology Division
> > Barak 013 Israel
> >
> > Email: [EMAIL PROTECTED]
> > WEB Page: http://www.barak013.net.il
> > GSM Phone: +972 54 841108
> >
> 
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
> 
> An Archive of this list is available at:
> http://www.mail-archive.com/whatsup_forum%40list.ipswitch.com/


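An added triage script, not part of the thread, in Python: it parses frame summaries in the Ethereal format Moti pasted (embedded below are frames 1 to 9 of his failing session, re-joined so one frame occupies one line) and reports server SMTP responses that were sent twice and the time from the server's last response to its FIN, the two things he read off by hand at frames 7 and 9.

```python
import re

# Frame summaries copied from the failing WUG session in the post above, with each
# frame's two wrapped lines re-joined so that one frame occupies one line.
FAILING_SESSION = """\
1 0.000000 128.139.197.90 212.150.53.157 TCP 3331 > smtp [SYN] Seq=2248052841 Ack=3201267381 Win=65535 Len=0
2 0.000079 212.150.53.157 128.139.197.90 TCP smtp > 3331 [SYN, ACK] Seq=1588681321 Ack=2248052842 Win=64240 Len=0
3 0.004806 128.139.197.90 212.150.53.157 TCP 3331 > smtp [ACK] Seq=2248052842 Ack=1588681322 Win=65535 Len=0
4 0.005505 212.150.53.157 128.139.197.90 SMTP Response: 220 trafficmon.barak.net.il ESMTP Server Thu, 31 Jul 2003 15:03:44
5 0.009702 128.139.197.90 212.150.53.157 SMTP Command: HELO wug.iucc.ac.il
6 0.009800 212.150.53.157 128.139.197.90 SMTP Response: 250 trafficmon.barak.net.il greetings, wug.iucc.ac.il
7 2.416946 212.150.53.157 128.139.197.90 SMTP Response: 250 trafficmon.barak.net.il greetings, wug.iucc.ac.il
8 2.424284 128.139.197.90 212.150.53.157 TCP 3331 > smtp [ACK] Seq=2248052897 Ack=1588681445 Win=65412 Len=0
9 29.996634 212.150.53.157 128.139.197.90 TCP smtp > 3331 [FIN, ACK] Seq=1588681445 Ack=2248052863 Win=64219 Len=0
"""

# Ethereal summary columns: No. Time Source Destination Protocol Info
LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(TCP|SMTP)\s+(.*)$")

def parse(text):
    """One dict per frame; lines that are not frame summaries are skipped."""
    frames = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        no, t, src, dst, proto, info = m.groups()
        frames.append(dict(no=int(no), time=float(t), src=src, dst=dst, proto=proto, info=info))
    return frames

def repeated_responses(frames, server):
    """(first_no, repeat_no, gap_seconds) for each SMTP response the server sent twice.
    A verbatim repeat of server data means it saw no ACK and retransmitted (frames 6/7)."""
    seen, repeats = {}, []
    for f in frames:
        if f["src"] != server or f["proto"] != "SMTP" or not f["info"].startswith("Response:"):
            continue
        if f["info"] in seen:
            first = seen[f["info"]]
            repeats.append((first["no"], f["no"], round(f["time"] - first["time"], 3)))
        else:
            seen[f["info"]] = f
    return repeats

def seconds_to_server_fin(frames, server):
    """Seconds from the server's last SMTP frame to its FIN; None if it sent no FIN."""
    last = fin = None
    for f in frames:
        if f["src"] == server and f["proto"] == "SMTP":
            last = f
        elif f["src"] == server and "[FIN" in f["info"]:
            fin = f
    return round(fin["time"] - last["time"], 3) if fin and last else None
```

Run against the embedded capture it reports the 250 greeting repeated 2.407 s after its first transmission and the server FIN 27.58 s after that repeat; feeding it the good telnet session from the post reports no repeats.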