Hi guys Not sure where this falls under.
Here's the scenario: We have a mail server that needs to send out bulk emails to internal and external addresses. Sometimes, the mail server would need to send a lot of emails in one burst, so to speak, and I think ASA is blocking it.
The mail server is located in the DMZ switch which then plugs into one of the interface in ASA.
The destination mail server is located in our internal network which plugs into a CISCO switch then to Watchguard, then to our internal switch.
Symptom: On the mail server, mails going to our internal mail server (and out to the internet, but it is more noticeable on emails going in) got stuck in the postfix mail queue with the message "timed out while sending end of data -- message may be sent more than once". Those mails will be stuck in the queue for eternity, whilst other mails would get happily sent out. Here's the kicker: relaying the problematic emails through another mail server instead of directly to the internal mail server on the DMZ (then from that server to our internal server) works just fine.
I have done a lot of troubleshooting, and this is what I found:
Running wireshark on the spam port of the DMZ and the switch between ASA and Watchguard, the initial communication (syn-synack-ack, then ehlo, mailfrom, rcpt to:, data) went well.
Because of the size of the email, the mail was broken up into 2 parts. The first DATA part was sent, and acknowledged. The second part of the email, which includes the QUIT command was sent (I can see the packets on the wire using wireshark) but never made it through ASA (didn't see the packets on the switch between ASA and Watchguard).
One more thing, we also have ASA sent stuff to our CISCO MARS (which is in our internal network, not acting as IPS) log, and we got this on the the MARS box: "Client Exploit - Mass Emailing Worm". I figured that somehow either the amount of connections, bandwidth, or something, causes ASA to block those particular packets. Any help on how to turn on logging so I can at least start troubleshooting this?
*EDIT for formatting