Here's the scenario: We have a mail server that needs to send out bulk emails to internal and external addresses. Sometimes, the mail server would need to send a lot of emails in one burst, so to speak, and I think ASA is blocking it.
The mail server is located in the DMZ switch which then plugs into one of the interfaces in ASA.
The destination mail server is located in our internal network which plugs into a CISCO switch then to Watchguard, then to our internal switch.
Symptom: On the mail server, mails going to our internal mail server (and out to the internet, but it is more noticeable on emails going in) got stuck in the postfix mail queue with the message "timed out while sending end of data -- message may be sent more than once". Those mails will be stuck in the queue for eternity, whilst other mails would get happily sent out. Here's the kicker: relaying the problematic emails through another mail server instead of directly to the internal mail server on the DMZ (then from that server to our internal server) works just fine.
I have done a lot of troubleshooting, and this is what I found:
Running Wireshark on the SPAN port of the DMZ and the switch between ASA and Watchguard, the initial communication (syn-synack-ack, then ehlo, mailfrom, rcpt to:, data) went well.
Because of the size of the email, the mail was broken up into 2 parts. The first DATA part was sent, and acknowledged. The second part of the email, which includes the QUIT command was sent (I can see the packets on the wire using wireshark) but never made it through ASA (didn't see the packets on the switch between ASA and Watchguard).
One more thing, we also have ASA send stuff to our CISCO MARS (which is in our internal network, not acting as IPS) log, and we got this on the MARS box: "Client Exploit - Mass Emailing Worm". I figured that somehow either the amount of connections, bandwidth, or something, causes ASA to block those particular packets. Any help on how to turn on logging so I can at least start troubleshooting this?
Do you have any AIP-SSM module installed on the ASA? Have you turned on ESMTP inspection on the ASA? Can you bypass this specific traffic from the inspection Engine and see if that helps? Please post the output of "show run policy-map" and "show run service-policy" commands here so we can suggest configuration changes.
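To check from the Postfix side whether the end-of-data timeouts follow message size and delivery path, as the observations in the question suggest, the following added example (not part of either post) correlates `qmgr` size records with `smtp` delivery results per relay. The log lines, hosts and addresses are constructed, and the function names `triage` and `size_boundary` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in standard Postfix syslog format (hosts, IDs, addresses are made up).
SAMPLE_LOG = """\
Jan 10 09:00:01 dmz-mail postfix/qmgr[2101]: 3F2A1C0042: from=<bulk@example.com>, size=1840, nrcpt=1 (queue active)
Jan 10 09:00:02 dmz-mail postfix/smtp[2250]: 3F2A1C0042: to=<user1@example.com>, relay=192.0.2.10[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jan 10 09:00:05 dmz-mail postfix/qmgr[2101]: 7B9D4C0043: from=<bulk@example.com>, size=48213, nrcpt=1 (queue active)
Jan 10 09:10:06 dmz-mail postfix/smtp[2251]: 7B9D4C0043: to=<user2@example.com>, relay=192.0.2.10[192.0.2.10]:25, delay=601, delays=0.1/0/0.3/600, dsn=4.4.2, status=deferred (conversation with 192.0.2.10[192.0.2.10] timed out while sending end of data -- message may be sent more than once)
Jan 10 09:00:07 dmz-mail postfix/qmgr[2101]: A1C3E50044: from=<bulk@example.com>, size=9120, nrcpt=1 (queue active)
Jan 10 09:10:08 dmz-mail postfix/smtp[2252]: A1C3E50044: to=<user3@example.com>, relay=192.0.2.10[192.0.2.10]:25, delay=601, delays=0.1/0/0.3/600, dsn=4.4.2, status=deferred (conversation with 192.0.2.10[192.0.2.10] timed out while sending end of data -- message may be sent more than once)
Jan 10 09:00:09 dmz-mail postfix/qmgr[2101]: C4D2F60045: from=<bulk@example.com>, size=51002, nrcpt=1 (queue active)
Jan 10 09:00:11 dmz-mail postfix/smtp[2253]: C4D2F60045: to=<user4@example.com>, relay=198.51.100.7[198.51.100.7]:25, delay=1.9, delays=0.1/0/0.3/1.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=(?P<size>\d+)")
SMTP_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, relay=(?P<relay>[^,]+),"
                     r" .*status=(?P<status>\w+) \((?P<detail>.*)\)$")
MARKER = "timed out while sending end of data"  # symptom text quoted in the question

def triage(log_text):
    """Group queue IDs per relay into delivered vs. end-of-data timeouts, with sizes."""
    sizes = {}
    stats = defaultdict(lambda: {"sent": {}, "eod_timeout": {}})
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            sizes[m["qid"]] = int(m["size"])
            continue
        m = SMTP_RE.search(line)
        if not m:
            continue
        timed_out = m["status"] == "deferred" and MARKER in m["detail"]
        if m["status"] != "sent" and not timed_out:
            continue  # other deferral reasons are out of scope here
        bucket = "eod_timeout" if timed_out else "sent"
        stats[m["relay"]][bucket][m["qid"]] = sizes.get(m["qid"])  # keyed by ID, so retries dedupe
    return dict(stats)

def size_boundary(stats):
    """Per relay: (largest size delivered, smallest size that timed out)."""
    out = {}
    for relay, b in stats.items():
        sent = [s for s in b["sent"].values() if s is not None]
        bad = [s for s in b["eod_timeout"].values() if s is not None]
        out[relay] = (max(sent, default=None), min(bad, default=None))
    return out
```

A relay whose smallest timed-out size sits above its largest delivered size, while the same sizes go through on another path, points at something on the direct path acting on the later data segments rather than at the mail servers themselves.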