Random SMTP Blocks of Well Known Providers

bitworks
Junior Member
Posts: 3
Joined: 10 Aug 2016, 21:53

Random SMTP Blocks of Well Known Providers

Post by bitworks »

Hi all, hoping someone can help with this. Basically we are sending and receiving mail from Google, Yahoo, Comcast, etc., and seeing the firewall randomly block both connections in and out of our server to these domains for no apparent reason. Here is a snippet of a log from today; these are all Google mail servers. They seem to randomly get blocked and then removed. I finally started adding these to csf.allow and now they all pass, but this becomes impractical as we have lots of mail running through here. Is there some kind of rate limiting going on? Protocol errors? Can someone give me some pointers on where to start?

Note, we are a standard qmail/plesk installation. We are not doing any Connection Tracking or using any SMTP Blocking.

Aug 10 07:33:59 ss1 xinetd[16521]: START: smtp pid=1144 from=::ffff:74.125.82.52
Aug 10 07:39:01 ss1 xinetd[16521]: START: smtp pid=2883 from=::ffff:74.125.82.44
Aug 10 08:39:56 ss1 xinetd[20576]: START: smtp pid=24413 from=::ffff:74.125.82.41
Aug 10 09:02:02 ss1 xinetd[1033]: START: smtp pid=2310 from=::ffff:74.125.82.50
Aug 10 09:02:05 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= MAC=00:25:90:7c:08:23:ec:3e:f7:3a:47:f0:08:00 SRC=74.125.82.50 DST=xxxxxxxx LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=9731 PROTO=TCP SPT=37961 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 09:09:28 ss1 xinetd[1033]: START: smtp pid=5412 from=::ffff:74.125.82.44
Aug 10 09:11:28 ss1 xinetd[1033]: START: smtp pid=6298 from=::ffff:74.125.82.50
Aug 10 09:11:28 ss1 xinetd[1033]: START: smtp pid=6300 from=::ffff:74.125.82.41
Aug 10 09:16:44 ss1 xinetd[1033]: START: smtp pid=9982 from=::ffff:74.125.82.42
Aug 10 09:16:48 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= MAC=00:25:90:7c:08:23:ec:3e:f7:3a:47:f0:08:00 SRC=74.125.82.42 DST=xxxxxxx LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=3447 PROTO=TCP SPT=36588 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 09:16:48 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= MAC=00:25:90:7c:08:23:ec:3e:f7:3a:47:f0:08:00 SRC=74.125.82.42 DST=xxxxxx LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=3448 PROTO=TCP SPT=36588 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 09:27:19 ss1 xinetd[1033]: START: smtp pid=13753 from=::ffff:74.125.82.42
Aug 10 10:21:27 ss1 xinetd[31590]: START: smtp pid=8335 from=::ffff:74.125.82.47
Aug 10 10:21:30 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= MAC=00:25:90:7c:08:23:ec:3e:f7:3a:47:f0:08:00 SRC=74.125.82.47 DST=xxxxxx LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=43966 PROTO=TCP SPT=38460 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 10:21:30 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= MAC=00:25:90:7c:08:23:ec:3e:f7:3a:47:f0:08:00 SRC=74.125.82.47 DST=xxxxxx LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=43967 PROTO=TCP SPT=38460 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 10:28:19 ss1 xinetd[31590]: START: smtp pid=10968 from=::ffff:74.125.82.48
Aug 10 10:28:22 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= MAC=00:25:90:7c:08:23:ec:3e:f7:3a:47:f0:08:00 SRC=74.125.82.48 DST=xxxxxxx LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=1419 PROTO=TCP SPT=36087 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 10:28:22 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= MAC=00:25:90:7c:08:23:ec:3e:f7:3a:47:f0:08:00 SRC=74.125.82.48 DST=xxxxxxxx LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=1420 PROTO=TCP SPT=36087 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 10:34:54 ss1 xinetd[31590]: START: smtp pid=14757 from=::ffff:74.125.82.68
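One way to triage log lines like the ones in this post, added here as an example and not part of the original post or of CSF itself: every "*TCP_IN Blocked*" line in the snippet is a bare RST segment (flag RST, LEN=40, WINDOW=0) logged a few seconds after xinetd had already accepted an SMTP session from the same source address, which is a different event from a dropped connection attempt (a SYN). The script below correlates the xinetd START lines with the kernel block lines so the two cases are counted separately. The log lines inside it are constructed samples modelled on the format in the post (documentation IPs, placeholder MAC), and the 30-second correlation window and the verdict names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Flag tokens iptables LOG emits without an '=' (the thread's lines carry "RST").
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
START_RE = re.compile(r"xinetd\[\d+\]: START: smtp pid=\d+ from=(?:::ffff:)?(?P<src>[\d.]+)")
BLOCK_RE = re.compile(r"kernel: Firewall: \*TCP_IN Blocked\* (?P<fields>.*)$")

# Constructed sample log (not the poster's real log): two accepted Google-style
# sessions each followed by a stray RST, plus one dropped SYN from another host.
MAC = "MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00"
SAMPLE_LOG = f"""\
Aug 10 09:02:02 ss1 xinetd[1033]: START: smtp pid=2310 from=::ffff:74.125.82.50
Aug 10 09:02:05 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= {MAC} SRC=74.125.82.50 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=9731 PROTO=TCP SPT=37961 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 09:09:28 ss1 xinetd[1033]: START: smtp pid=5412 from=::ffff:74.125.82.44
Aug 10 09:16:44 ss1 xinetd[1033]: START: smtp pid=9982 from=::ffff:74.125.82.42
Aug 10 09:16:48 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= {MAC} SRC=74.125.82.42 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=3447 PROTO=TCP SPT=36588 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Aug 10 09:20:00 ss1 kernel: Firewall: *TCP_IN Blocked* IN=bond0 OUT= {MAC} SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_ts(text):
    """Syslog timestamps carry no year; good enough for same-day deltas."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_block_fields(text):
    """Split 'SRC=1.2.3.4 ... DPT=25 ... RST URGP=0' into a field dict and a flag set."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags


def classify_blocks(log_text, window_s=30):
    """Return one verdict per '*TCP_IN Blocked*' line aimed at SMTP (DPT=25).

    stray-rst-after-session: a bare RST from a peer whose session xinetd had
        already accepted within window_s seconds; the tail of a connection,
        not a refused delivery attempt.
    blocked-syn: a dropped connection attempt (SYN without ACK); a real block.
    other: anything else; inspect by hand.
    """
    last_start = {}  # source IP -> time of the most recent accepted SMTP session
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, rest = parse_ts(m["ts"]), m["rest"]
        started = START_RE.search(rest)
        if started:
            last_start[started["src"]] = ts
            continue
        blocked = BLOCK_RE.search(rest)
        if not blocked:
            continue
        fields, flags = parse_block_fields(blocked["fields"])
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        src = fields.get("SRC")
        since = (ts - last_start[src]).total_seconds() if src in last_start else None
        if "RST" in flags and since is not None and 0 <= since <= window_s:
            verdict = "stray-rst-after-session"
        elif "SYN" in flags and "ACK" not in flags:
            verdict = "blocked-syn"
        else:
            verdict = "other"
        results.append({"ts": m["ts"], "src": src, "flags": sorted(flags),
                        "seconds_since_start": since, "verdict": verdict})
    return results


def summarize(results):
    """Count verdicts so genuine blocks stand out from the RST noise."""
    return dict(Counter(r["verdict"] for r in results))


if __name__ == "__main__":
    found = classify_blocks(SAMPLE_LOG)
    for r in found:
        print(f'{r["ts"]} {r["src"]:<15} {",".join(r["flags"]):<4} {r["verdict"]}')
    print(summarize(found))
```

Run it against the real file with `classify_blocks(open("/var/log/messages").read())` (or wherever syslog lands on the box); if the summary is dominated by stray RSTs, the "blocks" are not stopping deliveries, and the dropped SYNs, if any, are the lines worth chasing.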
bitworks
Junior Member
Posts: 3
Joined: 10 Aug 2016, 21:53

Re: Random SMTP Blocks of Well Known Providers

Post by bitworks »

So I managed to at least overcome this by allowing:

tcp|in|dpt=25|d=mymailserverip

Isn't that supposed to be what TCP_IN and TCP_OUT do already????

I do have a whole set of IPs that should be blocked from sending in anything; let's see if this breaks that or not.
bitworks
Junior Member
Posts: 3
Joined: 10 Aug 2016, 21:53

Re: Random SMTP Blocks of Well Known Providers

Post by bitworks »

Did a lot more testing on this and the issue is that CSF is just deciding to randomly block stuff; it doesn't matter if the provider is a spammer or Google. Rather than risk any more dropped mail, I just allowed through 25 and 465 to my mail servers in the csf.allow file.

I am suspecting this might be a load issue, as our other servers, which are under much less load but otherwise identical, experience the issue once or twice a day but not to the degree this one was.

So here is what my csf.allow looks like.

tcp|in|dpt=25|d=mymailserverip
tcp|out|dpt=25|s=mymailserverip
tcp|in|dpt=465|d=mymailserverip
tcp|out|dpt=465|s=mymailserverip

The only real downside here is that I have to block lots of the total crap spam in the spam filter, rather than on the edge, but I will take that simply to ensure my clients get their e-mail.