
mtn356 01-17-2012 02:04 PM

Email from my linux server is being dropped by my firewall as IP spoof
 
I hope somebody can help me with this. I have a Redhat server on a T1 connection. I have the rest of our network on a Cable connection. When I send mail from the Redhat server to say a yahoo.com email address it goes through. When I send email to our company exchange server on the cable connection it never comes in. I tracked it back to our firewall dropping the connection with the following error. "Alert - Intrusion Prevention - IP spoof dropped". If I dig the redhat server from another machine everything resolves with the correct DNS record and IP address. Any ideas why a firewall would see an email as spoofing other than actually trying to spoof it?

Thanks,

Mike

T3RM1NVT0R 01-17-2012 02:37 PM

@ Reply
 
Hi mtn356,

So you have got a Red Hat email server and an exchange email server. When you send email from your Red Hat server to yahoo.com it goes fine. However, when you send email to your exchange server it gets dropped at your firewall. Am I getting it correct? If yes, then did you check on the firewall if your Red Hat server's IP is not explicitly in the deny list? Is your Red Hat server able to telnet your exchange server on port 25?

Another thing you could try is sending an email to a hotmail.com ID from your Red Hat server, because hotmail performs a reverse lookup for the source IP of the email. If that is going through then it is an issue with your firewall. If it is not going through then we need to check the mail exchange that you have configured for the Red Hat mail server.

mtn356 01-17-2012 02:57 PM

Yes you have it correct. The redhat server is not in the deny list. But as soon as I try to telnet it pops right up in the firewall log again with the following " 01/17/2012 15:46:41.016 Alert Intrusion Prevention IP spoof dropped "

So I went and set up a hotmail email and sent a test and it went right through. It went into the junk folder but it did go right through. It was just a generic message that just said "test". I guess that is maybe why it got junked or maybe something to do with the reverse lookup.

T3RM1NVT0R 01-17-2012 03:03 PM

@ Reply
 
If it was rejected by the hotmail server then you should have got a denied message with status 554. But as it went through, though in junk, it should be fine. For the email that you have received in the junk folder on hotmail, change the setting to not junk and resend another email with some other text and see if you get that in your inbox on your hotmail account. If yes, then the mx part appears to be ok and we need to look into the issue from the firewall perspective.

mtn356 01-17-2012 03:25 PM

Well after two days I just solved it. I guess this post was about 15 minutes premature. I am not sure why it works this way but let me explain part of our setup here.

The T1 comes into a modem then into a 5 port switch. From there 2 ports go to our redhat server each with a static IP address configured. We have a large static block from the T1 provider. Now 1 more port goes from that switch and into the Firewall where the Cable line comes in to work as a fail over backup. That firewall is also a load balancer so it has two wan ports. I unplugged the ethernet cable from the switch to the backup port on the firewall and now everything works. For whatever reason it must be trying to send the traffic directly across that line instead of out over the T1 line then back in the cable line. My guess would be it just sees the other incoming line configured on the other side of that router and sends it across. And that seems logical since it would be faster although I have no idea why that then makes it look like IP spoofing. I should have tried that in the beginning.

Your help is greatly appreciated.

Thank You,

Mike
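
Editor's added example, not code from the thread: a small model of a strict reverse-path check, one common way a firewall decides a packet is spoofed, showing how a source on the T1 block can be rejected while the firewall has a WAN port on that same block and accepted once that port is unplugged. That this firewall works this way is an assumption, and the interface names and addresses are constructed (documentation ranges).

```python
import ipaddress

def build_routes(connected, default_iface):
    """Routing table as (network, interface) pairs: connected subnets plus a default route."""
    routes = [(ipaddress.ip_network(net), iface) for iface, net in connected.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_iface))
    return routes

def route_iface(routes, addr):
    """Longest-prefix match: the interface the firewall would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, iface) for net, iface in routes if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def strict_rpf(routes, src, in_iface):
    """Strict reverse-path check: accept only if src is routed via the arrival interface."""
    expected = route_iface(routes, src)
    if expected == in_iface:
        return "accept"
    return f"IP spoof dropped (src {src} arrived on {in_iface}, expected {expected})"

# Constructed addressing, not values from the thread.
SERVER = "198.51.100.10"    # Red Hat server on the T1 static block (assumed)
OUTSIDE = "192.0.2.25"      # any unrelated Internet mail host (assumed)

# Firewall with both WAN ports up: the T1 block is a directly connected network.
BOTH_WANS = build_routes(
    {"wan_cable": "203.0.113.0/29", "wan_t1": "198.51.100.0/28", "lan": "192.168.1.0/24"},
    default_iface="wan_cable")

# Same firewall after the T1 port is unplugged: its connected route is gone.
CABLE_ONLY = build_routes(
    {"wan_cable": "203.0.113.0/29", "lan": "192.168.1.0/24"},
    default_iface="wan_cable")

def scenarios():
    """Mail arrives on the cable WAN port in every case; only the routing table changes."""
    return {
        "server, both WANs up": strict_rpf(BOTH_WANS, SERVER, "wan_cable"),
        "server, T1 port unplugged": strict_rpf(CABLE_ONLY, SERVER, "wan_cable"),
        "outside host, both WANs up": strict_rpf(BOTH_WANS, OUTSIDE, "wan_cable"),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

On a real firewall, compare the interface named in the spoof alert with the interface its routing table gives for the source address before changing any cabling.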


All times are GMT -5.