1 Reply Latest reply on Nov 7, 2012 3:18 AM by PhilM

    Mail server Blackhole

    Arshad

      My Firewall blackholed my Internal Mailer Daemon and the audit log shows the following error. What does it mean and how can I solve it? Urgent, please.


      2012-11-07 10:51:03 +0500 f_mail_proxy a_proxy t_attack p_major
      pid: 2168 logid: 0 cmd: 'smtpp' hostname: mblfw02.meezanbank.com
      category: appdef_violation event: maximum invalid commands exceeded
      netsessid: e12195099f6c6 srcip: 172.30.1.160 srcport: 3646
      srczone: internal dst_local_port: 25 protocol: 6 src_local_port: 0
      dstip: 10.1.246.2 dstport: 25 dstzone: Ironmail attackip: 172.30.1.160
      attackzone: internal rule_name: Email- Internal-Ironmail
      reason: Connection terminated, the maximum allowable invalid commands in a session was exceeded.
      information: Sabir Hussain <Sabir.Hussain@meezanbank.com>,

        • 1. Re: Mail server Blackhole
          PhilM

          From the nature of the audit message, it looks as though your internal mail server is doing something which the Firewall is not happy with, and this is the reason why it is being blocked.

          I would suggest that you investigate why this is the case, because it could be a sign that something odd is happening on your mail server and the Firewall is actually protecting you. With so many security solutions using reputation-based services (like the GTI service used by McAfee), if these transactions are malicious in some way and you allow them to pass through, you could find yourself being blocked by any number of external hosts who control what connections are allowed based on the reputation score.

          As the audit category is an "appdef_violation" event, changing the assigned application defense may well stop the error from occurring - but if your mail server is doing something bad, then it will no longer be stopped.


          You haven't said which version of Firewall Enterprise you are running, but as the audit output suggests that your internal mail host is an Ironmail appliance, I would strongly suggest that you raise a ticket with McAfee support (probably with the Ironmail team) and they can speak to the Firewall guys to try and find out if it is a functional element within Ironmail which is causing this and suggest an appropriate work-around for you.


          -Phil.
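The audit record in the question and PhilM's advice to look at who is tripping the application defense both come down to reading the Firewall Enterprise "key: value" audit format and pulling out the appdef_violation events per attacking host. The following is an added example, not code from the thread or from McAfee: it parses records in the layout the posted record has (seven fixed header tokens, then space-separated key: value pairs whose values may contain spaces), filters the appdef_violation events and lists which attack IPs sit in the internal zone. The first sample record is the posted one reflowed onto a single line; the second is constructed for contrast, and its category and event values are invented, not real audit categories.

```python
"""Parse McAfee Firewall Enterprise style 'key: value' audit records and
triage appdef_violation events (added example, not from the original post)."""
import re
from collections import Counter

# Constructed sample input. Record 1 is the one posted in the question,
# reflowed onto one line. Record 2 is invented (hostname, category and
# event names are hypothetical) so the filter has something to ignore.
SAMPLE_AUDIT = """\
2012-11-07 10:51:03 +0500 f_mail_proxy a_proxy t_attack p_major pid: 2168 logid: 0 cmd: 'smtpp' hostname: mblfw02.meezanbank.com category: appdef_violation event: maximum invalid commands exceeded netsessid: e12195099f6c6 srcip: 172.30.1.160 srcport: 3646 srczone: internal dst_local_port: 25 protocol: 6 src_local_port: 0 dstip: 10.1.246.2 dstport: 25 dstzone: Ironmail attackip: 172.30.1.160 attackzone: internal rule_name: Email- Internal-Ironmail reason: Connection terminated, the maximum allowable invalid commands in a session was exceeded.
2012-11-07 10:52:10 +0500 f_mail_proxy a_proxy t_nettraffic p_minor pid: 2168 logid: 0 cmd: 'smtpp' hostname: mblfw02.example.com category: constructed_ok event: session end netsessid: 0000000000001 srcip: 172.30.1.161 srcport: 4011 srczone: internal dstip: 10.1.246.2 dstport: 25 dstzone: Ironmail rule_name: Email- Internal-Ironmail
"""

# Fixed leading tokens as they appear in the posted record.
HEADER_FIELDS = ("date", "time", "tz", "facility", "area", "type", "priority")

# A key is a bare word followed by ": ". The value runs (lazily) until the
# next "<space><word>: " or end of line, so multi-word values such as
# "maximum invalid commands exceeded" or "Email- Internal-Ironmail" survive.
KV_RE = re.compile(r"(\w+): (.*?)(?=\s\w+: |$)")


def parse_audit_record(line):
    """Return a dict of the header fields plus every key: value pair."""
    parts = line.strip().split(None, len(HEADER_FIELDS))
    if len(parts) < len(HEADER_FIELDS):
        raise ValueError("not an audit record: %r" % line)
    rec = dict(zip(HEADER_FIELDS, parts[: len(HEADER_FIELDS)]))
    rest = parts[len(HEADER_FIELDS)] if len(parts) > len(HEADER_FIELDS) else ""
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip()
    return rec


def appdef_violations(text):
    """Parsed records whose category is appdef_violation, in input order."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_record(line)
        if rec.get("category") == "appdef_violation":
            out.append(rec)
    return out


def summarize(text):
    """Count violations per (attackip, attackzone, event) so one host
    repeatedly tripping the same application defense check stands out."""
    return Counter(
        (r.get("attackip", r.get("srcip")),
         r.get("attackzone", r.get("srczone")),
         r.get("event"))
        for r in appdef_violations(text)
    )


def internal_attackers(text):
    """Attack IPs in the internal zone: hosts on your own side of the
    firewall whose SMTP behaviour the proxy is rejecting."""
    return sorted({
        r["attackip"] for r in appdef_violations(text)
        if "attackip" in r and r.get("attackzone") == "internal"
    })


if __name__ == "__main__":
    for (ip, zone, event), n in summarize(SAMPLE_AUDIT).items():
        print("%s (%s): %s x%d" % (ip, zone, event, n))
    print("internal hosts tripping application defenses:",
          internal_attackers(SAMPLE_AUDIT))
```

Run it over the firewall's exported audit file instead of SAMPLE_AUDIT and the per-host counts tell you whether this is one mail host sending malformed or unexpected SMTP commands into the Ironmail appliance (a candidate for the vendor ticket PhilM suggests) or something broader; the `attackzone: internal` field is the detail worth reading before relaxing the application defense.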