Pfsense keeps on deferring outgoing mails - AUTH 113
-
Hi,
We are unable to send mail to the outside, with the following error displayed on our mailserver:
SMTP incoming data timeout - closing connection. (in reply to end of DATA command))
I noticed the traffic to AUTH port 113 was blocked by pfsense:
I noticed the traffic to AUTH port 113 was blocked by pfsense:
pf: 36. 903441 rule 69/0(match): block in on ng0: (tos 0x0, ttl 62, id 31880, offset 0, flags [DF], proto TCP (6), length 60) 196.XX.YY.ZZ.36075 > 196.XX.YY.ZZ.113: S, cksum 0x4c12 (correct), 1814983136:1814983136(0) win 5840 <mss 1452,sackOK,timestamp 536866232 0,nop,wscale 7>
I created a port forward rule to a non-existent LAN address to pass 113 traffic, but the problem remains the same.
The problem is specifically coming from pfsense (running on Soekris net5501), as the problem doesn't occur when we are using a basic Linksys router or connect our mailserver directly to our WAN link.
Any idea on what is going on?
Thanks
Pfsense: 1.2.3-RC1 (which I'm currently upgrading to rerun the test)
-
you could install the widentd package or (what i do), add an explicit rule for TCP port 113, but have it do a reject rather than a block - this will let the other side know to skip the ident/auth stuff…
-
Thanks danswartz,
After running some tests, it occurs that the issue doesn't come from any AUTH 113 blocked traffic. Rejecting or port forwarding 113 traffic doesn't change anything: the 113 traffic is properly passed when adding the rule, but still, outgoing mails are not sent, with the same "SMTP incoming data timeout - closing connection. (in reply to end of DATA command)" on my mailserver.
It looks like pfsense doesn't accept anything returning from the ISP smtp server.
The connection is provided by PPPoE, and pfsense might not like it. tcpdump clearly shows dialogue with the smtp server till one point where no reply from pfsense is sent back to smtp.
Are there any log files to be checked in pfsense?
Are there any specific security features to be activated when running a PPPoE connection?
P.S. Problem remains the same when upgrading to 1.2.3-RC3
-
port forwarding tcp/113 to a bogus address is as bad as blocking it - the remote smtp server is using auth to check who you are. rejecting it fixes that. it is hard to comment beyond that unless you provide a trace.
-
Thanks Dan.
Here are some logs if that might help:
1. Before any REJECT on AUTH 113, traffic is blocked:
pf: 36. 903441 rule 69/0(match): block in on ng0: (tos 0x0, ttl 62, id 31880, offset 0, flags [DF], proto TCP (6), length 60) 196.46.112.4.36075 > 196.46.115.161.113: S, cksum 0x4c12 (correct), 1814983136:1814983136(0) win 5840 <mss 1452,sackOK,timestamp 536866232 0,nop,wscale 7>
2. After the reject rule, traffic is passed (see attached file auth113_passon)
3. Mailserver error logs remain the same:
421 smtp0.kino.cd.ibcore.net SMTP incoming data timeout - closing connection
Nov 24 11:03:31 mailserver postfix/smtp[32272]: 773D22D48003: relay=smtp.iburstrdc.com[196.46.112.4]:25, delay=305, delays=0.01/0.01/5.4/300, dsn=4.0.0, status=deferred (host smtp.iburstrdc.com[196.46.112.4] said: 421 smtp0.kino.cd.ibcore.net SMTP incoming data timeout - closing connection. (in reply to end of DATA command))
4. tcpdump. Dialogue is up until the mail is sent, and then is up again.
14:39:51.153073 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: P 79:209(130) ack 40 win 46 <nop,nop,timestamp 543897718 275897837>
14:39:51.153233 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: P 40:167(127) ack 209 win 1460 <nop,nop,timestamp 275897887 543897718>
14:39:51.203004 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: P 209:301(92) ack 167 win 46 <nop,nop,timestamp 543897723 275897887>
14:39:51.203294 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275897937 543897723>
14:39:51.203410 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: P 1607:2379(772) ack 301 win 1460 <nop,nop,timestamp 275897937 543897723>
14:39:51.387833 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: . ack 167 win 46 <nop,nop,timestamp 543897732 275897887,nop,nop,sack 1 {1607:2379}>
14:39:51.440468 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275898175 543897732>
14:39:51.916207 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275898651 543897732>
14:39:52.867685 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275899603 543897732>
14:39:54.770641 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275901507 543897732>
14:39:58.576553 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275905315 543897732>
14:40:06.188368 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275912931 543897732>
14:40:21.412006 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275928163 543897732>
14:40:51.874756 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275958627 543897732>
14:41:52.800743 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 276019556 543897732>
14:43:52.794883 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 276139556 543897732>
14:44:51.219505 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: P 301:380(79) ack 167 win 46 <nop,nop,timestamp 543927723 275897887,nop,nop,sack 1 {1607:2379}>
14:44:51.219581 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: F 380:380(0) ack 167 win 46 <nop,nop,timestamp 543927723 275897887,nop,nop,sack 1 {1607:2379}>
14:44:51.231378 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: F 2379:2379(0) ack 381 win 1460 <nop,nop,timestamp 276197995 543927723>
14:44:51.264320 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: R 591339845:591339845(0) win 0
Thanks again for your input.
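Reading a trace like the one in this post by hand is error-prone, so the following Python script is added here as an example (it is not part of the thread and not pfSense code). It parses classic tcpdump TCP lines and lists every data segment that was retransmitted without the peer's cumulative ACK ever covering it, alongside the SACK blocks the peer did send. The embedded trace is a constructed excerpt re-typed from the post above with the option fields reassembled; the host names and ports are the ones quoted there. On this excerpt the script reports the 1440-byte segment 167:1607 sent six times over roughly four minutes while the server's ACK never moves past 167, even though the server's SACK block shows the later, smaller 772-byte segment 1607:2379 arrived. Size-dependent loss of that kind is the first thing to check on a PPPoE WAN (interface MTU and MSS clamping) before spending more time on the ident rule.

```python
"""Find TCP segments in a tcpdump trace that were retransmitted but never acknowledged."""
import re
from collections import defaultdict

# Constructed excerpt, re-typed from the tcpdump output quoted in the post above
# (client 10.30.1.17 behind pfSense -> ISP relay smtp0.kino.cd.ibcore.net).
TRACE = """\
14:39:51.153073 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: P 79:209(130) ack 40 win 46 <nop,nop,timestamp 543897718 275897837>
14:39:51.153233 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: P 40:167(127) ack 209 win 1460 <nop,nop,timestamp 275897887 543897718>
14:39:51.203004 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: P 209:301(92) ack 167 win 46 <nop,nop,timestamp 543897723 275897887>
14:39:51.203294 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275897937 543897723>
14:39:51.203410 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: P 1607:2379(772) ack 301 win 1460 <nop,nop,timestamp 275897937 543897723>
14:39:51.387833 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: . ack 167 win 46 <nop,nop,timestamp 543897732 275897887,nop,nop,sack 1 {1607:2379}>
14:39:51.440468 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275898175 543897732>
14:39:52.867685 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275899603 543897732>
14:39:58.576553 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275905315 543897732>
14:40:21.412006 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 275928163 543897732>
14:43:52.794883 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: . 167:1607(1440) ack 301 win 1460 <nop,nop,timestamp 276139556 543897732>
14:44:51.219505 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: P 301:380(79) ack 167 win 46 <nop,nop,timestamp 543927723 275897887,nop,nop,sack 1 {1607:2379}>
14:44:51.219581 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: F 380:380(0) ack 167 win 46 <nop,nop,timestamp 543927723 275897887,nop,nop,sack 1 {1607:2379}>
14:44:51.231378 IP 10.30.1.17.43273 > smtp0.kino.cd.ibcore.net.smtp: F 2379:2379(0) ack 381 win 1460 <nop,nop,timestamp 276197995 543927723>
14:44:51.264320 IP smtp0.kino.cd.ibcore.net.smtp > 10.30.1.17.43273: R 591339845:591339845(0) win 0
"""

# Classic (non -v) tcpdump TCP line: time, endpoints, flags, optional seq range, optional ack, win, options.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
)
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")


def _seconds(hhmmss):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text):
    """Parse tcpdump TCP lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "t": _seconds(d["ts"]), "src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq": (int(d["seq0"]), int(d["seq1"])) if d["seq0"] else None,
            "len": int(d["len"]) if d["len"] else 0,
            "ack": int(d["ack"]) if d["ack"] else None,
            "sack": [(int(a), int(b)) for a, b in SACK_RE.findall(d["opts"] or "")],
        })
    return packets


def diagnose(packets):
    """Report data segments sent more than once whose bytes the peer never cumulatively ACKed.

    A segment counts as acked when the peer's highest ACK reaches the segment's end. The peer's
    SACK blocks are listed too: later bytes SACKed while an earlier, larger segment keeps being
    retransmitted means the loss depends on segment size rather than on the path being down.
    """
    sent = defaultdict(list)    # (src, dst, (seq0, seq1)) -> send times
    max_ack = defaultdict(int)  # (src, dst) -> highest ACK number sent from src to dst
    sacked = defaultdict(set)   # (src, dst) -> SACK blocks sent from src to dst
    for p in packets:
        if p["len"] > 0:
            sent[(p["src"], p["dst"], p["seq"])].append(p["t"])
        if p["ack"] is not None:
            max_ack[(p["src"], p["dst"])] = max(max_ack[(p["src"], p["dst"])], p["ack"])
        sacked[(p["src"], p["dst"])].update(p["sack"])

    report = []
    for (src, dst, seq), times in sent.items():
        if len(times) < 2:
            continue
        report.append({
            "src": src, "dst": dst, "segment": seq, "length": seq[1] - seq[0],
            "transmissions": len(times),
            "span_seconds": round(max(times) - min(times), 3),
            "acked": max_ack[(dst, src)] >= seq[1],
            "peer_sacked": sorted(sacked[(dst, src)]),
        })
    return report


if __name__ == "__main__":
    for r in diagnose(parse_trace(TRACE)):
        print(f"{r['src']} -> {r['dst']}: bytes {r['segment'][0]}:{r['segment'][1]} ({r['length']} B) "
              f"sent {r['transmissions']}x over {r['span_seconds']} s, acked={r['acked']}, "
              f"peer SACKed {r['peer_sacked']}")
```

Run it against a full `tcpdump -n` capture of the failing session (the script ignores lines it cannot parse, so the ident/113 and DNS noise is harmless). Only the client's data segments are ever retransmitted here; the server's 79-, 92- and 130-byte replies and the client's own 127- and 772-byte segments all get through, which is why the 1440-byte segment stands out.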
-
this has me confused. you said (i thought) you changed the rule to reject tcp/113, but the log shows it being passed through to another LAN host (is this still the one that does not exist?) Also, it is useless to have a partial smtp trace.
-
Hi,
Sorry, I realized last night I made a mistake when posting the pfsense screenshot. Will post the REJECT one as soon as I can.
The router is in Congo DRC, which I left yesterday evening. Will try to get someone to provide me the proper REJECT logs.
Thanks again for your help.