PFSense Locking SMTP



  • Have a customer that has been working great; then last week they added about 6 more employees to the building. Now when they go to send email via SMTP it just locks and hangs, and about every hour or 2 it will just randomly send out. I have changed outbound SMTP servers to 2 different providers and it happens the same with both providers. I have even set up SMTP to use the IP and not the DNS names and still have the same issue. I'm not sending out via port 25 but port 587. I have contacted the internet provider and they aren't blocking ports. I have put just a basic Linksys router in place and can send and receive fine. I see in the state tables there is a timeout on the connections for port 587. I thought I possibly had bad hardware, so I replaced the pfSense with another one, did a clean config and manually entered all the rules, and still have the same issues. Is anyone else having this problem or know how to fix it?



  • I have pfSense in front of 2 Zimbra and one Exchange server and there is no problem sending or receiving mail.
    What version are you running? What other packages do you have installed?



  • SMTP only allows 1 email client to connect to an account at a time. This is per the RFC.

    This is not pfSense doing this. Your email server is locking the account to the first client device on an account that checks for new email. The second client device (same account) trying at the same instant will get the lockout message.

    Check the thread below for more info.

    http://www.hmailserver.com/forum/viewtopic.php?f=7&t=23818&start=0&hilit=locked


  • Netgate Administrator

    That link appears to be a problem specific to POP3, not SMTP. Am I missing something?

    @kewing75: The only thing that changed was the company added more employees? Presumably they got new email addresses etc.?

    Steve



  • @podilarius I'm running 2.0.2. Normally we run Squid on the box to do transparent proxy, but on the new box we don't have it running. I saw people saying they had issues sending when they had Squid running, but I never installed it on the new box, hoping that would correct the problem.

    @Stephenw Yes, all the new employees have new email addresses.

    Yesterday, if I went into the state table and removed the entries for the external SMTP server that had the TIME_WAIT:TIME_WAIT state, they could hit send and receive on the Outlook client and were able to send out again. I have changed the Firewall Optimization to Aggressive to try and drop these connections faster.



  • Wow, that's what happens when I try and answer a post after a 16 hour day, I guess. Totally misread that last night. Sorry!



  • Not only that but the OP says it works fine with a basic Linksys router in place rather than pfSense.

    Was the Linksys connected with the same cables and switch ports etc.? A long shot, I know.



  • Yes, the Linksys was hooked up with the same cables. Only problem is the pfSense has VPN connections to the other 4 branches (VPN only used for connection back to the AS400), so I could only test for about an hour. I talked with them today and they haven't had any issues yet today, but a lot of the staff is on vacation today and tomorrow, so we probably won't truly know till Monday if setting the firewall to aggressive has fixed the issue.



  • After everyone was back to work today, SMTP traffic was getting locked up in the firewall again. I had an extra static IP from the ISP, so I programmed up a Linksys router, put in a static route for the SMTP server, and am routing all SMTP traffic out the Linksys router, and everything has been running fine since I did this. I'm seeing the routes in the state table showing ESTABLISHED:ESTABLISHED, and then they clear out once the client is done sending mail. I saw a similar post on this but it was in French or Spanish, so I couldn't get all the information from that post. Any help would be great.



  • pfSense has no ALG that might interfere with SMTP protocol, so there should be no difference between using port 25 or 587 for submission.

    This appears to be a "stale states" issue, but I can't imagine why. Do you utilize policy-based routing, or multi-WAN, or WAN IP change, etc.?

    Also, when experiencing this issue, could you please check states (e.g. using pfctl -ss | fgrep :587, or the SMTP host IP)?

    I don't think that setting the pf state optimization algo to "aggressive" will really help, because TCP timeouts will still be quite long, let alone that it might backfire in other ways …



  • Well, in a new situation the Linksys router locked after being in place for about 6 hours, then I switched everything around to go out the pfSense firewall again and all is working. I'm going to guess that after a few hours the pfSense will lock again. There is something else going on internally.



  • Found the issue. I combed through all 2500 state table entries and found that our firewall was being bombarded by incoming UDP port 53 (DNS) traffic. This for some reason was causing issues with connecting to our SMTP provider. After blocking inbound DNS traffic from the 3 external IP addresses, my state table went down to about 300 states and I haven't had an issue since. I'm having the client run virus and malware scans on their PCs to see if there is possibly a virus on their systems that was causing this issue. Thanks for all your help, everyone.
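    The two state-table checks the thread converges on, the reply above suggesting pfctl -ss | fgrep :587 to look for stale port 587 states, and this last post's manual comb through 2500 entries to find the inbound UDP/53 flood, as an added shell example that is not code from the thread or from pfSense. It summarises pfctl -ss output instead of reading it by hand: stuck TIME_WAIT submission states, remote hosts ranked by state count, and the raw pf form of the block rule the poster added. The sample lines are constructed for the example (documentation address ranges) and the WAN interface name em0 is an assumption.

```shell
#!/bin/sh
# Added example (not code from the thread or from pfSense): summarise `pfctl -ss`
# output the way the posters above did by hand. Finds submission (587) states
# stuck in TIME_WAIT and ranks remote hosts by state count so an inbound flood
# such as the UDP/53 one stands out. IPv4 output only. In pf's listing the
# endpoint just before the state column is always the remote one, whether the
# direction is "->" (outbound) or "<-" (inbound), and a NAT'd state carries an
# extra "(orig)" field; indexing fields from the end of the line tolerates both.

# Constructed sample of `pfctl -ss` lines for this example; not captured from
# the poster's firewall. Addresses are documentation ranges.
SAMPLE_STATES='em0 tcp 203.0.113.2:61234 (192.168.1.10:51234) -> 198.51.100.5:587       TIME_WAIT:TIME_WAIT
em0 tcp 203.0.113.2:61240 (192.168.1.11:51240) -> 198.51.100.5:587       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.2:61250 (192.168.1.12:51250) -> 198.51.100.5:587       TIME_WAIT:TIME_WAIT
em0 udp 203.0.113.2:53 <- 192.0.2.10:40001       NO_TRAFFIC:SINGLE
em0 udp 203.0.113.2:53 <- 192.0.2.10:40002       NO_TRAFFIC:SINGLE
em0 udp 203.0.113.2:53 <- 192.0.2.11:40003       NO_TRAFFIC:SINGLE
em1 tcp 192.168.1.10:51300 -> 192.168.1.20:445       ESTABLISHED:ESTABLISHED'

# Print "proto remote_endpoint state" for every state whose remote port is $1.
# Reads pfctl -ss lines on stdin.
states_to_port() {
    awk -v port="$1" 'NF >= 5 {
        remote = $(NF-1); state = $NF
        rport = remote; sub(/^.*:/, "", rport)
        if (rport == port) print $2, remote, state
    }'
}

# Count states to remote port $1 that sit in TIME_WAIT on both sides: the
# entries the poster had to clear from the state table by hand.
stale_count_to_port() {
    states_to_port "$1" | awk '$3 == "TIME_WAIT:TIME_WAIT" { n++ } END { print n + 0 }'
}

# Rank remote hosts by number of states as "count proto remote_ip direction";
# $1 limits the list (default 5). An inbound ("<-") flood floats to the top.
top_remote_hosts() {
    awk 'NF >= 5 {
        rip = $(NF-1); sub(/:[0-9]+$/, "", rip)
        n[$2 " " rip " " $(NF-2)]++
    }
    END { for (k in n) print n[k], k }' | sort -rn | head -n "${1:-5}"
}

# Emit raw pf rules dropping inbound DNS from the IPs read on stdin, one per
# line: the pf.conf form of the GUI block rule the poster added. The WAN
# interface name em0 is an assumption.
block_inbound_dns_from() {
    while read -r ip; do
        if [ -n "$ip" ]; then
            printf 'block in quick on em0 inet proto udp from %s to any port 53\n' "$ip"
        fi
    done
}

# Demo on the constructed sample. On a pfSense box run the live equivalent as
# root, e.g.:  pfctl -ss | stale_count_to_port 587
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_STATES" | states_to_port 587
    printf 'stale to 587: %s\n' "$(printf '%s\n' "$SAMPLE_STATES" | stale_count_to_port 587)"
    printf '%s\n' "$SAMPLE_STATES" | top_remote_hosts 3
    printf '%s\n' "$SAMPLE_STATES" | top_remote_hosts 3 | awk '$4 == "<-" { print $3 }' | block_inbound_dns_from
fi
```

    On the sample, two of the three port 587 states are TIME_WAIT:TIME_WAIT, and the ranking puts the SMTP provider first (3 outbound states) and 192.0.2.10 second (2 inbound UDP states to port 53), which is the pattern that took the poster a manual pass over 2500 entries to spot. On a real box feed it pfctl -ss as root; the functions only read stdin and never change the state table themselves.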


  • Netgate Administrator

    Hmm, interesting.
    Incoming DNS queries should be blocked by default anyway (like anything else). I assume you hadn't opened port 53 deliberately.
    Perhaps it's related to the ongoing record-breaking DDoS against Spamhaus. They are using DNS amplification with open DNS servers; check you don't have some misconfigured DNS server internally.
    Interesting that the Linksys router appeared less susceptible.  :-\

    Steve


Locked