  1. #11
    Untangler
    Join Date
    Aug 2013
    Posts
    31

    I'm guessing you are talking about the message tracking logs in Exchange, right? I've looked but the email does not show up at all. I have also looked at the Exchange agent logs, message tracking logs, and protocol logs.
    Quote: Originally posted by sky-knight
    No, it means it didn't bother to look at it because it was too big.

    You're looking in the wrong place, you need to be looking at the SMTP logs on your mail server.
    Last edited by alexserenity; 08-06-2014 at 09:00 AM.

  2. #12
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    NGFW does not accept the mail and then forward it - it inspects the connection between the client and server.
    If the firewall sees a message it's because the client and server are interacting directly.
    If you see an event in the event log it means the client and server had an extensive conversation.

    If you aren't seeing anything in the logging on the email server, then the logging is not working.
    You need to figure out how to enable logging. Worst case, just figure out a repeatable case and use tcpdump/wireshark to watch the session.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #13
    Master Untangler
    Join Date
    Aug 2008
    Posts
    639

    FWIW, I am seeing similar results on my 9.4.2 box running the paid version of Spam Blocker. Like you, the message doesn't appear in the message tracker. I was able to locate the related entries in the smtp log:
    Code:
    2014-08-06 15:22:20 98.136.218.92 nm10-vm1.bullet.mail.gq1.yahoo.com SMTPSVC1 MY-SERVER 192.168.1.1 0 EHLO - +nm10-vm1.bullet.mail.gq1.yahoo.com 250 0 270 39 266 SMTP - - - -
    2014-08-06 15:22:20 98.136.218.92 nm10-vm1.bullet.mail.gq1.yahoo.com SMTPSVC1 MY-SERVER 192.168.1.1 0 MAIL - +FROM:<sender@senderdomain.com> 250 0 53 40 0 SMTP - - - -
    2014-08-06 15:22:20 98.136.218.92 nm10-vm1.bullet.mail.gq1.yahoo.com SMTPSVC1 MY-SERVER 192.168.1.1 0 RCPT - +TO:<me@mydomain.com> 250 0 39 36 0 SMTP - - - -
    2014-08-06 15:22:25 98.136.218.92 nm10-vm1.bullet.mail.gq1.yahoo.com SMTPSVC1 MY-SERVER 192.168.1.1 0 QUIT - nm10-vm1.bullet.mail.gq1.yahoo.com 240 6203 46 4 16 SMTP - - - -
    2014-08-06 15:23:00 98.136.218.92 nm10-vm1.bullet.mail.gq1.yahoo.com SMTPSVC1 MY-SERVER 192.168.1.1 0 EHLO - +nm10-vm1.bullet.mail.gq1.yahoo.com 250 0 270 39 0 SMTP - - - -
    2014-08-06 15:23:00 98.136.218.92 nm10-vm1.bullet.mail.gq1.yahoo.com SMTPSVC1 MY-SERVER 192.168.1.1 0 QUIT - nm10-vm1.bullet.mail.gq1.yahoo.com 240 391 76 5 0 SMTP - - - -
    In the UT logs, this message is given a score of -2.2 and shows as "pass message". Most messages are being delivered as expected. Any ideas why the QUIT command would be sent before the DATA command in these instances?
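
Added example (not part of the original thread or any poster's code): a Python sketch that scans SMTP log lines in the layout posted above and flags sessions where a recipient was accepted but the client sent QUIT without DATA, the pattern the post asks about. Field positions are assumed from those sample lines, sessions are grouped by client IP only, and the third sample session (the one with DATA) is constructed for contrast.

```python
from collections import defaultdict

# Field positions assumed from the sample lines in the post (no #Fields header shown).
DATE, TIME, CLIENT_IP, VERB, STATUS = 0, 1, 2, 8, 11

def find_abandoned_sessions(lines):
    """Return sessions that had an accepted RCPT but ended with QUIT and no DATA."""
    # Sessions are keyed by client IP only, so concurrent connections from one
    # IP would be merged; acceptable for a quick triage pass.
    open_sessions = defaultdict(list)
    findings = []
    for line in lines:
        f = line.split()
        if line.startswith("#") or len(f) <= STATUS:
            continue  # skip W3C header lines and truncated records
        ip, verb, status = f[CLIENT_IP], f[VERB].upper(), f[STATUS]
        if verb in ("EHLO", "HELO"):
            open_sessions[ip] = []  # a new greeting starts a new session
        open_sessions[ip].append((verb, status))
        if verb == "QUIT":
            seen = open_sessions.pop(ip)
            rcpt_ok = any(v == "RCPT" and s.startswith("2") for v, s in seen)
            sent_body = any(v in ("DATA", "BDAT") for v, _ in seen)
            if rcpt_ok and not sent_body:
                findings.append({"client": ip, "ended": f"{f[DATE]} {f[TIME]}",
                                 "verbs": [v for v, _ in seen]})
    return findings

def _line(time, verb, query, status):
    # Same column layout as the posted log; byte counters zeroed for brevity.
    return (f"2014-08-06 {time} 98.136.218.92 nm10-vm1.bullet.mail.gq1.yahoo.com "
            f"SMTPSVC1 MY-SERVER 192.168.1.1 0 {verb} - {query} {status} 0 0 0 0 SMTP - - - -")

HOST = "nm10-vm1.bullet.mail.gq1.yahoo.com"
SAMPLE = [
    # Sessions 1 and 2 condensed from the log lines in the post.
    _line("15:22:20", "EHLO", "+" + HOST, 250),
    _line("15:22:20", "MAIL", "+FROM:<sender@senderdomain.com>", 250),
    _line("15:22:20", "RCPT", "+TO:<me@mydomain.com>", 250),
    _line("15:22:25", "QUIT", HOST, 240),
    _line("15:23:00", "EHLO", "+" + HOST, 250),
    _line("15:23:00", "QUIT", HOST, 240),
    # Session 3 is constructed: a delivery that does reach DATA.
    _line("15:24:00", "EHLO", "+" + HOST, 250),
    _line("15:24:00", "MAIL", "+FROM:<sender@senderdomain.com>", 250),
    _line("15:24:00", "RCPT", "+TO:<me@mydomain.com>", 250),
    _line("15:24:01", "DATA", "+<constructed-id@example.invalid>", 250),
    _line("15:24:01", "QUIT", HOST, 240),
]

if __name__ == "__main__":
    for hit in find_abandoned_sessions(SAMPLE):
        print(hit)
```

Only the first session is reported; the bare EHLO/QUIT session never started a mail transaction, so it is not counted as a lost message.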

  4. #14
    Untangler
    Join Date
    Aug 2013
    Posts
    31

    dmorris, What I meant to say is, the logs are working and there is data in the logs. However, I don't see that specific email in the logs, period.

  5. #15
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,546

    As I understand it, that can only happen if tarpitting is enabled. And tarpitting should be disabled generally.

    But, the log information you've posted from Untangle indicates your mail server had the conversation. If you can't find the relevant portion of SMTP log, either you're missing it or the logging isn't complete.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #16
    Newbie
    Join Date
    Feb 2008
    Posts
    5

    I think this issue might be related to a recent change. The problem described by this user's post is similar: http://community.spiceworks.com/topi...-exchange-2010

    We have also started seeing the exact same symptoms in our production environment about a week ago. We removed the intrusion blocker and the one email account was fixed, but now we have about a dozen more reports from other @yahoo.com customers. Seems to be specific to yahoo accounts. Tarpitting is not enabled on our untangle box.

    Quite aggravating, so if anyone has advice it would certainly be appreciated. Thanks!

  7. #17
    Master Untangler
    Join Date
    Aug 2008
    Posts
    639

    Interesting... I too have encountered the "disappearing message" issue. Looks like it may be due to rule 11837. Can anyone else confirm? I briefly read the MS writeup here. Is this still a valid threat 7 years later?

  8. #18
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,761

    By default IPS is off which is the recommended state unless you have a specific reason to use it.

  9. #19
    Master Untangler
    Join Date
    Aug 2008
    Posts
    639

    Quote: Originally posted by jcoffin
    By default IPS is off which is the recommended state unless you have a specific reason to use it.
    Is this documented somewhere? I checked the Wiki and didn't see anything obvious (although I did find that the Snort rules link is bad). How does the average person know that they shouldn't be running IPS?

  10. #20
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,546

    Because it installs and is off by default.

    If you're an "average user" operating a network UTM, and you don't know what an IPS is and what an IPS does, you're getting into a realm where you're beyond help. IPS always requires constant attention and tuning, doesn't matter what product it's on.
