[svlug] Gateway/Linux box intercepting email?

Skip Evans skip at venomouspenguin.com
Tue Dec 6 15:17:47 PST 2005

Previous message: [svlug] Gateway/Linux box intercepting email?
Next message: [svlug] Gateway/Linux box intercepting email?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Andrew,

Okay, I think I learned how to do a tcpdump on port 25. 
I had it going and asked the client to attempt send me 
an email. This is what came out, but I'm not sure what 
it means:

[root at linux1 root]# tcpdump tcp dst port 25
tcpdump: listening on eth0
16:14:12.993800 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: S 22234858:22234858(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)
16:14:12.993929 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: . ack 1348567544 win 8760 (DF)
16:14:12.999028 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: P 0:12(12) ack 39 win 8722 (DF)
16:14:13.147499 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: . ack 61 win 8700 (DF)
16:14:13.148531 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: P 12:41(29) ack 91 win 8670 (DF)
16:14:13.149635 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: P 41:78(37) ack 113 win 8648 (DF)
16:14:13.150028 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: P 78:84(6) ack 138 win 8623 (DF)
16:14:13.151546 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: P 84:1291(1207) ack 175 win 8586 (DF)
16:14:13.187218 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: P 1291:1296(5) ack 175 win 8586 (DF)
16:14:13.198935 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: P 1296:1302(6) ack 181 win 8580 (DF)
16:14:13.199220 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: . ack 197 win 8565 (DF)
16:14:13.199404 pc-00035.butte.com.1906 > 
mail.MT.net.smtp: F 1302:1302(0) ack 197 win 8565 (DF)

mail.mt.net is the mail server, and it looks to me as 
if it is responding, but how do I know if it is correct?

Skip

Andrew Chant wrote:
> Hi Skip,
> it looks like the order of the rules in the firewall is messed up.
> Is there anyway you could get the user to flush all the firewall rules 
> and re-run the scripts ( I hope this is set up with scripts) used to set 
> them all up?
> 
> It looks to me like, indeed, there is DNAT going on to an SMTP server 
> running on linux1.butte.com
> linux1.butte.com looks like it *should* be forwarding all smtp mail to 
> buttepro.static.mt.net
> 
> maybe that's where the problem is occuring? perhaps run a tcpdump 
> scanning for port 25 traffic outbound from linux1.butte.com to 
> buttepro.static.mt.net
> send an email, and see if it leaves.  If thats the case, its not your 
> client's setup thats a problem, its buttepro.static.mt.net
> 
> otherwise you've got some SMTP config to look at :D
> 
> -Andrew ( should probably have asked you to obfuscate the IPs/Names a 
> little) Chant
> 
> 
>>
>> Chain SMTPProxy (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             localhost
>> ACCEPT     all  --  anywhere             linux1.butte.com
>> ACCEPT     all  --  anywhere buttepro.static.mt.net
>> DNAT       tcp  --  anywhere             anywhere      to:192.168.6.50:25
> 
> 
> 
>

Previous message: [svlug] Gateway/Linux box intercepting email?
Next message: [svlug] Gateway/Linux box intercepting email?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the svlug mailing list