Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 24 replies
  • Subscribers 0 subscribers
  • Views 5963 views
  • Users 0 members are here
Options
Suggested

[8.162][NOTABUG][CLOSED] Unable to release emails

wingman
Hi All

I am unable to release/whitelist emails from quarantine via the email. I am able to release/whitelist them via the mail Manager 

I am getting the following error on my chrome

http://**********:3840/release.plc?proto=pop3&id=1573&whitelist=1&secure=f377cfd3c5b29ad89e16330765a3b229

I've found out that this is logged as spoofed packet on my packet filter

2011:04:13-18:15:35 **** ulogd[5177]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.**.***" dstip="86.***.***.30" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49508" dstport="3840" tcpflags="SYN" 



My spoof protection is set to strict. Is that normal behaviour? Setting the protection back to "normal" resolved the issue

Thanks
Parents
  • 0
    I am logged in to my ASG using the dyndns name and everything workd fine. As soon as I enable spoof protection to strick I am unable to browse to my ASG via dyndns name and therefore have to go via internal address and I am unable to release emails. I have attached the relevant pf log which shows both cases. Port 3840 is for astaro release email

    2011:06:15-19:37:44 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="40" tos="0x00" prec="0x00" ttl="128" srcport="49828" dstport="4444" tcpflags="RST" 
    2011:06:15-19:37:44 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49845" dstport="4444" tcpflags="SYN" 
    2011:06:15-19:37:55 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49857" dstport="4444" tcpflags="SYN" 
    2011:06:15-19:37:57 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49861" dstport="4444" tcpflags="SYN" 
    2011:06:15-19:37:58 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49857" dstport="4444" tcpflags="SYN" 
    2011:06:15-19:38:00 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49861" dstport="4444" tcpflags="SYN" 
    2011:06:15-19:38:04 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49857" dstport="4444" tcpflags="SYN" 
    2011:06:15-19:38:06 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49861" dstport="4444" tcpflags="SYN" 
    2011:06:15-19:38:15 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="40" tos="0x00" prec="0x00" ttl="128" srcport="49828" dstport="4444" tcpflags="RST" 
    2011:06:15-19:38:49 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49892" dstport="3840" tcpflags="SYN" 
    2011:06:15-19:38:52 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="49892" dstport="3840" tcpflags="SYN" 
    2011:06:15-19:38:58 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="49892" dstport="3840" tcpflags="SYN" 
  • 0 in reply to wingman
    I am logged in to my ASG using the dyndns name and everything workd fine. As soon as I enable spoof protection to strick I am unable to browse to my ASG via dyndns name and therefore have to go via internal address and I am unable to release emails. I have attached the relevant pf log which shows both cases. Port 3840 is for astaro release email 
    2011:06:15-19:37:44 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="40" tos="0x00" prec="0x00" ttl="128" srcport="49828" dstport="4444" tcpflags="RST" tcpflags="SYN" 


    Works as intended.  From documentation:

    The firewall will also drop and log all packets which have a destination IP for an interface but arriving on an interface other than assigned

    And this is exactly what is happening here:
    A packet with the destination address of the external interface
    arrives on an interface other than the external one.

    Do not use strict mode if you want to access the asg using its public address from the internal network.
Reply
  • 0 in reply to wingman
    I am logged in to my ASG using the dyndns name and everything workd fine. As soon as I enable spoof protection to strick I am unable to browse to my ASG via dyndns name and therefore have to go via internal address and I am unable to release emails. I have attached the relevant pf log which shows both cases. Port 3840 is for astaro release email 
    2011:06:15-19:37:44 *****  ulogd[5222]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth1.10" srcmac="0:1f:c6:e2:c5:1d" dstmac="0:b0:c2:2:e4:4f" srcip="192.168.2.3" dstip="86.184.203.133" proto="6" length="40" tos="0x00" prec="0x00" ttl="128" srcport="49828" dstport="4444" tcpflags="RST" tcpflags="SYN" 


    Works as intended.  From documentation:

    The firewall will also drop and log all packets which have a destination IP for an interface but arriving on an interface other than assigned

    And this is exactly what is happening here:
    A packet with the destination address of the external interface
    arrives on an interface other than the external one.

    Do not use strict mode if you want to access the asg using its public address from the internal network.
Children
No Data
Unfiltered HTML