This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS event Same source/destination using POP3 Proxy

When using the POP3 proxy I'm getting alerts on the rule for "BAD-TRAFFIC same SRC/DST" SID=527.
This is my config for POP3 Proxy DNAT rules etc.

I host my mail server in a DMZ off of ASL and ASL is behind a router.
The router forwards ports (110 is among them) to the external interface of my ASL machine.
I have a DNAT rule:
SRC=Any, DST=external_IP SVC=POP3
Change SRC=No CHange
Change DST=Mailserver
Change SVC=No CHange
POP3 Proxy has one proxied network defined "SRC = Any, DST=External IP"

If I set it to proxy "SRC=Any, DST=Mailserver" it fails.

The proxy works fine but alerts on SID=527. Is my config messed up?

This thread was automatically locked due to age.

0 BarryG over 20 years ago

Hi Jim, I'm confused; why are you doing both NAT and proxy for POP3?
I'd think one or the other would work.

Nonetheless, that rule seems to trigger a lot for some people, myself included. I shut it off.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 JimmyM over 20 years ago in reply to BarryG

I'm doing NAT in ASL because when the incoming port 110 traffic arrives at the external interface, it doesn't know where the mail server is unless I tell it using a DNAT rule.
The POP3 proxy must be intercepting the 110 traffic before ASL DNATs the incoming traffic.

I'm also going to post a POP3 Proxy configuration question in the POP3 proxy forum.
Cancel
Vote Up 0 Vote Down

Cancel
0 DanielC over 20 years ago in reply to JimmyM

Hi,
I have the same problem here.
The strange thing is...I have 3 mailservers all serving POP (using external additional IP's) but only on one of them (a sendmail mailserver) do I get the problem...not on the other two (qmail)
So, maybe....there is a difference but I sure do not see why it is even relevant.

Daniel
Cancel
Vote Up 0 Vote Down

Cancel