"Protocol Violation" and "Last Command: XXXX . . ." are entries found in a Detail Report for Symantec SMTP product

Article:TECH82107  |  Created: 2004-01-29  |  Updated: 2007-01-02  |  Article URL http://www.symantec.com/docs/TECH82107
Article Type
Technical Solution

Issue



You installed a Symantec antivirus gateway product. The Detail Report contains the following two error messages:
"Protocol Violation"
"Last Command: XXXX hostname.domain.tld"


Symptoms
"Protocol Violation" and "Last Command: XXXX . . ." are entries found in a Detail Report for Symantec SMTP product You installed a Symantec antivirus gateway product. The Detail Report contains the following two error messages: "Protocol Violation" ?Last Command: XXXX hostname.domain.tld"



Cause



Cisco PIX Firewall running Mailguard.

Solution



These log entries result from a firewall that rewrites a client command before it reaches the gateway. One example is the Cisco PIX Firewall, which does this through a feature named Mailguard. In PIX versions before 4.2, Mailguard was configured with the "mailhost" command; in version 4.2 and later, the command is "fixup protocol smtp 25".

When Mailguard is configured to mask any SMTP command, the Detail Report contains a log entry for each affected connection. Consult your firewall documentation for steps on how to disable this function.
For additional information go to Cisco Support Web site:
http://www.cisco.com/univercd/home/home.htm

To locate the error entries in a Detail Report for the Symantec SMTP product
In the Detail Report, use the search option. Search for XXXX (four Xs) to locate the error entry. An example of an error entry in a Detail Report follows.

13-Feb-2004 13:00:00  Action: Protocol Violation  Client: 101.101.101.101  Connection ID: 102  
Info:
Unknown command.  Last Command: XXXX hostname.domain.tld  

Example of a transaction:

Normal Transaction:
220 savsmtp.yourdomain.com SMTP; Mon, 29 Mar 2004 09:29:34 -0800
helo senderserver.domain.com
250 savsmtp.yourdomain.com Hello

Abnormal Transaction:
220 savsmtp.yourdomain.com SMTP; Mon, 29 Mar 2004 09:29:34 -0800
XXXX sendingserver.domain.com
500 Syntax error, command unrecognized.

The latter transaction results in the protocol violation entry in the Detail Report.

Possible problems
If the sending server does not recognize the error response from the Symantec SMTP product, the SMTP transaction does not complete. The sending server may continue to wait for a 200-series response to its last command. The result can be a disconnection from the sending server after five minutes, after which the sending server attempts to resend the message.

In the Symantec SMTP product Detail Report, an entry is written for each disconnect, so a single client can generate an entry every five minutes. If a server has a large number of connections to your email gateway, these violations can cause a performance problem. If performance degrades, disable the Mailguard function.
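The following is an added example, not part of the Symantec article: it parses Detail Report entries in the layout shown above, keeps only the Protocol Violation entries whose last command was the masked XXXX, and counts how many of a client's entries arrive about five minutes apart, which is the disconnect/resend loop described in the previous paragraphs. The report excerpt, the client addresses and the five-minute/30-second thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Detail Report excerpt in the layout shown above (not a real report)
SAMPLE_REPORT = """\
13-Feb-2004 13:00:00  Action: Protocol Violation  Client: 101.101.101.101  Connection ID: 102
Info:
Unknown command.  Last Command: XXXX hostname.domain.tld
13-Feb-2004 13:05:01  Action: Protocol Violation  Client: 101.101.101.101  Connection ID: 117
Info:
Unknown command.  Last Command: XXXX hostname.domain.tld
13-Feb-2004 13:10:02  Action: Protocol Violation  Client: 101.101.101.101  Connection ID: 131
Info:
Unknown command.  Last Command: XXXX hostname.domain.tld
13-Feb-2004 13:12:40  Action: Protocol Violation  Client: 10.0.0.7  Connection ID: 140
Info:
Unknown command.  Last Command: HELO
"""
HEADER = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\s+Action: (.+?)\s+"
                    r"Client: (\S+)\s+Connection ID: (\d+)")
LAST_CMD = re.compile(r"Last Command: (\S+)")

def parse_entries(text):
    """Parse a Detail Report into dicts: time, action, client, conn_id, last_command."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a header line starts a new entry; the Info lines that follow belong to it
            current = {"time": datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S"),
                       "action": m.group(2), "client": m.group(3),
                       "conn_id": int(m.group(4)), "last_command": None}
            entries.append(current)
            continue
        m = LAST_CMD.search(line)
        if m and current is not None:
            current["last_command"] = m.group(1)
    return entries

def masked_command_clients(entries, interval=timedelta(minutes=5), slack=timedelta(seconds=30)):
    """Per client: violations with the XXXX-masked command, and how many consecutive
    entries are spaced about one interval apart (the sender's disconnect/resend loop)."""
    by_client = defaultdict(list)
    for e in entries:
        if e["action"] == "Protocol Violation" and e["last_command"] == "XXXX":
            by_client[e["client"]].append(e["time"])
    result = {}
    for client, times in by_client.items():
        times.sort()
        retries = sum(1 for a, b in zip(times, times[1:]) if abs((b - a) - interval) <= slack)
        result[client] = {"violations": len(times), "five_minute_retries": retries}
    return result
```

A client that appears with a high five_minute_retries count is the one whose upstream firewall is most likely masking commands; the HELO entry from the second client is a different problem and is not flagged.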




References
For additional information go to Cisco Support Web site:

http://www.cisco.com/univercd/home/home.htm



Legacy ID



2004032909152854
