Data Loss Prevention

  • 1.  DLP Email Prevent Close connection with forward host

    Posted Feb 05, 2017 05:06 AM

    Hi,

    I'm implementing an Email Prevent server in reflected mode (postfix --> MTA --> email prevent --> MTA), but I have some trouble: the Email Prevent server closes the connection just after the connection is established with it (also when I test a direct connection to the email server from postfix using telnet). Here is the log:

    05/févr./17:10:42:13:875+0100 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=27 cid=f9fb7e3e-22bf-4c23-85c1-529d3a677f76 local=xx.xx.xx.xx:10025 remote=yy.yy.yy.yy:46986)
    05/févr./17:10:42:13:879+0100 [SEVERE] (SMTP_CONNECTION.5210) All forward hosts unavailable (tid=27 cid=<> reason=Connexion refusée)
    05/févr./17:10:42:13:880+0100 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=27 cid=f9fb7e3e-22bf-4c23-85c1-529d3a677f76 local=xx.xx.xx.xx:10025 remote=yy.yy.yy.yy:46986 messages=0 time=0,01s)
    05/févr./17:10:46:52:258+0100 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=2b cid=937a7c8e-16ab-454c-a3cc-3db7a596cced local=xx.xx.xx.xx:10025 remote=yy.yy.yy.yy:45730)
    05/févr./17:10:46:52:261+0100 [SEVERE] (SMTP_CONNECTION.5210) All forward hosts unavailable (tid=2b cid=<> reason=Connexion refusée)
    05/févr./17:10:46:52:262+0100 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=2b cid=937a7c8e-16ab-454c-a3cc-3db7a596cced local=xx.xx.xx.xx:10025 remote=yy.yy.yy.yy:45730 messages=0 time=0s)

    The iptables on the Email Prevent server:

    Table : nat
    Chain PREROUTING (policy ACCEPT)
    num  target     prot opt source               destination
    1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 redir ports 10025
    2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 redir ports 8443

    Chain POSTROUTING (policy ACCEPT)
    num  target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    REDIRECT   tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:443 redir ports 8443

    Table : filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    Vontu-INPUT  tcp  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

    Chain Vontu-INPUT (1 references)
    num  target     prot opt source               destination
    1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443

     



  • 2.  RE: DLP Email Prevent Close connection with forward host

    Posted Feb 07, 2017 02:52 PM

    The Email Prevent server is unable to establish a connection to the next hop (back to the MTA), so it's closing the connection. The iptables output looks fine.

    • On Email Prevent, telnet to port 10026 on the MTA to see if it's open. If it's not open:
      • Make sure the hostname is correct; try the IP.
      • By default, Email Prevent will reflect back to the MTA on port 10026; ensure there is a listener configured on the MTA to accept this reflection. (You can change this via Server Settings > RequestProcessor.MTAResubmitPort.)
      • Make sure 10026 is also allowed through any network-based firewall.
      • Make sure the MTA has Email Prevent as an allowed relay host, if applicable (typically used to restrict what can relay through your MTA internally).

    Hope this helps.

     



  • 3.  RE: DLP Email Prevent Close connection with forward host

    Posted Feb 08, 2017 07:08 AM

    What do you see when you telnet to it now?

    If you're just connecting via telnet and not sending a message or you're exiting the telnet session, then it's going to close.



  • 4.  RE: DLP Email Prevent Close connection with forward host

    Posted Feb 08, 2017 07:49 AM

    Thanks for replying.

    First, the Email Prevent is configured to send messages on port 25, not 10026 (because the MTA listens only on 25).

    After checking, I found that the firewall was blocking the connection to the MTA on port 25, so I allowed this connection. The error is now gone, but the Email Prevent still closes the connection:

    SmtpPrevent_operational0.log:

    /17:10:11:10:005+0100 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=28 cid=6c4b7acd-e59f-4a55-9ad7-85fa52aef2b4 local=xx.xx.xx.xx:10025 remote=yy.yy.yy.yy:49349)
    08/févr./17:10:11:10:015+0100 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=28 cid=42dfc2ea-4ce4-4907-969c-e70f5e5fdf6e local=xx.xx.xx.xx:60482 remote=yy.yy.yy.yy:25)
    08/févr./17:10:11:10:056+0100 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=2e cid=c96ac628-9a0f-4602-a9bf-bfa88037d214 local=xx.xx.xx.xx:10025 remote=yy.yy.yy.yy:49350)
    08/févr./17:10:11:10:062+0100 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=2e cid=7f5a61fe-99af-4130-96f6-04483020ddef local=xx.xx.xx.xx:60484 remote=yy.yy.yy.yy:25)
    08/févr./17:10:11:10:537+0100 [INFO] (SMTP_CONNECTION.1204) Forward connection closed (tid=28 cid=42dfc2ea-4ce4-4907-969c-e70f5e5fdf6e local=xx.xx.xx.xx:60482 remote=yy.yy.yy.yy:25)
    08/févr./17:10:11:10:539+0100 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=28 cid=6c4b7acd-e59f-4a55-9ad7-85fa52aef2b4 local=xx.xx.xx.xx:10025 remote=yy.yy.yy.yy:49349 messages=0 time=0,53s)
    08/févr./17:10:11:10:587+0100 [INFO] (SMTP_CONNECTION.1204) Forward connection closed (tid=2e cid=7f5a61fe-99af-4130-96f6-04483020ddef local=xx.xx.xx.xx:60484 remote=yy.yy.yy.yy:25)
    08/févr./17:10:11:10:589+0100 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=2e cid=c96ac628-9a0f-4602-a9bf-bfa88037d214 local=xx.xx.xx.xx:10025 remote=yy.yy.yy.yy:49350 messages=0 time=0,53s)

     



  • 5.  RE: DLP Email Prevent Close connection with forward host

    Posted Feb 08, 2017 08:01 AM

    Telnet to which server? The Email Prevent?

    From postfix to Email Prevent:

    [root@DSSI ~]# telnet emailprevent 25
    Trying emailprevent...
    Connected to emailprevent.
    Escape character is '^]'.
    220 ******************************************

    log : 


    08/févr./17:13:59:31:474+0100 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=26 cid=b0747e1e-9967-4f58-95fc-4ce529b74b81 local=10.6.97.216:10025 remote=10.5.103.131:47075)
    08/févr./17:13:59:31:501+0100 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=26 cid=f1210da0-bb7f-488e-93e3-0e083135abd6 local=10.6.97.216:45330 remote=10.5.101.17:25)

     

    The Email Prevent does not close the connection.
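
Added example (not from the thread or from the product's documentation): a Python triage of the SMTP_CONNECTION events shown in the logs above, grouped by tid to separate the three situations posted so far: forward host refused, forward connected with messages=0, and a session that is still open. The sample lines, addresses, cids and verdict labels are constructed for this example.

```python
import re

# Constructed sample in the format of the log lines quoted in the thread.
SAMPLE = """\
05/févr./17:10:42:13:875+0100 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=27 cid=aaaa local=192.0.2.10:10025 remote=192.0.2.20:46986)
05/févr./17:10:42:13:879+0100 [SEVERE] (SMTP_CONNECTION.5210) All forward hosts unavailable (tid=27 cid=<> reason=Connexion refusée)
05/févr./17:10:42:13:880+0100 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=27 cid=aaaa local=192.0.2.10:10025 remote=192.0.2.20:46986 messages=0 time=0,01s)
08/févr./17:10:11:10:005+0100 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=28 cid=bbbb local=192.0.2.10:10025 remote=192.0.2.20:49349)
08/févr./17:10:11:10:015+0100 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=28 cid=cccc local=192.0.2.10:60482 remote=192.0.2.20:25)
08/févr./17:10:11:10:537+0100 [INFO] (SMTP_CONNECTION.1204) Forward connection closed (tid=28 cid=cccc local=192.0.2.10:60482 remote=192.0.2.20:25)
08/févr./17:10:11:10:539+0100 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=28 cid=bbbb local=192.0.2.10:10025 remote=192.0.2.20:49349 messages=0 time=0,53s)
08/févr./17:13:59:31:474+0100 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=26 cid=dddd local=192.0.2.10:10025 remote=192.0.2.30:47075)
08/févr./17:13:59:31:501+0100 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=26 cid=eeee local=192.0.2.10:45330 remote=192.0.2.20:25)
"""

LINE = re.compile(r"\(SMTP_CONNECTION\.(\d+)\) .*\((.*)\)\s*$")
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces (reason=...)

def triage(log_text):
    """Group events by tid and return one finding per service connection."""
    sessions, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        code, f = m.group(1), dict(FIELD.findall(m.group(2)))
        tid = f.get("tid")
        if code == "1201":    # Connection accepted: new session on this thread id
            sessions[tid] = {"tid": tid, "forward": None, "reason": None, "messages": 0}
        elif tid not in sessions:
            continue
        elif code == "1203":  # Forward connection established
            sessions[tid]["forward"] = f.get("remote")
        elif code == "5210":  # All forward hosts unavailable
            sessions[tid]["reason"] = f.get("reason")
        elif code == "1205":  # Service connection closed: the session is complete
            s = sessions.pop(tid)
            s["messages"] = int(f.get("messages", "0"))
            s["verdict"] = ("next hop unreachable" if s["reason"]
                            else "forward connected, nothing relayed" if s["messages"] == 0
                            else "relayed")
            findings.append(s)
    for s in sessions.values():  # accepted, but no close event seen yet
        s["verdict"] = "still open"
        findings.append(s)
    return findings
```

A "next hop unreachable" verdict points at the listener and firewall checks from the first reply; "forward connected, nothing relayed" means the TCP path works and the SMTP dialogue with the MTA is the next thing to inspect.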

     

     

     



  • 6.  RE: DLP Email Prevent Close connection with forward host
    Best Answer

    Posted Feb 09, 2017 02:25 AM

    I resolved the problem; the cause was a misconfiguration on the MTA, thanks all :) (the MTA was blocking the Email Prevent from replying to it)



  • 7.  RE: DLP Email Prevent Close connection with forward host

    Posted Feb 09, 2017 03:30 AM

    Mark the post as resolved please. I mentioned that in the first reply :)