Firebox denying access to our internet provider email

edited June 25 in Firebox - Other

Hi, I have a Firebox M290 running the latest software version 12.10.3 b

For some reason we have started having problems sending out emails through our internet provider, and we are getting the following message, which I think is generated by the firewall.
We are unable to telnet into the provider email server as it is being blocked (access through Outlook). We had not made any changes to the firewall or software for weeks and this just started to happen 2 days ago.

It says it is from the system administrator

Your message did not reach some or all of the intended recipients.

  Subject:  test
  Sent: 2024-06-25 10:13 AM

The following recipient(s) cannot be reached:

  '--removed--' on 2024-06-25 10:13 AM
        Server error: '450 4.7.1 Error: too many recipients from --removed--'

Below is the string that we see in the traffic log which shows it is being blocked.

2024-06-25 10:12:31 Deny --removed-- --removed-- echo-request/icmp Bell Fibe Firebox Denied 84 55 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" duration="0" sent_bytes="84" rcvd_bytes="0" type="8"

This just started happening a couple of days ago and the provider says that it is our system blocking access. Any ideas on whether I need to adjust something or make a new policy to allow this and stop the deny would be greatly appreciated.

Gary Scott

Comments

  • edited June 25

    additional info

    2024-06-25 10:38:32 Deny --removed-- --removed--.26 pop3/tcp 52866 110 Trusted Bell Fibe ProxyDeny: POP3 timeout (POP3-proxy-00) proc_id="pop3-proxy" rc="595" msg_id="21FF-0009" proxy_act="POP3-Client.1"

  • edited June 25

    "too many recipients" - this is from the receiving server.
    Contact your mail server company to find out what the limit is, and inform your users of this limit.

    This is a ping from --removed--, which is not allowed by your firewall policies

    POP3 timeout - just says that the timeout value for this session has been reached. Could be caused by the server no longer responding.

    More info is needed to really understand this.
    Are any email sends working?

    Consider opening a support case to get WG help in understanding and resolving this.

  • james.carson Moderator, WatchGuard Representative

    Hi @GARYMN

    If you're running beta software, please post to the beta site at watchguard.centercode.com.

    The error you're seeing is likely from the mail server that you're sending to, not the firewall.
    If you'd like to verify this, please open a support case.

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative

    @GARYMN Additionally, in the future, please ensure that you are sanitizing your logs. I've removed both your email address and your IP address from your post.

    -James Carson
    WatchGuard Customer Support

  • Ok thanks, I will make sure to do that, and it is not beta that I know of. It says latest version that was available for download.

  • Hi, I have been having this issue with our internet provider for a few days. They are saying that spam is coming from our network and then block us. I took the supposed offending computer offline and emails were sending for a few hours; now it has the same issue. The internet provider is claiming I need to monitor my SMTP requests to find offending computers that are sending too many emails?

    Port 587 does not display in the WatchGuard Web UI destination port or traffic monitor. I read that it is nested with port 443. I have no internal email server or SMTP firewall policy. Is there a way that I am able to monitor port 587 in the Web UI or see the requests from the computer? I do not have a log server or Dimension running. Thanks for any help. WatchGuard M290 Version 12.10.3

  • edited June 26

    You can add a Custom Packet filter for TCP port 587.
    Add that as a policy to your config - From: Any-trusted, Any-optional To: Any-external (or your external email server's IP addr).
    Then turn on Logging on this policy to see the sending IP addrs in Traffic Monitor.

    Create or Edit a Custom Policy Template
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policy_create_custom_c.html

    You can set up a Syslog server for logging. There are a number of free ones available. Do an Internet search.
    Define Where the Firebox Sends Log Messages
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/set_up_logging_on_device_wsm.html

    And if you have a current Basic or Total Security license, you can add your firewall to WG cloud, which includes logging. 1 day for Basic, 30 days for Total.

    Add a Locally-Managed Firebox to WatchGuard Cloud
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/device_add_locally_managed.html

  • james.carson Moderator, WatchGuard Representative

    Hi @GARYMN

    If you're doing mail transport over port 443, the firebox won't be able to log anything specific for mail as it can't really differentiate that traffic from HTTPS (because it's probably HTTPS.) Enabling content inspection could potentially help, but if the mail traffic isn't actually HTTPS, the proxy will end up dropping it. Since the HTTPS proxy isn't designed for mail, it isn't going to do anything specific for mail (like show sender/recipient addresses, etc.)

    If you're sending mail over normal SMTP, the SMTP proxy can log additional information about the mail provided logging is turned on for the SMTP proxy.

    If you're using a cloud email provider, IMAP may be an option. There are similar logging options for the IMAP proxy.

    -James Carson
    WatchGuard Customer Support

  • To see more traffic monitor logs than are shown in the Web UI, you can install the Windows-based WatchGuard System Manager, which includes Firebox System Manager, which has a Traffic Monitor tab, among other features.
    You can increase the max logs shown in FSM from the default up to 25,000.
    FSM needs to be running to continually get lots of logs from the firewall.
    Otherwise once FSM starts, it can only get what is currently in the firewall memory.

    Device Log Messages (Traffic Monitor)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_msgs_traffic_mon_wsm.html

  • I have WatchGuard System Manager installed. I just talked with the internet provider again and they have suggested looking for heavy outgoing traffic from a specific IP. We have a VPN running as well, so not sure how to tell which system on the network might be spamming. Any suggestions would be greatly appreciated. Will start running the manager as suggested...

  • james.carson Moderator, WatchGuard Representative

    The firewatch tool in the WebUI shows realtime connections (the larger the box, the more data is being sent.)

    (FireWatch)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/firewatch_web.html

    There's an older tool in Firebox System Manager called HostWatch that does something similar.

    (About hostwatch)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/hostwatch_about_wsm.html

    Either can help you locate high bandwidth machines on the network.

    -James Carson
    WatchGuard Customer Support

  • Look at
    . FSM -> Host Watch - you can sort on various columns, including Rate, which shows the current transfer rate
    . FSM -> Service Watch show the current use of your policies
    . Web UI -> Dashboard -> Firewatch - shows the highest use source IP addr by rate or bytes, plus other options ...

    Note that if much of your outgoing traffic is using the Outgoing policy, then you can't know what traffic is using it without turning on Logging on that policy.

  • Not sure how to spot which IP might be causing this spamming, as the users on VPN are opening and saving large files and other users might have open internet sessions and be downloading... Any ideas what to look for? I am currently in HostWatch. I am used to the Web UI, but we have very active connections; not sure how to spot which might be spamming.

  • edited June 26

    Create the TCP port 587 policy with Logging enabled.
    In FSM Traffic Monitor, in the Search box, enter 578 preceded and followed by a space.
    You will end up with a list over time of all of the source IP addrs which are sending out mail via that port.
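As an added illustration of the approach in the two answers above (the TCP 587 policy with logging, then searching Traffic Monitor for the port), the following Python script parses traffic log lines in the shape of the entries quoted earlier in the thread and tallies, per internal source address, the connections to the mail submission ports. This is example code added here, not code from the thread or from WatchGuard. The log lines are constructed samples: the addresses are documentation ranges, and the field order after the ports (interfaces, policy name such as SMTP-587-00) is assumed from the quoted lines rather than taken from any Firebox documentation.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Firebox traffic-monitor entries
# quoted in the thread: timestamp, action, src, dst, service/proto, then
# (for TCP/UDP) source port and destination port, then interfaces, the
# policy name in parentheses and key="value" pairs. Addresses are RFC 5737
# documentation ranges; the policy name SMTP-587-00 is an assumption.
SAMPLE_LOG = """\
2024-06-26 09:00:01 Allow 10.0.1.15 203.0.113.25 smtp-submission/tcp 51201 587 Trusted Bell Fibe Allowed 60 63 (SMTP-587-00) proc_id="firewall" rc="100" msg_id="3000-0148"
2024-06-26 09:00:02 Allow 10.0.1.15 203.0.113.25 smtp-submission/tcp 51202 587 Trusted Bell Fibe Allowed 60 63 (SMTP-587-00) proc_id="firewall" rc="100" msg_id="3000-0148"
2024-06-26 09:00:03 Allow 10.0.1.15 203.0.113.26 smtp-submission/tcp 51203 587 Trusted Bell Fibe Allowed 60 63 (SMTP-587-00) proc_id="firewall" rc="100" msg_id="3000-0148"
2024-06-26 09:00:04 Allow 10.0.1.15 203.0.113.25 smtp-submission/tcp 51204 587 Trusted Bell Fibe Allowed 60 63 (SMTP-587-00) proc_id="firewall" rc="100" msg_id="3000-0148"
2024-06-26 09:00:05 Allow 10.0.1.42 203.0.113.25 smtp-submission/tcp 49800 587 Trusted Bell Fibe Allowed 60 63 (SMTP-587-00) proc_id="firewall" rc="100" msg_id="3000-0148"
2024-06-26 09:00:06 Allow 10.0.1.42 198.51.100.7 https/tcp 49801 443 Trusted Bell Fibe Allowed 60 63 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148"
2024-06-26 09:00:07 Deny 203.0.113.9 198.51.100.1 echo-request/icmp Bell Fibe Firebox Denied 84 55 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" type="8"
"""

# Leading fixed fields; the port pair is optional because ICMP lines have none.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<service>[^/ ]+)/(?P<proto>\w+)"
    r"(?: (?P<sport>\d+) (?P<dport>\d+))?"
)
# Trailing key="value" pairs (proc_id, rc, msg_id, ...).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of fields for one traffic log line, or None if it
    does not look like a traffic entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec.update(KV_RE.findall(line))
    return rec


def mail_senders(lines, ports=(25, 587)):
    """Per source IP: number of TCP connections to the given mail ports
    (allowed or denied), the distinct destination servers, and the first
    and last timestamps seen. Non-mail and non-TCP lines are ignored."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set(),
                                 "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["proto"] != "tcp" or rec["dport"] not in ports:
            continue
        s = stats[rec["src"]]
        s["connections"] += 1
        s["destinations"].add(rec["dst"])
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    return dict(stats)


def rank_senders(stats):
    """Sort sources by connection count, busiest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["connections"],
                  reverse=True)


if __name__ == "__main__":
    for src, s in rank_senders(mail_senders(SAMPLE_LOG.splitlines())):
        print(f"{src:<15} {s['connections']:>4} connections to "
              f"{len(s['destinations'])} server(s) between {s['first']} "
              f"and {s['last']}")
```

To use it on real data, feed the script lines saved from Traffic Monitor or collected by a syslog server in place of SAMPLE_LOG; a host that stands out by connection count, or that talks to many distinct mail servers, is the one to examine first. The script counts denied attempts as well as allowed ones, so it still points at the noisy host after the policy has been tightened.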

  • Thanks... Trying to add the policy but need assistance. In the Web UI I have selected
    Firewall Policies, Add Firewall Policy, select packet filter TCP, but I am not able to enter 587 in the port field; it is locked. Do I have to add the policy, then edit it and add logging?

  • Select Custom

  • Thanks
