Showing results for 
Search instead for 
Did you mean: 

SMTP issue

Level 1
Level 1

Info: New SMTP ICID 3607 interface smtp (x.x.x.x) address y.y.y.y reverse dns host verified no
Info: ICID 3607 ACCEPT SG None match ALL SBRS None
Info: ICID 3607 lost
Info: ICID 3607 close

We try to use a mail server to do SMTP-AUTH, looks like the connection is dropped before it

Any ideas why it happens

Tanks a lot


1 Reply 1


You mention your attempting SMTP-AUTH. We see , "connection lost, closed" in the mail logs, which does not really tell us a lot.  I would recommend setting up a debug log so that you can see the full smtp conversation.  Injection debug logs will show you much more verbose data about the incoming connection attempt. Below is some additional information on setting this up.

Each line within an Injection Debug Logs outlines data sent and received during the SMTP conversation.

To enable the Injection Debug Logs in the GUI
1.  System Administration > Log Subscriptions
2.  Select "Add log subscription..."
3.  In the log type, select "Injection Debug Logs" and fill out the rest of the fields.


  • CIDR addresses such as are allowed
  • IP address ranges such as are allowed, as are IP subnets such as 10.2.3
  • Hostnames  and wildcards, hostnames such as are allowed (but not and wildcards should be expressed as (without  an asterisk). When tracing incoming email the host name should match the  sender host, when tracing outgoing email the host name should match the  internal host name(s).

4.  The number of SMTP sessions should be between 1-25.

To enable the Injection Debug Logs in the CLI
1. Enter the command logconfig > new.
2. Select "Injection Debug Logs."
3. Enter a name for this log (i.e. debugging_example)
4.  Enter the hostname, IP address or block of IP addresses for which you  want to record injection debug information. (i.e.
5. You will be asked for the number of SMTP sessions you want to record for this domain.   A value between 1-25 is fine.
6. Enter the method to retrieve the logs. FTP Poll is fine.
7. Enter the filename. The default is fine.
8. Select the remaining defaults.

Below is an example of what an Injection Debug Logs looks like when the ESA accepts mail from a server.
The  "Injection Debug Log" and"Domain Debug Log" are similar to the  mail_logs. You can use the "grep" and "tail" commands on them.

Sent to '': '220 ironportappliance ESMTP\r\n'
Rcvd from '': 'EHLO\r\n'
Sent to '': '\r\n250-8BITMIME\r\n250 SIZE 104857600\r\n'
Rcvd from '': 'MAIL FROM:<>\r\n'
Sent to '': '250 sender <> ok\r\n'
Rcvd from '': 'RCPT TO:<>\r\n'
Sent to '': '250 recipient <>ok\r\n'
Rcvd from '': 'DATA\r\n'
Sent to '': '354 go ahead\r\n'
Rcvd  from '': 'To: ""  <>\r\nSubject: 12:14pm - test\r\nFrom: Hotel_Users  <>\r\nContent-Type: text/plain; format=flowed;  delsp=yes; charset=iso-8859-15\r\nMIME-Version:  1.0\r\nContent-Transfer-Encoding: 7bit\r\nDate: Tue, 09 Jan 2007  12:14:35 -0800\r\nMessage-ID:  <>\r\nUser-Agent: Opera  Mail/9.10 (Win32)\r\n\r\ntest\r\n'
Rcvd from '': '\r\n.\r\n'
Sent to '': '250 ok: Message 270 accepted\r\n'
Rcvd from '': 'QUIT\r\n'

Sent to '': '221\r\n'

I would recommend starting here so you can see a bit more about what is happening during the connection.

Christopher C Smith


Cisco IronPort Customer Support