01-17-2011 05:25 AM
Info: New SMTP ICID 3607 interface smtp (x.x.x.x) address y.y.y.y reverse dns host y-y-y--y.zzz.zzzz.net verified no
Info: ICID 3607 ACCEPT SG None match ALL SBRS None
Info: ICID 3607 lost
Info: ICID 3607 close
We try to use a mail server to do SMTP-AUTH, looks like the connection is dropped before it
Any ideas why it happens
Tanks a lot
RW
01-17-2011 06:57 PM
Hi,
You mention your attempting SMTP-AUTH. We see , "connection lost, closed" in the mail logs, which does not really tell us a lot. I would recommend setting up a debug log so that you can see the full smtp conversation. Injection debug logs will show you much more verbose data about the incoming connection attempt. Below is some additional information on setting this up.
Each line within an Injection Debug Logs outlines data sent and received during the SMTP conversation.
To enable the Injection Debug Logs in the GUI
1. System Administration > Log Subscriptions
2. Select "Add log subscription..."
3. In the log type, select "Injection Debug Logs" and fill out the rest of the fields.
Note:
4. The number of SMTP sessions should be between 1-25.
To enable the Injection Debug Logs in the CLI
1. Enter the command logconfig > new.
2. Select "Injection Debug Logs."
3. Enter a name for this log (i.e. debugging_example)
4. Enter the hostname, IP address or block of IP addresses for which you want to record injection debug information. (i.e. mail1.example.com)
5. You will be asked for the number of SMTP sessions you want to record for this domain. A value between 1-25 is fine.
6. Enter the method to retrieve the logs. FTP Poll is fine.
7. Enter the filename. The default is fine.
8. Select the remaining defaults.
Below is an example of what an Injection Debug Logs looks like when the ESA accepts mail from a server.
The "Injection Debug Log" and"Domain Debug Log" are similar to the mail_logs. You can use the "grep" and "tail" commands on them.
Sent to '10.251.21.203': '220 ironportappliance ESMTP\r\n'
Rcvd from '10.251.21.203': 'EHLO outgoing.example.com\r\n'
Sent to '10.251.21.203': '250-nibbles.run\r\n250-8BITMIME\r\n250 SIZE 104857600\r\n'
Rcvd from '10.251.21.203': 'MAIL FROM:<jsmith@example.com>\r\n'
Sent to '10.251.21.203': '250 sender <jsmith@example.com> ok\r\n'
Rcvd from '10.251.21.203': 'RCPT TO:<test@example.org>\r\n'
Sent to '10.251.21.203': '250 recipient <test@example.org>ok\r\n'
Rcvd from '10.251.21.203': 'DATA\r\n'
Sent to '10.251.21.203': '354 go ahead\r\n'
Rcvd from '10.251.21.203': 'To: "test@example.org" <test@example.org>\r\nSubject: 12:14pm - test\r\nFrom: Hotel_Users <jsmith@example.com>\r\nContent-Type: text/plain; format=flowed; delsp=yes; charset=iso-8859-15\r\nMIME-Version: 1.0\r\nContent-Transfer-Encoding: 7bit\r\nDate: Tue, 09 Jan 2007 12:14:35 -0800\r\nMessage-ID: <op.tlwk6lvgwomlp4@outgoing.example.com>\r\nUser-Agent: Opera Mail/9.10 (Win32)\r\n\r\ntest\r\n'
Rcvd from '10.251.21.203': '\r\n.\r\n'
Sent to '10.251.21.203': '250 ok: Message 270 accepted\r\n'
Rcvd from '10.251.21.203': 'QUIT\r\n'
Sent to '10.251.21.203': '221 nibbles.run\r\n'
I would recommend starting here so you can see a bit more about what is happening during the connection.
Christopher C Smith
CSE
Cisco IronPort Customer Support
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: