Spam filter not working, incoming e-mails not in SMTP log

I'm not sure when, but a couple-ish weeks ago I noticed a lot of spam e-mails coming in. I checked the SMTP logs and I don't see any incoming e-mails being logged even though the UTM seems to be relaying them to the internal e-mail server. I see random connections from addresses such as:

2019:06:14-09:50:56 utm exim-in[5528]: 2019-06-14 09:50:56 SMTP connection from [107.170.202.224]:34776 (TCP/IP connection count = 1)
2019:06:14-09:51:00 utm exim-out[25083]: 2019-06-14 09:51:00 Start queue run: pid=25083
2019:06:14-09:51:00 utm exim-out[25083]: 2019-06-14 09:51:00 End queue run: pid=25083
2019:06:14-09:51:06 utm exim-in[25079]: 2019-06-14 09:51:06 TLS error on connection from [107.170.202.224]:34776 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
2019:06:14-09:51:06 utm exim-in[25079]: 2019-06-14 09:51:06 TLS client disconnected cleanly (rejected our certificate?)

And I see outgoing e-mails being relayed but incoming e-mails aren't showing up in the log. Any ideas why this would be?

  • It sounds like you have activated a DNAT that forwards the inbound traffic.  See #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob

  • In reply to BAlfson:

    I didn't touch my DNAT rules before the spam filter stopped working. I've gone through my DNAT rules a bunch of times and the only e-mail related rules are for IMAP. I don't remember making any changes recently to my UTM configuration. I just started getting a lot of penis pill e-mails and went to investigate, and it looks like incoming e-mails just randomly stopped getting inspected May 15th. Is there a config file I can look at through SSH to make sure the web interface isn't lying to me about my DNAT rules?

  • In reply to BAlfson:

    So with no DNAT rule for SMTP ports the incoming e-mail is getting through with SMTP proxy enabled and disabled... What do I check with this behavior?

  • In reply to 0xDECAFBAD:

    The product works quite predictably, but I cannot comment on your problem from limited information, some of which sounds impossible.

    You need to spend a lot of time studying the manuals, the supplemental information in the WiKi and pinned to the top of each forum section, and reviewing the system logs. Firewalls are critically important to get right on the first try, so your best move may be to find a consultant or a mentor.

  • In reply to 0xDECAFBAD:

    "the incoming e-mail is getting through with SMTP proxy enabled and disabled"

    Assuming that your mail server has an internal IP instead of a public one, the only way this can happen with a UTM is if there's a NAT rule.

    Otherwise, reboot several times, make a new config backup and restore the backup made just before you last applied Up2Dates.

    Any new news?

    Cheers - Bob

  • In reply to BAlfson:

    I tried rebooting a couple of times. No change. I can try restoring the config from a backup tomorrow and see if that fixes it. Here's the NAT rules according to the OS. Nothing SMTP related.


    utm:/root # sudo iptables -t nat -L -n -v
    Chain PREROUTING (policy ACCEPT 111K packets, 21M bytes)
     pkts bytes target     prot opt in     out     source               destination
     400K   79M AUTO_PRE   all  --  *      *       0.0.0.0/0            0.0.0.0/0
     400K   79M USR_PRE    all  --  *      *       0.0.0.0/0            0.0.0.0/0
     390K   79M LOAD_BALANCING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    Chain INPUT (policy ACCEPT 50094 packets, 3738K bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 54619 packets, 4784K bytes)
     pkts bytes target     prot opt in     out     source               destination
     155K   14M AUTO_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     155K   14M USR_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    Chain POSTROUTING (policy ACCEPT 55834 packets, 4847K bytes)
     pkts bytes target     prot opt in     out     source               destination
     285K   52M AUTO_POST  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     285K   52M USR_POST   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    Chain AUTO_OUTPUT (1 references)
     pkts bytes target     prot opt in     out     source               destination
    Chain AUTO_POST (1 references)
     pkts bytes target     prot opt in     out     source               destination
    Chain AUTO_PRE (1 references)
     pkts bytes target     prot opt in     out     source               destination
      689 35724 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:4444 ADDRTYPE match dst-type LOCAL
    Chain LOAD_BALANCING (1 references)
     pkts bytes target     prot opt in     out     source               destination
    Chain USR_OUTPUT (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:7443 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:7446 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:32400 to:192.168.1.181
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:143 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:990 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpts:21:25 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:64738 to:192.168.1.150
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            [External IP]           udp spts:1:65535 dpt:64738 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:10823 to:192.168.1.132
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            [External IP]           udp spts:1:65535 dpt:10823 to:192.168.1.132
    Chain USR_POST (1 references)
     pkts bytes target     prot opt in     out     source               destination
    39291   12M MASQUERADE  all  --  *      eth1    192.168.1.0/24       0.0.0.0/0            policy match dir out pol none
        0     0 MASQUERADE  all  --  *      eth1    192.168.3.0/24       0.0.0.0/0            policy match dir out pol none
        0     0 MASQUERADE  all  --  *      eth1    10.242.2.0/24        0.0.0.0/0            policy match dir out pol none
        0     0 MASQUERADE  all  --  *      eth1    192.168.4.0/24       0.0.0.0/0            policy match dir out pol none
    Chain USR_PRE (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:7443 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:7446 to:192.168.1.150
       25  1540 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:32400 to:192.168.1.181
       32  1872 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:143 to:192.168.1.150
        2   100 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:990 to:192.168.1.150
     1151 57848 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpts:21:25 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:64738 to:192.168.1.150
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            [External IP]           udp spts:1:65535 dpt:64738 to:192.168.1.150
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:10823 to:192.168.1.132
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            [External IP]           udp spts:1:65535 dpt:10823 to:192.168.1.132

  • In reply to 0xDECAFBAD:

        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpts:21:25 to:192.168.1.150

    Cheers - Bob
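The rule Bob is pointing at is the `dpts:21:25` DNAT in USR_PRE: a port range meant for FTP that also swallows port 25, so inbound SMTP is forwarded straight to 192.168.1.150 and never reaches the exim-in proxy. As an added example (not code from the thread or from Sophos), here is a small Python check that scans `iptables -t nat -L -n -v` output for DNAT rules whose destination port or port range covers an SMTP port; the sample chain below is constructed to mirror the USR_PRE output above, and the `[External IP]` placeholder is kept as in the post.

```python
import re
import sys

# Constructed sample resembling the USR_PRE chain from the thread (not the full dump).
SAMPLE_NAT = """\
Chain USR_PRE (1 references)
 pkts bytes target     prot opt in     out     source               destination
   32  1872 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:143 to:192.168.1.150
 1151 57848 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpts:21:25 to:192.168.1.150
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            [External IP]           tcp spts:1:65535 dpt:7443 to:192.168.1.150
"""

# Ports the SMTP proxy would normally terminate; a DNAT covering any of them bypasses it.
SMTP_PORTS = {25, 465, 587}

# Matches a DNAT rule line: packet counter, protocol, "dpt:N" or "dpts:LO:HI", and the target.
DNAT_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+\S+\s+DNAT\s+(?P<proto>tcp|udp)\s.*?"
    r"\bdpts?:(?P<lo>\d+)(?::(?P<hi>\d+))?\s.*?\bto:(?P<to>[\d.]+)"
)


def find_smtp_dnat(nat_output, ports=SMTP_PORTS):
    """Return TCP DNAT rules whose destination port (or range) covers any of `ports`."""
    hits, chain = [], None
    for line in nat_output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # remember which chain we are in
            continue
        m = DNAT_RE.match(line)
        if not m or m["proto"] != "tcp":
            continue
        lo = int(m["lo"])
        hi = int(m["hi"] or lo)              # single port: range collapses to itself
        covered = sorted(p for p in ports if lo <= p <= hi)
        if covered:
            hits.append({"chain": chain, "range": (lo, hi), "ports": covered,
                         "to": m["to"], "pkts": int(m["pkts"])})
    return hits


if __name__ == "__main__":
    # Pipe real output in ("iptables -t nat -L -n -v | python3 this.py"); else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAT
    for h in find_smtp_dnat(text):
        print(f"{h['chain']}: dpts {h['range'][0]}:{h['range'][1]} -> {h['to']} "
              f"covers SMTP port(s) {h['ports']} ({h['pkts']} pkts matched)")
```

A non-zero packet counter on such a rule is the tell: mail is being forwarded by the kernel before the proxy ever sees it, which is exactly why nothing shows in the SMTP log.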

  • In reply to BAlfson:

    Wow I'm an idiot. I was hoping I was just being dumb because this seemed like impossible behavior. Working now. Thanks.