topic SMTP traffic mis-classified as FTP ? in General Topics

SMTP traffic mis-classified as FTP ?

KGC — Wed, 24 Aug 2011 17:39:26 GMT

The other day we discovered that our SMTP server was unable to send email to the silvacom.com domain.

The problem was traced to our PAN rule which allows only SMTP traffic to eminate from our email server, on the application-default port. All attempts to deliver email to this domain, however, were being seen by the PAN as FTP traffic on TCP port 25 (instead of SMTP) and were denied. (We are on PANOS v3.1.8)

The MX record for this domain references ftpmail.isogis.com (which is also their OWA and FTP server.)

Once I created another rule specifically for this destination IP which allowed our email server to just connect on port 25 using any application, email was delivered and traffic properly classified as SMTP. See screenshot of the traffic before and after this new rule was implemented.

How can this sort of mis-classification happen? Does PAN look at the DNS name of the host and determine it's FTP? It seems rather strange that it would make such a mistake for a fairly basic protocol.

Re: SMTP traffic mis-classified as FTP ?

camkim_MDEA — Wed, 24 Aug 2011 18:02:15 GMT

My guess is that PAN would want you to submit a packet capure of the traffic to see why it would be mis-identified.

You should not need to allow FTP through port 25 to accept any SMTP traffic.

Re: SMTP traffic mis-classified as FTP ?

lens — Tue, 10 Jul 2012 13:29:27 GMT

Hello

I have one customer experiencing the same kind of SMTP mis-classification.

SMTP traffic is classified as RSS in our case (for a specific domain and a specific mail message type)

The recommendation I gave is to allow the port with ANY as application. Not exactly perfect but a valid work around.

Cheers

Fred

Re: SMTP traffic mis-classified as FTP ?

mikand — Wed, 11 Jul 2012 06:41:27 GMT

At least that workaround is not worser than when using most other firewalls 😉