OT: Thunderbird and iptables

Matt Kettler mkettler at EVI-INC.COM
Wed Apr 20 20:43:53 IST 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

I think your biggest hint should be to notice that the packet has the
RST bit set. I doubt this is part of a connection originated by the
server, but instead part of a connection originated, or trying to
originate from, the remote.

The RST flag generally means that the.remote sent a packet to an
unserved port on your mailserver. The other case could be an abrupt
close of the socket on the server side, such as a process kill. The RST
packet would be generated by your mailserver as a method of warning the
connection isn't valid and doesn't have any state tracking.

If multiple resets were generated due to multiple offending packets,
IPTables may refuse all but the first, as the connection was destroyed
by the first RST (I see this all the time on cisco PIX equipment, a late
arriving duplicate fin or rst packet gets dropped because there's no
matching connection)

However, that port pattern looks more like passive-mode FTP than IMAP..
but who knows, I'm no IMAP expert.

So, I suppose your questions should be:

1) can the client try to connect to port 36798 on the server?
2) If not, does IMAP advertise secondary ports for the client to connect
to (like passive FTP does)?
3) If so, can the remote try to make tcp connections to port 36798 if
advertised by the IMAP server?

Mark Nienberg wrote:

> Forgive the off-topic post, but what a great place this is to get the
> ear of a bunch of e-mail administrators.
>
> My offsite Thunderbird users, chen checking mail using IMAP, generate
> messages like the following from iptables:
>
> Apr 20 10:29:10 gingham kernel: IN= OUT=eth0
> SRC=my.mailserver.ip.address DST=the.remote.ip.address
> LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=50142 DF PROTO=TCP
> SPT=36798 DPT=60933 WINDOW=7040 RES=0x00 ACK RST URGP=0
>
> In spite of this, the Thunderbird clients seem to work just fine.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list