We are receiving this SMTP Data Timeout error on e-mails coming from a specific company. Every other server is working fine, but this is a big company here in Brazil and they say that we are to blame for this error.
Here is a sample of tcpdump output from one of the servers:
13:20:25.581184 IP (tos 0x0, ttl 59, id 63466, offset 0, flags [DF], proto TCP (6), length 48)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [S], cksum 0xe0b5 (correct), seq 820856498, win 35840, options [mss 1360,nop,wscale 10], length 0
13:20:25.581269 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [S.], cksum 0x05d8 (incorrect -> 0xf40f), seq 2471613077, ack 820856499, win 62720, options [mss 8960,nop,wscale 7], length 0
13:20:25.583380 IP (tos 0x0, ttl 59, id 63467, offset 0, flags [DF], proto TCP (6), length 40)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [.], cksum 0x3205 (correct), ack 1, win 35, length 0
13:20:25.779184 IP (tos 0x0, ttl 64, id 17738, offset 0, flags [DF], proto TCP (6), length 214)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x067e (incorrect -> 0x4076), seq 1:175, ack 1, win 490, length 174: SMTP, length: 174
220-hostname.XXX.XXX.XXX.XXX ESMTP Exim 4.96.2 #2 Sun, 18 Feb 2024 13:20:25 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
13:20:25.780954 IP (tos 0x0, ttl 59, id 63468, offset 0, flags [DF], proto TCP (6), length 40)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [.], cksum 0x3157 (correct), ack 175, win 35, length 0
13:20:25.781006 IP (tos 0x0, ttl 59, id 63469, offset 0, flags [DF], proto TCP (6), length 85)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [P.], cksum 0x6505 (correct), seq 1:46, ack 175, win 35, length 45: SMTP, length: 45
EHLO YYY.YYY.YYY.YYY
13:20:25.781104 IP (tos 0x0, ttl 64, id 17739, offset 0, flags [DF], proto TCP (6), length 211)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x067b (incorrect -> 0xe6c7), seq 175:346, ack 46, win 490, length 171: SMTP, length: 171
250-hostname.XXX.XXX.XXX.XXX Hello hostname.YYY.YYY.YYY [YYY.YYY.YYY.YYY]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-STARTTLS
250 HELP
13:20:25.782968 IP (tos 0x0, ttl 59, id 63470, offset 0, flags [DF], proto TCP (6), length 50)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [P.], cksum 0xee14 (correct), seq 46:56, ack 346, win 35, length 10: SMTP, length: 10
**STARTTLS**
13:20:25.783807 IP (tos 0x0, ttl 64, id 17740, offset 0, flags [DF], proto TCP (6), length 58)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x05e2 (incorrect -> 0xc630), seq 346:364, ack 56, win 490, length 18: SMTP, length: 18
**220 TLS go ahead**
13:20:25.786122 IP (tos 0x0, ttl 59, id 63471, offset 0, flags [DF], proto TCP (6), length 423)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [P.], cksum 0x9a18 (correct), seq 56:439, ack 364, win 35, length 383: SMTP, length: 383
13:20:25.786395 IP (tos 0x0, ttl 64, id 17741, offset 0, flags [DF], proto TCP (6), length 4136)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x15d0 (incorrect -> 0x3a95), seq 364:4460, ack 439, win 488, length 4096: SMTP, length: 4096
13:20:25.787327 IP (tos 0x0, ttl 64, id 17745, offset 0, flags [DF], proto TCP (6), length 1029)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x09ad (incorrect -> 0xcd8b), seq 4460:5449, ack 439, win 488, length 989: SMTP, length: 989
13:20:25.788439 IP (tos 0x0, ttl 59, id 63472, offset 0, flags [DF], proto TCP (6), length 40)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [.], cksum 0x1ee5 (correct), ack 4460, win 34, length 0
13:20:25.789810 IP (tos 0x0, ttl 59, id 63473, offset 0, flags [DF], proto TCP (6), length 187)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [P.], cksum 0xaef1 (correct), seq 439:586, ack 5449, win 34, length 147: SMTP, length: 147
13:20:25.789940 IP (tos 0x0, ttl 64, id 17746, offset 0, flags [DF], proto TCP (6), length 241)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x0699 (incorrect -> 0xccac), seq 5449:5650, ack 586, win 487, length 201: SMTP, length: 201
13:20:25.791983 IP (tos 0x0, ttl 59, id 63474, offset 0, flags [DF], proto TCP (6), length 115)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [P.], cksum 0x24e3 (correct), seq 586:661, ack 5650, win 34, length 75: SMTP, length: 75
13:20:25.792094 IP (tos 0x0, ttl 64, id 17747, offset 0, flags [DF], proto TCP (6), length 70)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x05ee (incorrect -> 0x509f), seq 5650:5680, ack 661, win 487, length 30: SMTP, length:30
13:20:25.794032 IP (tos 0x0, ttl 59, id 63475, offset 0, flags [DF], proto TCP (6), length 102)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [P.], cksum 0xa451 (correct), seq 661:723, ack 5680, win 34, length 62: SMTP, length: 62
13:20:25.838242 IP (tos 0x0, ttl 64, id 17748, offset 0, flags [DF], proto TCP (6), length 40)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [.], cksum 0x05d0 (incorrect -> 0x1740), ack 723, win 487, length 0
13:20:28.194364 IP (tos 0x0, ttl 64, id 17749, offset 0, flags [DF], proto TCP (6), length 76)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x05f4 (incorrect -> 0x2a3e), seq 5680:5716, ack 723, win 487, length 36: SMTP, length:36
13:20:28.196249 IP (tos 0x0, ttl 59, id 63476, offset 0, flags [DF], proto TCP (6), length 68)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [P.], cksum 0xce18 (correct), seq 723:751, ack 5716, win 34, length 28: SMTP, length: 28
13:20:28.196268 IP (tos 0x0, ttl 64, id 17750, offset 0, flags [DF], proto TCP (6), length 40)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [.], cksum 0x05d0 (incorrect -> 0x1700), ack 751, win 487, length 0
13:20:28.196318 IP (tos 0x0, ttl 64, id 17751, offset 0, flags [DF], proto TCP (6), length 118)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x061e (incorrect -> 0x19c7), seq 5716:5794, ack 751, win 487, length 78: SMTP, length:78
13:20:28.402249 IP (tos 0x0, ttl 64, id 17752, offset 0, flags [DF], proto TCP (6), length 118)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x061e (incorrect -> 0x19c7), seq 5716:5794, ack 751, win 487, length 78: SMTP, length:78
13:20:28.404148 IP (tos 0x0, ttl 59, id 63478, offset 0, flags [DF], proto TCP (6), length 40)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [.], cksum 0x109f (correct), ack 5794, win 34, length 0
13:25:28.196640 IP (tos 0x0, ttl 64, id 17753, offset 0, flags [DF], proto TCP (6), length 109)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], cksum 0x0615 (incorrect -> 0xe52d), seq 5794:5863, ack 751, win 487, length 69: SMTP, length:69
**421 XXX.XXX.XXX.XXX SMTP incoming data timeout - closing connection.**
13:25:28.197779 IP (tos 0x0, ttl 64, id 17754, offset 0, flags [DF], proto TCP (6), length 40)
10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [F.], cksum 0x05d0 (incorrect -> 0x166c), seq 5863, ack 751, win 487, length 0
13:25:28.198568 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 40)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [R], cksum 0x952e (correct), seq 820857249, win 0, length 0
13:25:28.199394 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6), length 40)
YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [R], cksum 0x952e (correct), seq 820857249, win 0, length 0
My question is: how can I read the data after the TLS connection has been established? There is something going on after that, but I cannot see it. Can it be related to the fact that our server is Exim and theirs is Postfix, and somehow our server is not understanding the end-of-data command?
We tried to whitelist all their IPs, but it did not work.
Here is what the Exim mainlog shows:
2024-02-18 13:26:07 SMTP data timeout (message abandoned) on connection from hostname.YYY.YYY.YYY.YYYY [YYY.YYY.YYY.YYYY]:46223 F=<[email protected]>
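
An added example, not part of the original post: even with the payload encrypted, the TCP metadata in a verbose two-line tcpdump trace like the one above shows which side went quiet. The sketch below finds the longest silence and who sent payload last before it; the function names and the abridged sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime

# Abridged from the trace in the post (IP-header and checksum fields trimmed).
SAMPLE = """\
13:20:28.196249 IP (tos 0x0, ttl 59, proto TCP (6), length 68)
    YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [P.], seq 723:751, ack 5716, win 34, length 28: SMTP, length: 28
13:20:28.196318 IP (tos 0x0, ttl 64, proto TCP (6), length 118)
    10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], seq 5716:5794, ack 751, win 487, length 78: SMTP, length:78
13:20:28.402249 IP (tos 0x0, ttl 64, proto TCP (6), length 118)
    10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], seq 5716:5794, ack 751, win 487, length 78: SMTP, length:78
13:20:28.404148 IP (tos 0x0, ttl 59, proto TCP (6), length 40)
    YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [.], ack 5794, win 34, length 0
13:25:28.196640 IP (tos 0x0, ttl 64, proto TCP (6), length 109)
    10.0.0.114.smtp > YYY.YYY.YYY.YYY.39509: Flags [P.], seq 5794:5863, ack 751, win 487, length 69: SMTP, length:69
13:25:28.198568 IP (tos 0x0, ttl 59, proto TCP (6), length 40)
    YYY.YYY.YYY.YYY.39509 > 10.0.0.114.smtp: Flags [R], seq 820857249, win 0, length 0
"""

REC = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP .*\n\s*(\S+) > \S+: Flags \[[^\]]*\],(.*)$", re.M)

def parse(text):
    """Turn two-line verbose records into dicts (time of day only, no midnight wrap)."""
    pkts = []
    for ts, src, rest in REC.findall(text):
        seq = re.search(r"seq (\d+(?::\d+)?)", rest)
        pkts.append({"t": datetime.strptime(ts, "%H:%M:%S.%f"), "src": src,
                     "seq": seq.group(1) if seq else None,
                     # first "length" on the detail line is the TCP payload size
                     "len": int(re.search(r"length (\d+)", rest).group(1))})
    return pkts

def find_stall(pkts):
    """Locate the longest silence and report who carried payload last before it."""
    i = max(range(1, len(pkts)), key=lambda k: pkts[k]["t"] - pkts[k - 1]["t"])
    before = [p for p in pkts[:i] if p["len"] > 0]
    seen, retx = set(), []
    for p in before:  # the same sender repeating a seq range is a retransmission
        key = (p["src"], p["seq"])
        if key in seen:
            retx.append(key)
        seen.add(key)
    return {"gap_seconds": round((pkts[i]["t"] - pkts[i - 1]["t"]).total_seconds()),
            "last_payload_from": before[-1]["src"],
            "silence_broken_by": pkts[i]["src"],
            "retransmitted": retx}

if __name__ == "__main__":
    print(find_stall(parse(SAMPLE)))
```

On the abridged lines, the last payload before the gap came from 10.0.0.114 (sent twice, then acknowledged by the remote side), and the same host broke the silence roughly 300 seconds later.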