North American Network Operators Group

Re: SMTP no-such-user issues

  • From: Steve Bertrand
  • Date: Tue Jun 17 11:49:07 2008

Nathan Ward wrote:

On 18/06/2008, at 1:20 AM, Steve Bertrand wrote:


Steve Bertrand wrote:
Frank Bulk - iNAME wrote:
Once you've performed a full capture on port 25, Wireshark does a nice job
of providing an option to extract the relevant conversation by
right-clicking on just one packet in that conversation and choosing
something called "Follow the TCP stream", I believe.
Ok. I've never captured in tcpdump and then imported into Wireshark before, but I'll do some tests, scp the file to my Windows workstation, then follow the stream.
Once I ensure I get a clean stream, I'll post the results.

As I research the documentation on the how-to specifics on capturing with tcpdump in a format that is Wireshark compatible, is there anyone here that could perform a simple test against their own domain email system, that can confirm or deny what I have been witnessing?


Wireshark reads pcap files. Spit them out with this option on the tcpdump command line.

I'm capturing this now.


In the meantime, I had assistance off-list from someone within an external domain, and we confirmed that the problem is NOT solely Hotmail, yet it is not solely my end (at least I'm not completely convinced).

I feel quite a bit more relaxed now, although the problem is not resolved.

Hotmail-encompassed domains are the only site that we have noticed this problem with; however, now I'm certain that there could be more. Most are confirmed to work properly, most notably Gmail.

It is also not solely related to the Barracuda. Another SMTP server is experiencing the same issue within the same network, which is not located behind the 'cuda cluster. The only common ground is that both environments operate under Qmail. The 'cuda setup with no filtering, and the non-cuda setup with SA, ClamAV being called by Simscan.

We're back to square one, but now I know to point squarely at my configuration to find out why this is happening.

My sincerest regards for all of the on- and off-list help that I have received in regards to this issue. I have learned a tremendous amount along the way.

Thank you to everyone who has provided the patience and willingness to help, and those that are continuing to do so.

If it does turn out to be an implementation issue with any of the software chain we have operating here, we will attempt with our best efforts to document it, and provide patches to the original source.

Steve