Error: "Detected error on SMTP command" CheckPoint Firewall

  • 3661163
  • 10-Mar-2008
  • 26-Apr-2012

Environment

Novell GroupWise 7
Novell GroupWise Internet Agent (GWIA)
Novell NetWare 6.5
Novell Open Enterprise Server (NetWare based)
Novell Open Enterprise Server (Linux based)
Novell SUSE Linux Enterprise Server 9

Situation

Error: "Detected error on SMTP command"
GWIA stops routing mails internally and externally.
CheckPoint Firewall throws a 'too many resource records returned' error.
SmartDefense on the CheckPoint Firewall recognizes a SYN attack.

Resolution

The CheckPoint Firewall scans incoming and outgoing traffic for signs of SPAM or SMTP attacks.
The GWIA will perform a DNS lookup of each domain to which it attempts to send a message.
If 'Validate Sender's Identity' is checked on the GWIA, it will also perform a PTR or Reverse DNS lookup to verify that the sending domain actually exists.
In some instances, the GWIA DNS query returns a number of records for the recipient or sending domain, and the CheckPoint Firewall notes this as a SYN attack, a common denial of service (DoS) attack meant to deplete resources on a gateway to the point of failure or at least to the point of exhaustion.
When the SmartDefense 'DNS Records Resource Enforcement' algorithm recognizes what it believes to be this type of attack, it does not release the threads, which causes a GWIA failure. The GWIA is unable to send or receive in this instance.
The resolution at this time is to amend the SmartDefense DNS RRE to 'bypass/log only' mode so that the queries are allowed.
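
To see which DNS responses carry enough resource records to trip a record-count check like the one described above, the following added example (not part of the original TID and not Novell or CheckPoint code) walks a raw DNS response and tallies records per section and type. ASSUMED_RR_LIMIT is a hypothetical threshold, since the TID does not state the value SmartDefense enforces, and build_sample produces constructed test data for the placeholder domain example.test.

```python
import struct

ASSUMED_RR_LIMIT = 8  # hypothetical; the TID gives no SmartDefense threshold

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def count_records(msg):
    """Walk a raw DNS response; return ({section: {rtype: count}}, total)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    tally = {}
    for section, n in (("answer", an), ("authority", ns), ("additional", ar)):
        types = {}
        for _ in range(n):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen                  # fixed fields plus RDATA
            if off > len(msg):
                raise ValueError("truncated record")
            types[rtype] = types.get(rtype, 0) + 1
        tally[section] = types
    return tally, an + ns + ar

def exceeds_limit(msg, limit=ASSUMED_RR_LIMIT):
    """True when the response holds more records than the assumed limit."""
    return count_records(msg)[1] > limit

def build_sample(n_mx):
    """Constructed MX response for example.test with n_mx answers (test data)."""
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, n_mx, 0, 0)
    msg += b"\x07example\x04test\x00" + struct.pack("!HH", 15, 1)
    for i in range(n_mx):
        rdata = struct.pack("!H", 10 * (i + 1)) + b"\x02mx\xc0\x0c"
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 300, len(rdata)) + rdata
    return msg
```

Feeding it the UDP payloads of responses captured on the GWIA server shows which recipient or sender domains return large record sets; record type 15 is MX.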

Additional Information

At this time the problem is under investigation. As of 3.10.08 no bug has been associated with the phenomenon on the GroupWise Internet Agent gateway.
CheckPoint may or may not have any information regarding this phenomenon other than how their SmartDefense algorithms decipher what an attack 'is' versus what one 'is not'. As of the writing of this TID, there didn't seem to be any way to granularly remove the GWIA DNS lookups from SmartDefense's listing.