Environment
Novell GroupWise 7
Novell GroupWise Internet Agent (GWIA)
Novell NetWare 6.5
Novell Open Enterprise Server (NetWare based)
Novell Open Enterprise Server (Linux based)
Novell SUSE Linux Enterprise Server 9
Situation
Error: "Detected error on SMTP command"
GWIA stops routing mail internally and externally.
The CheckPoint Firewall reports a 'too many resource records returned' error.
SmartDefense on the CheckPoint Firewall recognizes a SYN attack.
Resolution
The CheckPoint Firewall scans incoming and outgoing traffic for signs of spam or SMTP attacks.
The GWIA performs a DNS lookup of each domain to which it attempts to send a message.
If 'Validate Sender's Identity' is checked on the GWIA, it also performs a PTR (reverse DNS) lookup to verify that the sending domain actually exists.
In some instances, the GWIA DNS query returns a number of records for the recipient or sending domain, and the CheckPoint Firewall notes this as a SYN attack, which is a common denial of service (DoS) attack meant to deplete resources on a gateway to the point of failure or at least to the point of exhaustion.
When the SmartDefense 'DNS Records Resource Enforcement' algorithm recognizes what it believes to be this type of attack, it does not release the threads, which causes a GWIA failure. The GWIA is unable to send or receive in this instance.
The resolution at this time is to set the SmartDefense DNS RRE to 'bypass/log only' mode so that the queries are allowed.
Additional Information
At this time the problem is under investigation. As of 3.10.08 no bug has been associated with the phenomenon on the GroupWise Internet Agent gateway.
CheckPoint may or may not have any information regarding this phenomenon other than how their SmartDefense algorithms distinguish what is an attack from what is not. As of the writing of this TID, there did not seem to be any way to granularly remove the GWIA DNS lookups from SmartDefense's listing.