Discussion:
[pfSense] Microsoft Outlook Blocked
Gerald Waugh
2013-03-17 16:13:01 UTC
Permalink
I have searched the archives, and googled it, but have not found a solution
firewall is working great except MS Outlook is being blocked, all other
email clients work OK

filter.log does not give a clue. no blocking shown for the Outlook users IP

Sendmail/Dovecot Server maillog "Disconnected: Inactivity (no auth
attempts):"

pfctl -d from cli allows MS Outlook to work OK
pfctl -e from cli stops Outlook

cleared ports to '*' any
TCP/UDP * * * * * none Internet to servers
--
Gerald
m***@aol.com
2013-03-17 17:00:17 UTC
Permalink
Post by Gerald Waugh
I have searched the archives, and googled it, but have not found a solution
firewall is working great except MS Outlook is being blocked, all
other email clients work OK
filter.log does not give a clue. no blocking shown for the Outlook users IP
Sendmail/Dovecot Server maillog "Disconnected: Inactivity (no auth
attempts):"
pfctl -d from cli allows MS Outlook to work OK
pfctl -e from cli stops Outlook
cleared ports to '*' any
TCP/UDP * * * * * none Internet to servers
--
Gerald
_______________________________________________
List mailing list
http://lists.pfsense.org/mailman/listinfo/list
I strongly doubt this is a pfSense problem if other clients work fine.
You will need to do a little more troubleshooting here. First thing to
confirm my suspicion would be to take pfSense out of the picture and try
to connect.
Gerald Waugh
2013-03-17 17:06:37 UTC
Permalink
Post by m***@aol.com
Post by Gerald Waugh
I have searched the archives, and googled it, but have not found a solution
firewall is working great except MS Outlook is being blocked, all
other email clients work OK
filter.log does not give a clue. no blocking shown for the Outlook users IP
Sendmail/Dovecot Server maillog "Disconnected: Inactivity (no auth
attempts):"
pfctl -d from cli allows MS Outlook to work OK
pfctl -e from cli stops Outlook
cleared ports to '*' any
TCP/UDP * * * * * none Internet to servers
--
Gerald
I strongly doubt this is a pfSense problem if other clients work fine.
You will need to do a little more troubleshooting here. First thing to
confirm my suspicion would be to take pfSense out of the picture and
try to connect.
thanks for the response, with firewall disabled Outlook will work, with
firewall enabled Outlook will *not* work but thunderbird and ipad, and
iphones do work.
--
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428
Jim Thompson
2013-03-17 18:08:01 UTC
Permalink
iPhone, iPad and thunderbird may be configured differently than outlook, especially if exchange is involved (or the problem is really with authentication.)


See: http://support.microsoft.com/kb/176466

-- Jim
Post by Gerald Waugh
I have searched the archives, and googled it, but have not found a solution
firewall is working great except MS Outlook is being blocked, all other email clients work OK
filter.log does not give a clue. no blocking shown for the Outlook users IP
Sendmail/Dovecot Server maillog "Disconnected: Inactivity (no auth attempts):"
pfctl -d from cli allows MS Outlook to work OK
pfctl -e from cli stops Outlook
cleared ports to '*' any
TCP/UDP * * * * * none Internet to servers
--
Gerald
I strongly doubt this is a pfSense problem if other clients work fine. You will need to do a little more troubleshooting here. First thing to confirm my suspicion would be to take pfSense out of the picture and try to connect.
thanks for the response, with firewall disabled Outlook will work, with firewall enabled Outlook will not work but thunderbird and ipad, and iphones do work.
--
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428
Gerald Waugh
2013-03-17 18:38:59 UTC
Permalink
Post by Jim Thompson
iPhone, iPad and thunderbird may be configured differently than
outlook, especially if exchange is involved (or the problem is really
with authentication.)
See: http://support.microsoft.com/kb/176466
thanks for the response, I have ports set for '*' any
I moved this rule to the top of the rules list

TCP/UDP * * * * * none Internet to servers


using pfsense 2.0.1
only packages installed are cron, mailreport and pfblocker

Still blocking Outlook auth attempts with firewall enabled, works OK
with firewall disabled (pfctl -d)
I guess I'll have to do a reinstall or something similar.
Post by Jim Thompson
On Mar 17, 2013, at 12:06 PM, Gerald Waugh
Post by Gerald Waugh
Post by m***@aol.com
Post by Gerald Waugh
I have searched the archives, and googled it, but have not found a solution
firewall is working great except MS Outlook is being blocked, all
other email clients work OK
filter.log does not give a clue. no blocking shown for the Outlook users IP
Sendmail/Dovecot Server maillog "Disconnected: Inactivity (no auth attempts):"
pfctl -d from cli allows MS Outlook to work OK
pfctl -e from cli stops Outlook
cleared ports to '*' any
TCP/UDP * * * * * none Internet to servers
--
Gerald
I strongly doubt this is a pfSense problem if other clients work
fine. You will need to do a little more troubleshooting here. First
thing to confirm my suspicion would be to take pfSense out of the
picture and try to connect.
thanks for the response, with firewall disabled Outlook will work,
with firewall enabled Outlook will *not* work but thunderbird and
ipad, and iphones do work.
Chris Bagnall
2013-03-17 19:14:40 UTC
Permalink
Post by Gerald Waugh
thanks for the response, I have ports set for '*' any
I moved this rule to the top of the rules list
TCP/UDP * * * * * none Internet to servers
Out of curiosity, have you tried protocol = * rather than just TCP/UDP?

Just an outside chance that your mail configuration is verifying the
existence of the target server using ICMP first before connecting - it
would be an unusual requirement to say the least, but there's no harm
giving it a try...

Would also be curious to know if this problem is happening when
connecting to *any* mail server from Outlook, or whether it's connecting
to a specific server.

Kind regards,

Chris
--
This email is made from 100% recycled electrons
Gerald Waugh
2013-03-17 19:57:03 UTC
Permalink
Post by Chris Bagnall
Post by Gerald Waugh
thanks for the response, I have ports set for '*' any
I moved this rule to the top of the rules list
TCP/UDP * * * * * none Internet to servers
Out of curiosity, have you tried protocol = * rather than just TCP/UDP?
Just an outside chance that your mail configuration is verifying the
existence of the target server using ICMP first before connecting - it
would be an unusual requirement to say the least, but there's no harm
giving it a try...
Would also be curious to know if this problem is happening when
connecting to *any* mail server from Outlook, or whether it's
connecting to a specific server.
thanks for the reply, at your suggestion tried '*' any for protocol. no help
I did have a rule to pass icmp
I deleted all rules other than the pass rule for '*' any. Still Outlook
does not work, but thunderbird does work
if I disable rules with 'pfctl -d' Outlook works fine. so makes me think
the email server is OK.

with firewall enabled: maillog reads "dovecot: pop3-login: Disconnected
(no auth attempts): rip lip
doesn't give a user name?
with firewall disabled: maillog reads "dovecot: pop3-login: Login:
user=<user>, method=PLAIN, rip, lip, mpid
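The two maillog states quoted in the message above can be tallied per client address to show which hosts never get as far as authenticating. This is an added example, not part of the original thread; the log lines are constructed samples in Dovecot's `rip=`/`lip=` layout using documentation addresses, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample maillog (not taken from the thread).
SAMPLE_MAILLOG = """\
Mar 17 14:55:01 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.21, lip=192.0.2.5, mpid=4101
Mar 17 14:55:40 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.30, lip=192.0.2.5
Mar 17 14:56:10 mail dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=192.0.2.30, lip=192.0.2.5
Mar 17 14:56:12 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.22, lip=192.0.2.5, mpid=4107
Mar 17 14:56:45 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.31, lip=192.0.2.5
Mar 17 14:57:03 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.30, lip=192.0.2.5
Mar 17 14:57:30 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.31, lip=192.0.2.5
Mar 17 14:58:02 mail dovecot: pop3-login: Disconnected (no auth attempts): rip=192.0.2.21, lip=192.0.2.5
Mar 17 14:58:05 mail sendmail[4120]: r2HJw5: from=<x@example.org>, size=1200
"""

# Matches a successful login, or either "no auth attempts" wording quoted in
# the thread, and captures the remote (client) IP from rip=.
EVENT = re.compile(
    r"dovecot: (?:pop3|imap)-login: "
    r"(?:(?P<login>Login): user=<(?P<user>[^>]*)>"
    r"|(?P<noauth>Disconnected(?:: [^(:]+)? \(no auth attempts\)))"
    r".*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)


def summarize(log_text):
    """Count logins and no-auth disconnects per client IP."""
    stats = defaultdict(lambda: {"logins": 0, "no_auth": 0})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # unrelated line (sendmail, other dovecot events)
        key = "logins" if m.group("login") else "no_auth"
        stats[m.group("rip")][key] += 1
    return dict(stats)


def never_authenticated(log_text, min_events=2):
    """Client IPs that reached the server repeatedly but never logged in."""
    return sorted(
        rip for rip, s in summarize(log_text).items()
        if s["logins"] == 0 and s["no_auth"] >= min_events
    )


if __name__ == "__main__":
    for rip, s in sorted(summarize(SAMPLE_MAILLOG).items()):
        print(f"{rip:<15} logins={s['logins']} no_auth={s['no_auth']}")
    print("never authenticated:", never_authenticated(SAMPLE_MAILLOG))
```

A client that appears only in the `never_authenticated` list is reaching the server's listener, so the place to look is the return path to that client rather than the pass rule for inbound traffic.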
Ermal Luçi
2013-03-17 21:47:12 UTC
Permalink
On Sun, Mar 17, 2013 at 8:57 PM, Gerald Waugh <
Post by Gerald Waugh
Post by Chris Bagnall
Post by Gerald Waugh
thanks for the response, I have ports set for '*' any
I moved this rule to the top of the rules list
TCP/UDP * * * * * none Internet to servers
Out of curiosity, have you tried protocol = * rather than just TCP/UDP?
Just an outside chance that your mail configuration is verifying the
existence of the target server using ICMP first before connecting - it
would be an unusual requirement to say the least, but there's no harm
giving it a try...
Would also be curious to know if this problem is happening when
connecting to *any* mail server from Outlook, or whether it's connecting to
a specific server.
thanks for the reply, at your suggestion tried '*' any for protocol. no
help
I did have a rule to pass icmp
I deleted all rules other than the pass rule for '*' any. Still Outlook
does not work, but thunderbird does work
if I disable rules with 'pfctl -d' Outlook works fine. so makes me think
the email server is OK.
with firewall enabled: maillog reads "dovecot: pop3-login: Disconnected
(no auth attempts): rip lip
doesn't give a user name?
user=<user>, method=PLAIN, rip, lip, mpid
Try enabling on the rule to allow ip options.
It might be that the packets are being dropped due to having ip options in
them.

Also enabling logging and seeing the reason of the drop would be helpful.
Chris Buechler
2013-03-17 22:36:50 UTC
Permalink
Post by Ermal Luçi
Try enabling on the rule to allow ip options.
It might be that the packets are being dropped due to having ip options in
them.
Outlook shouldn't be using IP options, we'd have had a flood of
problem reports if that were the case with any degree of consistency.

Without having a packet capture it's hard to say. My guess based on
the description is the machine with Outlook has a network
misconfiguration of sorts where its traffic isn't hitting the firewall
in both directions.
Gerald Waugh
2013-03-17 23:02:17 UTC
Permalink
Post by Chris Buechler
Post by Ermal Luçi
Try enabling on the rule to allow ip options.
It might be that the packets are being dropped due to having ip options in
them.
Outlook shouldn't be using IP options, we'd have had a flood of
problem reports if that were the case with any degree of consistency.
Without having a packet capture it's hard to say. My guess based on
the description is the machine with Outlook has a network
misconfiguration of sorts where its traffic isn't hitting the firewall
Thanks for the response.
It is several Outlook IPs that will not work correctly.
the outlook client connects but does not complete and error on server is
"no auth attempts"
error on the client:
/Task '***@domain.com - Receiving' reported error (0x8004210A) : 'The
operation timed out waiting for a response from the receiving (POP)
server. If you continue to receive this message, contact your server
administrator or Internet service provider (ISP).'/
Jim Thompson
2013-03-17 23:08:05 UTC
Permalink
Try hitting Testexchangeconnectivity.com (it's a Microsoft service) or running the Test-OutlookConnectivity tasklet and send the report.

But what you have above (below) shows that you're not reaching a POP(3) server at the given IP address. Any chance you're talking to a different DNS server with the firewall on vs. off?

-- Jim
Post by Gerald Waugh
Post by Chris Buechler
Post by Ermal Luçi
Try enabling on the rule to allow ip options.
It might be that the packets are being dropped due to having ip options in
them.
Outlook shouldn't be using IP options, we'd have had a flood of
problem reports if that were the case with any degree of consistency.
Without having a packet capture it's hard to say. My guess based on
the description is the machine with Outlook has a network
misconfiguration of sorts where its traffic isn't hitting the firewall
Thanks for the response.
It is several Outlook IPs that will not work correctly.
the outlook client connects but does not complete and error on server is "no auth attempts"
Gerald Waugh
2013-03-17 23:29:59 UTC
Permalink
Post by Jim Thompson
Try hitting Testexchangeconnectivity.com
<http://Testexchangeconnectivity.com> (it's a Microsoft service) or
running the *Test-OutlookConnectivity* tasklet and send the report.
I had no luck here firewall on or off. the server we are using is LAMP -
CentOS sendmail and dovecot
Post by Jim Thompson
But what you have above (below) shows that you're not reaching a
POP(3) server at the given IP address. Any chance you're talking to a
different DNS server with the firewall on vs. off?
firewall does not change the servers and the firewall use the same DNS
servers

server log file shows the Outlook client connecting, but then looks like
the email server can not communicate back to the client.
/dovecot: pop3-login: Disconnected (no auth attempts): rip=outlook
client IP, lip=dovecot IP/

so appears the client connects, but does not receive back from dovecot
when firewall is on
Post by Jim Thompson
On Mar 17, 2013, at 6:02 PM, Gerald Waugh
Post by Gerald Waugh
Post by Chris Buechler
Post by Ermal Luçi
Try enabling on the rule to allow ip options.
It might be that the packets are being dropped due to having ip options in
them.
Outlook shouldn't be using IP options, we'd have had a flood of
problem reports if that were the case with any degree of consistency.
Without having a packet capture it's hard to say. My guess based on
the description is the machine with Outlook has a network
misconfiguration of sorts where its traffic isn't hitting the firewall
Thanks for the response.
It is several Outlook IPs that will not work correctly.
the outlook client connects but does not complete and error on server
is "no auth attempts"
'The operation timed out waiting for a response from the receiving
(POP) server. If you continue to receive this message, contact your
server administrator or Internet service provider (ISP).'/
Dane Reugger
2013-03-17 23:15:58 UTC
Permalink
operation timed out waiting for a response from the receiving (POP) server.
If you continue to receive this message, contact your server administrator
or Internet service provider (ISP).'*
Gerald,

I'm a long time lurker on this list but this intrigues me so ...

What version(s) of Outlook is giving you this error?
Can you test from a different computer and version of outlook?

Do these help?
http://support.microsoft.com/kb/827349
http://support.microsoft.com/kb/813518

-Dane
Gerald Waugh
2013-03-17 23:36:53 UTC
Permalink
reported error (0x8004210A) : 'The operation timed out waiting for
a response from the receiving (POP) server. If you continue to
receive this message, contact your server administrator or
Internet service provider (ISP).'/
I'm a long time lurker on this list but this intrigues me so ...
What version(s) of Outlook is giving you this error?
Can you test from a different computer and version of outlook?
Do these help?
http://support.microsoft.com/kb/827349
http://support.microsoft.com/kb/813518
thanks for the response Dane

not that I can tell, I'll contact the users and see which version of
Outlook they are using

the server is using spamassassin and clamav but it does work OK with the
firewall off.

Gerald
Gerald Waugh
2013-03-17 22:38:18 UTC
Permalink
Post by Ermal Luçi
On Sun, Mar 17, 2013 at 8:57 PM, Gerald Waugh
thanks for the response, I have ports set for '*' any
I moved this rule to the top of the rules list
TCP/UDP * * * * * none Internet
to servers
Out of curiosity, have you tried protocol = * rather than just TCP/UDP?
Just an outside chance that your mail configuration is
verifying the existence of the target server using ICMP first
before connecting - it would be an unusual requirement to say
the least, but there's no harm giving it a try...
Would also be curious to know if this problem is happening
when connecting to *any* mail server from Outlook, or whether
it's connecting to a specific server.
thanks for the reply, at your suggestion tried '*' any for
protocol. no help
I did have a rule to pass icmp
I deleted all rules other than the pass rule for '*' any. Still
Outlook does not work, but thunderbird does work
if I disable rules with 'pfctl -d' Outlook works fine. so makes me
think the email server is OK.
Disconnected (no auth attempts): rip lip
doesn't give a user name?
user=<user>, method=PLAIN, rip, lip, mpid
Try enabling on the rule to allow ip options.
It might be that the packets are being dropped due to having ip
options in them.
where do I set "allow ip options"?
Post by Ermal Luçi
Also enabling logging and seeing the reason of the drop would be helpful.
and where do I do this?
Dave Warren
2013-03-17 22:46:32 UTC
Permalink
Post by Gerald Waugh
I have searched the archives, and googled it, but have not found a solution
firewall is working great except MS Outlook is being blocked, all
other email clients work OK
This might be overly simplistic, but what happens if you create a rule
to log traffic to the specific destination IP, are you able to confirm
that Outlook is attempting a connection at all or could this be an issue
on Outlook's side of things?
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Gerald Waugh
2013-03-17 23:07:05 UTC
Permalink
Post by Dave Warren
Post by Gerald Waugh
I have searched the archives, and googled it, but have not found a solution
firewall is working great except MS Outlook is being blocked, all
other email clients work OK
This might be overly simplistic, but what happens if you create a rule
to log traffic to the specific destination IP, are you able to confirm
that Outlook is attempting a connection at all or could this be an
issue on Outlook's side of things?
thanks for the response
will try this later this evening, much traffic now and the majority of
the users are using Outlook.
An initial connection is made, but appears to be no "auth" traffic.
--
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428
m***@greybeam.com
2013-03-17 23:43:54 UTC
Permalink
What about NAT? Is the mail server on the same network as the client, and DNS resolving to a public ip perhaps?

Client makes initial contact to public ip, server responds from the local network address (different ip), the client isn't expecting a connection from that address, so there is no TCP connection.

Mark



----- Reply message -----
From: "Gerald Waugh" <***@frontstreetnetworks.com>
To: "pfSense support and discussion" <***@lists.pfsense.org>
Subject: [pfSense] Microsoft Outlook Blocked
Date: Sun, Mar 17, 2013 7:02 pm
On 03/17/2013 05:36 PM, Chris Buechler
wrote:



On Sun, Mar 17, 2013 at 4:47 PM, Ermal Luçi <***@pfsense.org> wrote:



Try enabling on the rule to allow ip options.
It might be that the packets are being dropped due to having ip options in
them.




Outlook shouldn't be using IP options, we'd have had a flood of
problem reports if that were the case with any degree of consistency.

Without having a packet capture it's hard to say. My guess based on
the description is the machine with Outlook has a network
misconfiguration of sorts where its traffic isn't hitting the firewall

Thanks for the response.

It is several Outlook IPs that will not work correctly.

the outlook client connects but does not complete and error on
server is "no auth attempts"

error on the client:

Task '***@domain.com - Receiving' reported error
(0x8004210A) : 'The operation timed out waiting for a response
from the receiving (POP) server. If you continue to receive this
message, contact your server administrator or Internet service
provider (ISP).'
Gerald Waugh
2013-03-18 01:01:26 UTC
Permalink
Post by m***@greybeam.com
What about NAT? Is the mail server on the same network as the client,
and DNS resolving to a public ip perhaps?
Client makes initial contact to public ip, server responds from the
local network address (different ip), the client isn't expecting a
connection from that address, so there is no TCP connection.
Mark
thanks for the response, wan and opt1 are bridged.

remember that all email clients work except for outlook with firewall
enabled
and all email clients work including outlook when firewall is disabled.

I think I will reload the pfSense box. What is the latest pfSense version?
Chris Buechler
2013-03-18 01:33:39 UTC
Permalink
On Sun, Mar 17, 2013 at 8:01 PM, Gerald Waugh
Post by Gerald Waugh
thanks for the response, wan and opt1 are bridged.
remember that all email clients work except for outlook with firewall
enabled
and all email clients work including outlook when firewall is disabled.
I think I will reload the pfSense box.
That won't change anything. In a bridged setup, that sounds like what
happens when the affected clients are pointing to a wrong default
gateway, like an IP of the firewall rather than the upstream router,
where it has to be the latter in a bridged setup.
Bob Gustafson
2013-03-18 10:17:41 UTC
Permalink
Have you done any packet captures - compare your working email clients
with what Microsoft is trying to do with outlook?
Post by Gerald Waugh
Post by m***@greybeam.com
What about NAT? Is the mail server on the same network as the
client, and DNS resolving to a public ip perhaps?
Client makes initial contact to public ip, server responds from the
local network address (different ip), the client isn't expecting a
connection from that address, so there is no TCP connection.
Mark
thanks for the response, wan and opt1 are bridged.
remember that all email clients work except for outlook with firewall
enabled
and all email clients work including outlook when firewall is
disabled.
I think I will reload the pfSense box. What is the latest pfSense version?
Gerald Waugh
2013-03-18 15:14:10 UTC
Permalink
Post by Bob Gustafson
Have you done any packet captures - compare your working email clients
with what Microsoft is trying to do with outlook?
Thanks for the suggestion, but we reloaded the box and all is working OK.
No idea as to what caused the issue.

Thanks to all for your responses.
l***@go2france.com
2013-03-18 15:25:53 UTC
Permalink
Post by Gerald Waugh
Post by Bob Gustafson
Have you done any packet captures - compare your working email clients
with what Microsoft is trying to do with outlook?
Thanks for the suggestion, but we reloaded the box and all is working
OK.
No idea as to what caused the issue.
Thanks to all for your responses.
if it comes back, get on one of the OL boxes and telnet to desired
server's IP:110 or 143 or 993 or 995.

Len
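The telnet check suggested above, scripted so it can be run from an affected client with the firewall enabled and again with it disabled, and the two results compared. This is an added example, not code from the thread; `probe` and its status names are illustrative, and ports 993/995 are assumed to use implicit TLS.

```python
"""Banner probe for mail ports: a scripted form of 'telnet <server> 110'."""
import socket
import ssl
import sys

PLAIN_PORTS = (110, 143)         # POP3, IMAP: server greets in cleartext
IMPLICIT_TLS_PORTS = (993, 995)  # IMAPS, POP3S: TLS handshake, then greeting


def probe(host, port, timeout=5.0, verify_tls=True):
    """Return (status, detail) for one port.

    refused          TCP reset: nothing listening, or an active reject
    connect-timeout  no answer to the SYN within the timeout
    silent           TCP connected, but no byte came back in time
    closed           server closed without sending a greeting
    greeting         normal '+OK' (POP3) or '* OK' (IMAP) banner
    unexpected       data arrived but was not a mail greeting
    error            anything else (TLS failure, unreachable network, ...)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("connect-timeout", "")
    except OSError as exc:
        return ("error", str(exc))
    try:
        if port in IMPLICIT_TLS_PORTS:
            ctx = ssl.create_default_context()
            if not verify_tls:  # only for servers with self-signed certs
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        data = sock.recv(512)  # the server speaks first in POP3 and IMAP
    except socket.timeout:
        return ("silent", "")
    except OSError as exc:
        return ("error", str(exc))
    finally:
        sock.close()
    if not data:
        return ("closed", "")
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if line.startswith("+OK") or line.upper().startswith("* OK"):
        return ("greeting", line)
    return ("unexpected", line)


def probe_all(host, ports=PLAIN_PORTS + IMPLICIT_TLS_PORTS, timeout=5.0):
    """Probe every mail port and return {port: (status, detail)}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <mail-server-ip-or-name>")
    for port, (status, detail) in probe_all(sys.argv[1]).items():
        print(f"{port:>4}  {status:<16} {detail}")
```

A `silent` result on port 110 corresponds to the symptom reported in the thread: the server logs a connection while the client times out waiting for the POP greeting.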