Jean-Francois_G
Explorer

iPhone emails sent over LTE get bounced by MTA

Hello, I'm running Checkpoint R81.20 Take 90 in a cluster.

 

Has anyone ever seen this problem? We have multiple external users who send us email from their iPhone with a Gmail account over LTE, and when the Checkpoint MTA receives the email it bounces it and drops it. Note that if they send email over Wi-Fi with their iPhone we do not have this problem. It's only happening over LTE. We also tried writing nothing in the email body and writing normal text, and in both scenarios the email is blocked.

 

Here is one log

Time: 2024-11-25T17:11:04Z
Id: 56b37af0-a96f-73c6-c4fd-890fc0a86402
Sequencenum: 199
Source: 127.0.0.1
Destination: xxx.xxx.xxx.2
Destination Port: 25
Sender: externaluser@gmail.com
Recipient: internaluser@domain.ca
Email Subject: Test LtE
Email Message ID: <12E12082-6C34-4825-AA7E-0FD52C3B7134@gmail.com>
Email Queue Name: bounce
Arrival Time: 1970-01-01T00:00:00Z
Scan Started: 2024-11-25T17:11:04Z
Scan Ended: 2024-11-25T17:11:04Z
Email Status: Bounced
Last status update: 1970-01-01T00:00:00Z
Last Failure Reason: Spam email
Original Queue ID: 4Xxsfw07Lpz7t8J
Type: Log
Blade: MTA
Origin: infFire
Product Family: Threat
Logid: 131840
Marker: @A@@B@1732510800@C@5128445
Log Server Origin: xxx.xxx.xxx.3
Origin Log Server IP:xxx.xxx.xxx.3
Index Time: 2024-11-25T17:11:16Z
Lastupdatetime: 1732554676000
Lastupdateseqnum: 199
Severity: Informational
Confidence Level: N/A
Stored: true
Email Queue ID: 4Xxsfw07Lpz7t8J
Description: An email from externaluser@gmail.com was bounced
Email Headers: Received: from mail-qk1-f180.google.com (localhost [127.0.0.1]), by mail.domain.ca (Postfix) with ESMTPS id 4Xxsfw07Lpz7t8J, for <internaluser@domain.ca>; Mon, 25 Nov 2024 12:11:03 -0500 (EST), Received: by mail-qk1-f180.google.com with SMTP id af79cd13be357-7b66a740de4so76948885a.3, for <internaluser@domain.ca>; Mon, 25 Nov 2024 09:11:03 -0800 (PST), DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;, d=gmail.com; s=20230601; t=1732554663; x=1733159463; darn=domain.ca;, h=to:message-id:subject:date:mime-version:content-transfer-encoding, :from:from:to:cc:subject:date:message-id:reply-to;, bh=xbG2blgIDpVVqLeI9gG7eOxboqck3gUEy2bGANtuqBg=;, b=FwZ5++3SEWpBhZ1lYt3d9luGfZIZY6ERHiBOuIU73B6tbK8AETMEzufNSPA5Sgr5pX, n1KPtgEVaQ0+M/1vMnD9UhFbaFbBCC5x8jjTSxPdPUPDrDc32sfeo7eLItap79kMPF/D, nl1cO4OqqDXCxUQ+zHRcGzagjhiX69LOug6WHk76yWnp1z9UC/iu1j5/HC4Dfq6hBLX2, r3oLXWebQuJJrRuFfBtOAyRO9Tx7Fht+uqYm3DlbGEt77cNFolSMUbsplsu0XOHaPAWC, jI74v1FnMpV3ZwqUwHY8LZzo+2F5JWpzhkMlF28NgYPV5u1pZJaRwz49x4qya/Ul3IBg, 0tvQ==, X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;, d=1e100.net; s=20230601; t=1732554663; x=1733159463;, h=to:message-id:subject:date:mime-version:content-transfer-encoding, :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;, bh=xbG2blgIDpVVqLeI9gG7eOxboqck3gUEy2bGANtuqBg=;, b=Iv8rad/vwXuoDYQ8IwN5ZLa4m8/S26KFnk1/w59RPfszVn8veAlKaRHWfdXhzAc270, D8qUYmAJyVnTNJRwcIQvjag84svKJ6C5cUEsHlqxZu3eYcm81nNnS+ZOK9LSpZOGIj1j, F/lxpuLpkb1KdcvZv1Ru7S8wIvCrslikTD5Ebzk3T9V+om/3rKSRNozSuuXEK16be5fa, af2xWoLXQQGuQVgY8xSfs83RTTn/qb3+of5M+tXyeAyoalXEL8p8/mE+wdv6tgsMdtF2, QyUsmAMql3rVs2QwU4iG3L8zkv83AlBPzexNeLWlqLtyVWY4NX4uxTIhU4dCD9UWrpER, JpAg==, X-Gm-Message-State: AOJu0YzxbGQmVszBX1maZ3qFTAE3CoWOr5GLlbe1Y3ZMSUJglV1pstRe, DUkO6suvBKRLj91QeKe2YNK8PwHFZSlwneAcX2b9phN7KNrjRSH1F0AUpQ==, X-Gm-Gg: ASbGncs8tfZkyqSYROdELlZro/L3gOzczIN1oBV+ohBIDXh5y2eFJr0lCgJBQpdU81c, zj7VVppqrOxtzM39YADbhbME9+cRaD9JwV4+G7kCQ26nXSv3DKl7KC/oMGJuy7aOogJlgKge7dj, 
1r3g+Oibs2LC2AWRMaBHjpmhKo7OXafCayHBDHuhyDX4e8QFjTv4BJdqS3YUKC0KDTMTM8HNaPX, ZSfffd0FJjhjMiOVkolI8WYijf/jPB9nNAR/88YiQxnbiDYuN9YY3bSD6ewAUdtnrAHkV5oE0h3, kOtV, X-Google-Smtp-Source: AGHT+IEpFETQ9d+qKyDNw+r3e6vPcQ0Ju4NWKDyPJaWBeWbWWNKlt+2CmHWbG3hFPkNiFoj0GDgp9w==, X-Received: by 2002:a05:620a:2906:b0:7b6:7257:1359 with SMTP id af79cd13be357-7b6725716b6mr144790885a.13.1732554662648;, Mon, 25 Nov 2024 09:11:02 -0800 (PST), Received: from smtpclient.apple ([2001:56b:9fe3:bb67:4cb7:549a:da46:38fc]), by smtp.gmail.com with ESMTPSA id af79cd13be357-7b514048e51sm370752985a.88.2024.11.25.09.11.01, for <internaluser@domain.ca>, (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);, Mon, 25 Nov 2024 09:11:01 -0800 (PST), From: External User <externaluser@gmail.com>, X-Google-Original-From: External User <externaluser@gmail.com>, Content-Type: text/plain; charset=us-ascii, Content-Transfer-Encoding: 7bit, Mime-Version: 1.0 (1.0), Date: Mon, 25 Nov 2024 12:10:50 -0500, Subject: Test LtE, Message-Id: <12E12082-6C34-4825-AA7E-0FD52C3B7134@gmail.com>, To: =?utf-8?Q?InternalUser= <internaluser@domain.ca>, X-Mailer: iPhone Mail (22A3370)

 

 

Here is the log from MTA

 

[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (NOTICE)] emaild_new_connection(): [fw_conn_id=123, emaild_context_id=3654738582] New connection.
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (NOTICE)] pre(): sender='ExternalUser@gmail.com'
[mtad 13243 3809594176]@infFire[25 Nov 12:11:04] [EMAIL_MTA (WARNING)] async_op_task_dequeue(): queue(92c4014) is empty
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_SPF (NOTICE)] spf_scan_result(): SPF_response_result: pass
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (ERROR)] email_log_direction(): ms_ip_type(c0a864fd) failed. rc=-1
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (ERROR)] email_log_direction(): ms_ip_type(c0a864fd) failed. rc=-1
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (NOTICE)] pre() - :recipient='InternalUser@domain.ca'
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (NOTICE)] pre(): Message-ID=' <12E12082-6C34-4825-AA7E-0FD52C3B7134@gmail.com>'
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (NOTICE)] parseEmlFile() - 4Xxsfw07Lpz7t8J :[emailContextId=4231640330] MIME Parsing result: 0(Success)
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_AP (NOTICE)] handle() - 4Xxsfw07Lpz7t8J :AP policy off
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (WARNING)] email_ctengine_check_async_read_status(): The read operation is complete.
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (ERROR)] email_log_direction(): ms_ip_type(c0a864fd) failed. rc=-1
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_ASPAM (ERROR)] aspam_app_scan_cb() - 4Xxsfw07Lpz7t8J :rejecting mail with reason Spam email
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_ASPAM (NOTICE)] aspam_app_scan_cb() - 4Xxsfw07Lpz7t8J :block mail
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (NOTICE)] emaild_connection_handler(): [emaild_context_id=3654738582] End connection(send error).
[mtad 13243 4023886336]@infFire[25 Nov 12:11:23] [EMAIL_MTA (ERROR)] TEScanListener_LogParamsMapCleaner(): Erasing 4XxrKw189cz7t8J from logParams_map!!!

 

 

I've opened a case with Checkpoint but was wondering if anyone using MTA has this problem.

 

Thanks !

0 Kudos
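An added example, not part of the original post or of Check Point tooling: a small parser for the mtad lines above that reports which component rejected each queue ID and keeps that apart from ERROR lines that carry no queue ID. The line layout is inferred from the pasted log, and reading the `ms_ip_type()` argument as an IPv4 address in network byte order is an assumption.

```python
import re
import socket
from collections import defaultdict

LINE = re.compile(r"\[mtad \d+ (?P<tid>\d+)\]@(?P<host>\S+?)\[(?P<ts>[^\]]+)\] "
                  r"\[(?P<comp>\w+) \((?P<level>\w+)\)\] (?P<func>\w+)\(\)(?P<msg>.*)")

# Subset of the mtad lines pasted in the post above.
SAMPLE = """\
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_SPF (NOTICE)] spf_scan_result(): SPF_response_result: pass
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (ERROR)] email_log_direction(): ms_ip_type(c0a864fd) failed. rc=-1
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_MTA (NOTICE)] parseEmlFile() - 4Xxsfw07Lpz7t8J :[emailContextId=4231640330] MIME Parsing result: 0(Success)
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_AP (NOTICE)] handle() - 4Xxsfw07Lpz7t8J :AP policy off
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_ASPAM (ERROR)] aspam_app_scan_cb() - 4Xxsfw07Lpz7t8J :rejecting mail with reason Spam email
[mtad 13243 4023886336]@infFire[25 Nov 12:11:04] [EMAIL_ASPAM (NOTICE)] aspam_app_scan_cb() - 4Xxsfw07Lpz7t8J :block mail
"""

def parse(log):
    """Yield one dict per mtad line, with the queue ID when the line carries one."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            q = re.match(r" - (\w+) :", rec["msg"])
            rec["queue_id"] = q.group(1) if q else None
            yield rec

def triage(log):
    """Return ({queue_id: (component, reason)}, {function: count of unattributed ERRORs})."""
    rejected, unattributed = {}, defaultdict(int)
    for r in parse(log):
        hit = re.search(r"rejecting mail with reason (.+)", r["msg"])
        if hit and r["queue_id"]:
            rejected[r["queue_id"]] = (r["comp"], hit.group(1))
        elif r["level"] == "ERROR" and not r["queue_id"]:
            unattributed[r["func"]] += 1
    return rejected, dict(unattributed)

def hex_to_ipv4(h):
    # Assumption: the hex argument is an IPv4 address in network byte order.
    return socket.inet_ntoa(bytes.fromhex(h))

if __name__ == "__main__":
    print(triage(SAMPLE), hex_to_ipv4("c0a864fd"))
```

On the pasted lines the only reject decision comes from `EMAIL_ASPAM`, after SPF passed; the `email_log_direction()` errors are not tied to the message's queue ID.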
8 Replies
PhoneBoy
Admin

Looks like it is being rejected as Spam.
What blades are active here?

0 Kudos
emmap
Employee

I'm not trying to refute your events but it doesn't make sense that the gateway should care that it was sent on LTE vs WiFi - the gateway can't know that, as in both cases it's just getting emails from the gmail servers. Can you compare headers between the bounced one and a good one to see if there's anything that stands out between them? 

0 Kudos
Lesley
Leader

What do you have configured from the link below? How does the policy look?

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

Is the Anti-Spam blade enabled or disabled? The Anti-Spam blade should be disabled, I think, because it was moved to the MTA feature of the firewall some time ago.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Jean-Francois_G
Explorer

Hello, thanks all for trying to help me.

These are the active blades:

2024-11-26 09_14_15-Gateway Cluster Properties - infFire-Cluster.png

This bug is driving me crazy.

All Gmail email stopped bouncing at 15:25:21 EST yesterday (2024-11-25). It's not the first time it's doing this. Sometimes emails start to bounce and after a while it stops.

This morning we did the same test with an iPhone sending emails over LTE and the emails were not bounced.

So this seems to be random.

Bounced email from GMAIL over the last 7 days

2024-11-26 09_22_32-192.168.100.3-R81.20-SmartConsole.png

Overview of anti-spam policy

2024-11-26 09_26_06-192.168.100.3 - Check Point SmartDashboard R81.20 - Anti-Spam & Mail.png

 

Email header bounced yesterday:

Received: from mail-io1-f49.google.com (localhost [127.0.0.1])
by mail.domain.ca (Postfix) with ESMTPS id 4Xxv9g75Snz7t8J
for <Jean-Francois@domain.ca>; Mon, 25 Nov 2024 13:19:19 -0500 (EST)
Received: by mail-io1-f49.google.com with SMTP id ca18e2360f4ac-841acc8151aso20018439f.1
for <Jean-Francois@domain.ca>; Mon, 25 Nov 2024 10:19:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1732558759; x=1733163559; darn=domain.ca;
h=to:message-id:subject:date:mime-version:from
:content-transfer-encoding:from:to:cc:subject:date:message-id
:reply-to;
bh=e78r6HmUVOjNerrVh5AJwQcN2uDA6v//ZbXr2U2D0X0=;
b=YBx5z6WI9BAtl8h+k8mb50IqK+Wq3mRNRIHI1Grjm8QeSXTuMk1ckiE8zyyn2NnR4X
eFCcrqoI/8aXnskUX2I7KhCatcXEbtnmbx//byT4HqVyEaQC+mLtj93rgjj2RpLQvlwL
8YkfJe+L+BfCj1tDTF9D3QQ4yI9BESWc6yDPoF/CZtrC2siL/9/N4QzgEryIyLYEsRcG
NaG8odCGtGY70dx+aQ1enoyRb/R3ih/BUOo9uBXJIaopiH8kY3cbGplxRsc3zFbiIKSE
XHNeWZ4IYZcGYb3HIYS+9XuoBTl4J7asmfmHbG1nQ6Ug99/quoBv5K+Oq7Ox+u1hwg5G
mWkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1732558759; x=1733163559;
h=to:message-id:subject:date:mime-version:from
:content-transfer-encoding:x-gm-message-state:from:to:cc:subject
:date:message-id:reply-to;
bh=e78r6HmUVOjNerrVh5AJwQcN2uDA6v//ZbXr2U2D0X0=;
b=agMBTur2flkpPqSR8BUKrev9FB8GlhlGvsu0GL42Mzwgp4n9bIO+ZM/ejcIECci4I/
HmOU7nykx7vL9cK/zfYrw0q6yKy9dSqqOnBIkbRR3YhZu4SrexWqIn4rJ1KBq7A3tSDR
UtQk+io79wFLSZbKpfY+8uDPfQR6h5bN3BcNMlwFp254HFOup5V/aUczCUShsut9BHIX
TjZhfmpH+kgCSJdfZijpKzV+kFBXRq7oi5ltcCKc8fNYb+bIBItXsoMxI3+3O/IO0AAe
NWa4y3rziePPBvmq+wuEg/k4kx6YfcmdT1OWtPUR6W87y9zUo0SA2JUKrr8Yu9jFxFzt
NRAg==
X-Gm-Message-State: AOJu0YyNGOGSAC4ODP3C4ojgvKQiO4dOj/cv2+zuE1mJ7CBLDMl3iMHD
hTVgvn8xpBU2faC330ccU/JgCKJixH2cDAB2N2spF+0YkSYDCQERcq+z
X-Gm-Gg: ASbGnctC/R6kI9Lf7ydO/xLEeSsSUWUg8Cp9gI+OQ+uowSt5U2Ussc7u8iG7LWjx69N
1er3dyhnfkG86WMAiKI+0gnlYzxFI1oDVwYg/ot1oeazZ2Sino8WJkramG9P3RyoR1NK3h2crWu
WXOdbGnuG7Soayetbu+mV75yLu+9BO3Z0putu/Q58Y5M2uF1qX91K17nhWldjwocbfPyxHsjH7q
RbXHsQaqj8Wf0k4zNZe/KBhXZxPUbCrU11qpS4qFs3d/S4pRkOi8PW6IUOA4E7eU7BsJ2BeBm2k
wJv7N6zI2g==
X-Google-Smtp-Source: AGHT+IGl3mEBfu01knqpPWieFfAWF+0GkW5rcfnDj13SbqwprPZu+mQjtYlBQIjpzbRLnyUiu1nibA==
X-Received: by 2002:a05:6602:6406:b0:83b:2c8e:c4 with SMTP id ca18e2360f4ac-83ecdccd02amr1271249739f.9.1732558759051;
Mon, 25 Nov 2024 10:19:19 -0800 (PST)
Received: from smtpclient.apple ([2001:56b:9f18:fe11:b5da:6053:dd9a:adb0])
by smtp.gmail.com with ESMTPSA id 8926c6da1cb9f-4e209525bd2sm395255173.112.2024.11.25.10.19.18
for <Jean-Francois@domain.ca>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Mon, 25 Nov 2024 10:19:18 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Pat L <externaluser@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 25 Nov 2024 13:19:07 -0500
Subject: Test iOS LTE
Message-Id: <E84CB580-D724-4EAB-92C2-A3A70091BFBF@gmail.com>
To: =?utf-8?Q?Jean-Fran=C3=A7ois_Gu=C3=A9net?= <Jean-Francois@domain.ca>
X-Mailer: iPhone Mail (21G93)

 

Email header that passed this morning from the same iPhone:

Received: from mail-il1-f173.google.com (localhost [127.0.0.1])
by mail.domain.ca (Postfix) with ESMTPS id 4XyPp74ZDzz7t8J
for <Jean-Francois@domain.ca>; Tue, 26 Nov 2024 09:19:11 -0500 (EST)
Received: by mail-il1-f173.google.com with SMTP id e9e14a558f8ab-3a7a85d9a90so12190395ab.0
for <Jean-Francois@domain.ca>; Tue, 26 Nov 2024 06:19:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1732630750; x=1733235550; darn=domain.ca;
h=to:message-id:subject:date:mime-version:from
:content-transfer-encoding:from:to:cc:subject:date:message-id
:reply-to;
bh=by8e9di15GAyJSrZiWhQzXHkusLviOk0aJJnckIzL2Y=;
b=lD1mpytHMLGDKEP3lru1eZhg/9nKTmK1RruMq2rq00AQl3S0LLLN8qXCq6n4EEcReH
cEEOH18GDwygzWPLgfneSmYzruFZ3lIo9VeSxwurIm5uDliEXNJcpHo9XfNWq2YOV09t
tV/QM9jlDsrY52bG8OxM6p5zYloc6DysDe6xwsnY71R1qNbFhjiwA0DpVJX8amHYptQR
ic/GFVY16sNjjOOiKNguCSXO+g9j/YM7j7gmCk3lzJgTA+vKCUR3c9J4a9BWTmUcWxVh
BKrMqTHt/cHCpKcNDMVmVDeyPmjNWgtNPSvew+lTTLDqWudIBJo06QvmdPS4TW9WVvR5
wPrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1732630750; x=1733235550;
h=to:message-id:subject:date:mime-version:from
:content-transfer-encoding:x-gm-message-state:from:to:cc:subject
:date:message-id:reply-to;
bh=by8e9di15GAyJSrZiWhQzXHkusLviOk0aJJnckIzL2Y=;
b=X7KBjSaLrrmdSLHOVqk3151Ckc2IqnxRO7W01Eay5cjiCuBSKbhEaZUMHT4H4dJcpL
KgaoxqKBH5CcoKTFBU9+0cJ7jFcBOgcsm/3y4H8cRIC+WkPyWDz9lsyvsjJgQ1RfVEvj
9xQ7tCLMLN9xx2PL3noLfPmkuaoOndcu6XOUW2pSuUwUzXvStWnwRkuZt6F3NThjDPLA
jTbCr2ZHliMKYaiHbY02OKhz5brxyrDxkUD54a66kv5qHJHahU8Qbc+f4hK147kz1RVN
BnrMKZtst3OSDXnw9AAscxXRMMCfRFLzIc9seD1QkVB/P+3znO8yd8n4pmLON1/5rELo
exSg==
X-Gm-Message-State: AOJu0Yxn6yTgk9Rc4kLmpmWYJKsagH0zwJ5YzAbscIc5oXaershBFnWB
Xbtbk4N7wpp+mhqAbjzrtzkCB4drm6XKfszJr5rDPzEMbaytjHWYN1XE
X-Gm-Gg: ASbGncuOI0Ov2qqsjIYwQKpy6mUOQhDCgHxk7ncS1rQNkyaLpyBA3KDy1SNpAmVc94L
E7gMTSb1wy0/UvkZQIR6EiXMrNLYdCpMkWlHZsetWn3+vJYour0GzSiLoruUxF0kcUhG/auF0/f
sjMrGaAMG8/96Tw5J3qqXsryJBjpN2Z/T1iO1EfNcJL71gz8qkfhe483Jhdx+kT5UFdEwvrg1xc
RZrU8hJt6fF3QCbltzi0HWXKaBM2Eh2Jzx+8uRJbTKaad1CbEYIv+kkYVfnAea3B8w/hVHIvmhM
U2rxx+Dmwg==
X-Google-Smtp-Source: AGHT+IGw1ZHAAlm8XppCjzzp159e02zz5IjwoohHUIizAxg1qLdUZamcfDboLG05+iVmmFBDkTGBEQ==
X-Received: by 2002:a05:6e02:1ca7:b0:3a7:c2ea:1095 with SMTP id e9e14a558f8ab-3a7c2ea1434mr11351275ab.1.1732630750634;
Tue, 26 Nov 2024 06:19:10 -0800 (PST)
Received: from smtpclient.apple ([2001:56b:9f18:fe11:b5da:6053:dd9a:adb0])
by smtp.gmail.com with ESMTPSA id e9e14a558f8ab-3a79acd3d35sm22016345ab.79.2024.11.26.06.19.09
for <Jean-Francois@domain.ca>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Tue, 26 Nov 2024 06:19:10 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Pat L <externaluser@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Tue, 26 Nov 2024 09:18:58 -0500
Subject: Test natif - LTE
Message-Id: <E847BFA7-3860-43CF-AD81-88E0934629E6@gmail.com>
To: =?utf-8?Q?Jean-Fran=C3=A7ois_Gu=C3=A9net?= <Jean-Francois@domain.ca>
X-Mailer: iPhone Mail (21G93)

0 Kudos
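The header comparison suggested earlier in the thread, as an added example that is not part of any post: the two samples are abridged from the bounced and passed header sets above (signature and tracking headers left out), and the choice of fields to compare is an assumption about what a filter could key on.

```python
import re
from email import message_from_string

# Abridged from the two header sets posted above.
BOUNCED = """\
Received: from mail-io1-f49.google.com (localhost [127.0.0.1])
 by mail.domain.ca (Postfix) with ESMTPS id 4Xxv9g75Snz7t8J
Received: from smtpclient.apple ([2001:56b:9f18:fe11:b5da:6053:dd9a:adb0])
 by smtp.gmail.com with ESMTPSA
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: iPhone Mail (21G93)
"""
PASSED = """\
Received: from mail-il1-f173.google.com (localhost [127.0.0.1])
 by mail.domain.ca (Postfix) with ESMTPS id 4XyPp74ZDzz7t8J
Received: from smtpclient.apple ([2001:56b:9f18:fe11:b5da:6053:dd9a:adb0])
 by smtp.gmail.com with ESMTPSA
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: iPhone Mail (21G93)
"""

def fingerprint(raw_headers):
    """Reduce a header block to the fields that do not change on every message."""
    msg = message_from_string(raw_headers)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]  # unfold
    first_hop, submit_hop = hops[0], hops[-1]  # newest hop is listed first
    tls = re.search(r"version=(\S+) cipher=(\S+)", submit_hop)
    return {
        "relay": re.match(r"from (\S+)", first_hop).group(1),
        "client_ip": re.search(r"\[([0-9a-fA-F:.]+)\]", submit_hop).group(1),
        "tls": " ".join(tls.groups()) if tls else None,
        "content_type": msg.get("Content-Type"),
        "encoding": msg.get("Content-Transfer-Encoding"),
        "mailer": msg.get("X-Mailer"),
    }

def differing_fields(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    fa, fb = fingerprint(a), fingerprint(b)
    return {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}

if __name__ == "__main__":
    print(differing_fields(BOUNCED, PASSED))
```

On these two messages only the Google relay host differs; the client address, TLS parameters, content type, transfer encoding and mailer build are identical.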
PhoneBoy
Admin

Your best bet is to involve TAC here.

0 Kudos
Jean-Francois_G
Explorer

Yes already did that 

0 Kudos
Chris_Atkinson
Employee

The Origin / Apple / Gmail (Google) wouldn't be immune to getting their IPs listed for bad reputation, have you checked that they don't appear on various RBLs etc?

CCSM R77/R80/ELITE
0 Kudos
Jean-Francois_G
Explorer

Yes, and they always get blocked by "Content Anti-Spam".

0 Kudos
