DevHeads.net

AWS timeout

Hello list,

Bit of a weird one here. I have hosts at AWS sending mail across a
Checkpoint VPN to my main private relay server (it basically serves to relay
mail to O365 for in-house applications). The problem is that the sending
client never receives the BYE from the server after QUIT. The mail goes through and
is delivered OK. This is bad because our timeout is 300s and if you have
anything more than a small amount of mail to send, your connections waiting
to time out build up at the client and cause problems with applications. Mail
from non-AWS sources does not have this problem across other legs of our
Checkpoint VPN.

I have done packet captures at the source, the destination, and the two Checkpoint
FWs which are the VPN endpoints. I can clearly see what appears to be
filtering occurring on the QUIT, but I am really struggling to determine
where said filtering is coming from. I can recreate the issue with a simple
mailx command; originally it was reported from a Java mail client (so
multiple clients exhibit the same issue).

And before you ask, we have already had AWS support remove the SMTP
throttling for this host. We have also looked at Checkpoint logging and can
find no evidence it is being throttled at those devices.

Source host is CentOS 7. Destination host is CentOS 6. Both have the latest
kernel and patches for everything. Postfix version is
postfix-2.6.6-8.el6.x86_64.

Thanks for any suggestions.

postconf -n below
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 78643200
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 78643200
mydestination = $myhostname,localhost.$mydomain,localhost,idcsmtp2.$mydomain,idcsmtp5.$mydomain,relay.$mydomain
mynetworks = 10.0.0.0/8, 198.112.99.0/24, ***.***.***.***/21
mynetworks_style = class
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = bounce, 2bounce, delay, protocol, resource, software
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, $mydomain, example.com, example.com
relayhost = [example.protection.outlook.com]
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550

source pcap
https://insideidc-my.sharepoint.com/:u:/g/personal/fhare_idc_com/ETWH_87w1AhCtSdpgzeoNwYBitZBm4HecmF0WBR2RHKOfA?e=Ln03Cq

source Checkpoint VPN endpoint pcap
https://insideidc-my.sharepoint.com/:u:/g/personal/fhare_idc_com/ET3RjKJ_3xdOuvog3fPe8xQBUUUK8qQ7VdOSsnA6oiK4yw?e=vADRze

destination Checkpoint VPN endpoint pcap
https://insideidc-my.sharepoint.com/:u:/g/personal/fhare_idc_com/EdGaYYr_pzBNiKkji2kb034BvBv3LJ6ooMRjXz-2ddp9NA?e=iDaBr0

destination postfix pcap
https://insideidc-my.sharepoint.com/:u:/g/personal/fhare_idc_com/EUKXDSXYitxArxc4EeVIELIBVrgufBDnYGIZ3K9BC6GCAQ?e=FnUDNM
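A small probe for the symptom described in the post, added here as an example and not part of the original message or of Postfix: it speaks just enough SMTP to send QUIT and time the 221 reply, using a short socket timeout instead of the 300s application timeout, so the probe can be run against each hop of the path (source host, VPN endpoints, relay) to find where the reply disappears. The in-process stand-in relay, the host names and the timing values are constructed for the demonstration.

```python
import socket
import threading
import time

def read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return its 3-digit code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("peer closed the connection")  # FIN, not a hang
        if len(line) >= 4 and line[3:4] == b" ":   # "250 " ends a reply, "250-" continues it
            return int(line[:3])

def probe_quit(host, port, timeout=2.0):
    """EHLO, then QUIT, and time the 221. Returns (code, seconds); code is None on timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        read_reply(f)                       # 220 greeting
        s.sendall(b"EHLO probe.example\r\n")
        read_reply(f)                       # 250 reply to EHLO
        s.sendall(b"QUIT\r\n")
        t0 = time.monotonic()
        try:
            code = read_reply(f)
        except socket.timeout:              # 221 never arrived: the post's symptom
            code = None
        return code, time.monotonic() - t0

def start_fake_relay(swallow_quit):
    """Constructed stand-in relay; swallow_quit=True accepts QUIT but never answers 221."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 relay.example ESMTP\r\n")
            for raw in conn.makefile("rb"):
                cmd = raw.strip().upper()
                if cmd.startswith(b"EHLO"):
                    conn.sendall(b"250 relay.example\r\n")
                elif cmd.startswith(b"QUIT") and not swallow_quit:
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break               # swallowed QUIT falls through: hold open until the client gives up
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for swallow in (False, True):
        print("filtered" if swallow else "healthy", probe_quit("127.0.0.1", start_fake_relay(swallow)))
```

Against a real relay, a 221 seen at the server-side capture but a timeout from the probe on the client side brackets the filtering to the hops in between.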