SonicWall IPS Service Blocking Mail Stream


Customers with SonicWall firewalls have been experiencing slow mail delivery times. One cause has been narrowed down to a new service available on the SonicWall OS: mail flow from our routing servers is disrupted every 60 minutes by a "From Content Overflow" check in the SonicWall IPS (Intrusion Prevention Service). SonicWall IPS users might find a log entry from one of AppRiver’s mail servers similar to “IPS Detection Alert: From Content Overflow Attempt, SID: 742, Priority: Medium”, or an entry for SID 3232, which relates to the vCalendar MIME type that was being prevented. To receive mail in a timely fashion, it is recommended that the “From Content Overflow Attempt” policy be modified so that this traffic is not prevented by the SonicWall IPS. Please note that if you are using Sendmail 5.79 to 8.12.7, you will be disabling a policy that might need to be enforced to prevent attacks on your mail server.

To modify this policy so that attacks are logged but not prevented, follow these steps:

  1. Log in to your SonicWall.
  2. Click Security Services.
  3. Click Intrusion Prevention.
  4. Under the IPS Policies section, enter 742 in the Lookup ID box and then click the Configure button.
  5. Change Prevention to Disable and Detection to Enable.
  6. Click OK.


SonicWall users have reported that disabling the IPS intrusion protection rule for SID 3232 (an SMTP calendar exploit) makes this problem go away.
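One way to check, before switching SID 742 or 3232 to detect-only, which sources are actually triggering those signatures (an added example, not part of the original article). The syslog field layout (`src=`, `msg=`), the relay addresses, the SID 3232 signature name and the sample lines are assumptions constructed for illustration; substitute the mail-server addresses your provider publishes.

```python
import re
from collections import defaultdict

# SIDs named in the article: 742 (From Content Overflow Attempt), 3232 (vCalendar MIME type).
ARTICLE_SIDS = {"742", "3232"}
# Assumed placeholder relay addresses (documentation range), not AppRiver's real servers.
EXPECTED_RELAYS = {"192.0.2.10", "192.0.2.11"}

# The article quotes the "IPS Detection Alert: <name>, SID: <n>, Priority: <p>" form.
ALERT_RE = re.compile(r'IPS \w+ Alert: (?P<name>[^,"]+), SID: (?P<sid>\d+), Priority: (?P<prio>\w+)')
# Assumed source field: src=<ip>[:port:interface]
SRC_RE = re.compile(r'\bsrc=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})')

# Constructed sample export; not real firewall output.
SAMPLE_LOG = '''\
time="2024-01-01 09:00:02" msg="IPS Detection Alert: From Content Overflow Attempt, SID: 742, Priority: Medium" src=192.0.2.10:41022:X1 dst=10.0.0.5:25:X0
time="2024-01-01 09:14:40" msg="Connection Opened" src=10.0.0.8:51000:X0 dst=198.51.100.4:443:X1
time="2024-01-01 10:00:03" msg="IPS Detection Alert: From Content Overflow Attempt, SID: 742, Priority: Medium" src=192.0.2.10:41388:X1 dst=10.0.0.5:25:X0
time="2024-01-01 10:20:11" msg="IPS Detection Alert: vCalendar MIME type (constructed name), SID: 3232, Priority: Medium" src=192.0.2.11:40110:X1 dst=10.0.0.5:25:X0
time="2024-01-01 11:47:55" msg="IPS Detection Alert: From Content Overflow Attempt, SID: 742, Priority: Medium" src=203.0.113.77:50311:X1 dst=10.0.0.5:25:X0
time="2024-01-01 12:01:09" msg="IPS Detection Alert: Unrelated Signature (constructed), SID: 9999, Priority: Low" src=203.0.113.77:50400:X1 dst=10.0.0.5:80:X0
'''

def summarize(lines, sids=ARTICLE_SIDS):
    """Count alerts per SID and source IP, ignoring every other signature."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        alert = ALERT_RE.search(line)
        if not alert or alert["sid"] not in sids:
            continue
        src = SRC_RE.search(line)
        counts[alert["sid"]][src["ip"] if src else "unknown"] += 1
    return {sid: dict(by_ip) for sid, by_ip in counts.items()}

def unexpected_sources(summary, expected=EXPECTED_RELAYS):
    """(SID, source) pairs that are not known relays and need review first."""
    return sorted((sid, ip) for sid, by_ip in summary.items()
                  for ip in by_ip if ip not in expected)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for sid, by_ip in sorted(summary.items()):
        print(f"SID {sid}: {by_ip}")
    print("Not from expected relays:", unexpected_sources(summary))
```

If every hit comes from the expected relays, the alerts match the false positive described above; any other source is worth investigating before prevention is turned off for that SID.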

To disable the email filter within your SonicWall, follow these steps:
  1. Log in to the firewall.
  2. Navigate to the Security Services tab.
  3. Click Email Filter.
  4. Disable the e-mail filter.
  5. Try to release the delivery queue.

Note: AppRiver Support was on a phone call with a client and a SonicWall rep, discussing why a particular message could not be relayed from our delivery server to their mail server. They went through disabling the usual settings, the email filter and the IPS (Intrusion Prevention System). Neither of these helped. There was, however, another setting labeled Content Filtering, which the SonicWall rep stated was for the web. As soon as this setting was disabled, the message relayed successfully. This setting is under the Security Services tab, just like the Email Filter.

To disable content filtering from within the Web filter of your SonicWall, follow these steps:
  1. Log in to the firewall.
  2. Navigate to the Security Services tab.
  3. Click Content Filtering.
  4. Disable the Content Filter.
  5. Try to release the delivery queue.