We are seeing SMTP connection timeouts. The connection first hits the device that will proxy the connection to the mail server. The proxy server opens a secondary connection to the configured mail relay when it itself receives a new connection. After the initial connection it mirrors all the SMTP commands from the primary connection to the secondary connection to the mail relay. It then receives the mail, processes it and forwards it via the secondary connection. We see errors on the proxy that would indicate that the processing can take more than the connection timeout of the mail relay on the secondary connection. I would have to prove that. Where to capture? Thx

asked 14 Jan '16, 06:37 proxyguy
One Answer:
You need to capture both connections, the one between client and proxy, and the other one between proxy and server. If the proxy has only one interface, capture that link. If it has two or more, capture all of them at the same time if the connections use them. You basically need to compare what the two connections are doing.

answered 14 Jan '16, 08:01 Jasper ♦♦
How would I be able to match the packets arriving at the proxy to the packets leaving it towards our mail server?
There's a NAT in front of the proxy, so all packets that arrive at the proxy will always have the same src address.
Thx
You can try matching by TCP payloads of the packets - it's time-consuming, but it might be the only option.
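
One way to automate the payload matching suggested in the last comment, as an added example that is not part of the original thread. It assumes each capture was exported with `tshark -r <file> -Y "tcp.len > 0" -T fields -e frame.time_epoch -e tcp.stream -e tcp.payload`, that the proxy forwards each segment's payload unchanged, and that both captures share a clock; the sample rows and the 300 s timeout are constructed placeholders.

```python
import hashlib
from collections import defaultdict, deque

def parse(lines):
    """'epoch<TAB>tcp.stream<TAB>hex payload' -> sorted (time, stream, digest)."""
    out = []
    for line in lines:
        ts, stream, hexpl = line.rstrip("\n").split("\t")
        payload = bytes.fromhex(hexpl.replace(":", ""))  # tolerate aa:bb:cc hex
        out.append((float(ts), int(stream), hashlib.sha256(payload).hexdigest()))
    return sorted(out)

def match(client_side, relay_side):
    """Pair every client-side payload with the first unused identical payload
    that leaves the proxy later. Returns (client_stream, relay_stream, delay_s)."""
    pending = defaultdict(deque)
    for ts, stream, digest in relay_side:
        pending[digest].append((ts, stream))
    pairs = []
    for ts, stream, digest in client_side:
        queue = pending[digest]
        while queue and queue[0][0] < ts:  # sent before this packet arrived
            queue.popleft()
        if queue:
            rts, rstream = queue.popleft()
            pairs.append((stream, rstream, round(rts - ts, 3)))
    return pairs

def slow(pairs, timeout_s):
    """Payloads the proxy held longer than the relay's idle timeout."""
    return [p for p in pairs if p[2] > timeout_s]

# Constructed sample data (not from a real capture): one SMTP session.
def _row(ts, stream, payload):
    return f"{ts}\t{stream}\t{payload.hex()}"

BODY = b"Subject: test\r\n\r\nhello\r\n.\r\n"
CLIENT_SIDE = [_row(100.0, 0, b"MAIL FROM:<a@example.com>\r\n"),
               _row(100.2, 0, b"RCPT TO:<b@example.net>\r\n"),
               _row(100.4, 0, b"DATA\r\n"),
               _row(100.6, 0, BODY)]
RELAY_SIDE = [_row(100.01, 5, b"MAIL FROM:<a@example.com>\r\n"),
              _row(100.21, 5, b"RCPT TO:<b@example.net>\r\n"),
              _row(100.41, 5, b"DATA\r\n"),
              _row(400.9, 5, BODY)]
RELAY_TIMEOUT_S = 300  # placeholder; use the relay's configured value

if __name__ == "__main__":
    pairs = match(parse(CLIENT_SIDE), parse(RELAY_SIDE))
    for cs, rs, delay in slow(pairs, RELAY_TIMEOUT_S):
        print(f"client stream {cs} -> relay stream {rs}: held {delay}s")
```

Payloads that repeat across sessions (for example `DATA`) can pair with the wrong stream under load, so rely on the unique ones such as the envelope addresses and the message body to confirm which relay stream belongs to which client stream.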