The Community Forums

Mail server is trying to open port 110 on client?????

Discussion in 'E-mail Discussions' started by jasgot, May 1, 2009.

  1. jasgot

    jasgot Well-Known Member

    I have a Windows SBS server at a customer location that retrieves the mail for all the internal users via the SBS "POP3 Connector". It simply uses POP3 to fetch mail for all the users and then places the mail into their MS Exchange mailbox.


    We installed a Sonicwall Firewall today and I immediately noticed that the mail server (with WHM/cPanel installed) is trying to connect or is doing a port scan on this SBS server.

    Why would the WHM/Cpanel server be trying to connect back to the SBS box that is retrieving mail via pop3?

    Also, the SBS box gets mail every 7.5 minutes, but the WHM/Cpanel box is trying to connect to the SBS box on port 110 every 1 or 2 minutes.

    Thanks, I'm stumped!

    Jason
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    So you're saying that Exim is attempting to connect to the Microsoft Windows Small Business Server to retrieve mail over POP3?
     
  3. jasgot

    jasgot Well-Known Member

    That's exactly what it looks like. The firewall is logging incoming connections on port 110 from the exim server, trying to get to the SBS server.
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    You state that it is coming from the Exim server. Is the exim process sending out these connections? You can check on your source server by using netstat.
     
  5. jasgot

    jasgot Well-Known Member

    Netstat provides more data than I can interpret. Is there a specific command?
     
  6. jasgot

    jasgot Well-Known Member

    This is what I am getting every minute or so. The destination ports change all the time. These scans are coming from the cPanel server.


    05/12/2009 15:15:14.800 Alert Intrusion Prevention Possible port scan detected 74.54.40.237, 110, WAN, ed.28.364a.static.theplanet.com 99.166.11.189, 32683, WAN TCP scanned port list, 32401, 32686, 32684, 32685, 32682
     
  7. jasgot

    jasgot Well-Known Member

    I got this from a netstat -t 110

    tcp 0 0 ed.28.364a.static.thep:pop3 adsl-99-166-11-189.ds:33099 TIME_WAIT
    tcp 0 0 ed.28.364a.static.thep:pop3 adsl-99-166-11-189.ds:33098 TIME_WAIT
    tcp 0 0 ed.28.364a.static.thep:pop3 adsl-99-166-11-189.ds:33097 TIME_WAIT
    tcp 0 0 ed.28.364a.static.thep:pop3 adsl-99-166-11-189.ds:33096 TIME_WAIT
    tcp 0 0 ed.28.364a.static.thep:pop3 adsl-99-166-11-189.ds:33103 TIME_WAIT
    tcp 0 0 ed.28.364a.static.thep:pop3 adsl-99-166-11-189.ds:33102 TIME_WAIT
    tcp 0 0 ed.28.364a.static.thep:pop3 adsl-99-166-11-189.ds:33101 TIME_WAIT
    tcp 0 0 ed.28.364a.static.thep:pop3 adsl-99-166-11-189.ds:33100 TIME_WAIT
     
    #7 jasgot, May 12, 2009
    Last edited: May 12, 2009
  8. chirpy

    chirpy Well-Known Member

    That netstat output shows connections from random ports on your PC to the POP3 service on the server. You can get all port 110 connections using:

    netstat -autpn | grep :110

    The only explanation I can think of (apart from a bug in the PC firewall software) is if you have configured a webmail client on the server to retrieve POP3 email from an account and used your PC IP address by mistake.
     
  9. jasgot

    jasgot Well-Known Member

    Thanks Chirpy,

    The "PC" is actually a Windows SBS 2003 Server. It is running the POP3 Connector to collect e-mail from the cPanel server and drop the messages into the local Exchange mailboxes.

    Here is the output from your recommended netstat statement:

    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44259 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44258 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44257 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44256 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44263 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44262 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44261 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44260 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44267 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44266 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44265 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44264 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44255 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44254 TIME_WAIT -
    tcp 0 0 ::ffff:74.54.40.237:110 ::ffff:99.166.11.189:44253 TIME_WAIT -



    If I look at the firewall, these same ports are listed as being hit.

    Also, I notice that the ports are increasing, one port at a time, and they increase from one set of connections to the next.

    i.e., the above list goes from 44253 to 44267; 20 minutes ago, they went from 44240 to 44252, and before that it was 44232 to 44239.

    I thought pop3 was initiated by the client? Also, the client is connecting at 7.5 minute intervals, the connections from the cPanel server to the client are every minute or so...

    Thanks.

    Jason
     
    #9 jasgot, May 13, 2009
    Last edited: May 13, 2009
  10. chirpy

    chirpy Well-Known Member

    Those incrementing connections simply show the Windows server connecting to the web hosting server's POP3 service.
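
Added example, not part of any post in this thread: a shell function that reads `netstat -tn` style lines and reports, per peer, whether port 110 sits on the local side (a remote client connected to this host's POP3 service) or on the foreign side (this host is the POP3 client), with the range of ephemeral ports seen. The function names, the sample lines and the documentation-range addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Classify TCP connections touching port 110 by direction.
# Input: `netstat -tn` style lines on stdin (column 4 = local, column 5 = foreign).
#   local port 110   -> inbound:  a remote client connected to OUR POP3 service
#   foreign port 110 -> outbound: THIS host is acting as a POP3 client
classify_pop3() {
  awk '
    $1 ~ /^tcp/ {
      # The port is whatever follows the last ":"; this covers both
      # 1.2.3.4:110 and the IPv4-mapped form ::ffff:1.2.3.4:110.
      lport = $4; sub(/.*:/, "", lport)
      fport = $5; sub(/.*:/, "", fport)
      peer = $5; sub(/:[^:]*$/, "", peer); sub(/^::ffff:/, "", peer)
      if (lport == "110")      { dir = "inbound";  eph = fport }
      else if (fport == "110") { dir = "outbound"; eph = lport }
      else next                      # not a POP3 connection
      key = dir " " peer
      n[key]++
      # Track the lowest and highest ephemeral port per peer and direction.
      if (!(key in lo) || eph + 0 < lo[key] + 0) lo[key] = eph
      if (!(key in hi) || eph + 0 > hi[key] + 0) hi[key] = eph
    }
    END {
      for (k in n)
        printf "%s count=%d ephemeral=%s-%s\n", k, n[k], lo[k], hi[k]
    }
  ' | sort
}

# Constructed sample input (not real output), shaped like the listings above.
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 ::ffff:192.0.2.10:110 ::ffff:198.51.100.7:44253 TIME_WAIT -
tcp 0 0 ::ffff:192.0.2.10:110 ::ffff:198.51.100.7:44254 TIME_WAIT -
tcp 0 0 ::ffff:192.0.2.10:110 ::ffff:198.51.100.7:44255 TIME_WAIT -
tcp 0 0 192.0.2.10:51000 203.0.113.5:110 ESTABLISHED 1234/fetchmail
tcp 0 0 192.0.2.10:25 198.51.100.7:40000 ESTABLISHED 999/exim
EOF
}

sample_netstat | classify_pop3
```

On a live server the same function can be fed with `netstat -tn | classify_pop3`; only "outbound" rows mean the host itself is opening connections to someone's port 110.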
     