McAfee and SMTP Traffic

I’ve been chasing after an issue with a new Exchange deployment not sending any outbound mail. When you telnet to port 25 on any SMTP server, it just fails straight away, as if there’s a firewall or something in between. I finally got a network trace and the very odd thing was that there was absolutely no network traffic at all. Usually you would see a bunch of TCP SYNs (with no SYN-ACK coming back) if there was a firewall in the mix.

I noticed that McAfee’s little shield in the tray was bright red, which it does when it has something to say. The Access Protection log had these nice entries (well, a lot of them) in it:

6/29/2009    11:39:13 AM    Blocked by port blocking rule     C:\Exchange\Bin\edgetransport.exe    Anti-virus Standard Protection:Prevent mass mailing worms from sending mail    10.100.10.16:25

6/29/2009    11:40:46 AM    Blocked by port blocking rule     C:\Windows\system32\telnet.exe    Anti-virus Standard Protection:Prevent mass mailing worms from sending mail    10.100.10.15:25

You can see Exchange trying to relay mail (the Edge Transport process) and me trying to test it by hand (telnet). What is happening is that McAfee’s Access Protection port blocking rule "Prevent mass mailing worms from sending mail" blocks outbound TCP connections to port 25 from any process that is not on the rule’s exclusion list. Because the block is enforced on the host itself, the connection is refused before a SYN ever reaches the wire, which is exactly why the trace was empty and why it looked nothing like a firewall drop.
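Before changing policy it is worth knowing which processes the rule is actually blocking, since the same rule that stops Exchange is also the one that would catch a real mass-mailer. The following is an added example, not code from the original post: it parses Access Protection log entries in the shape quoted above (date, time, action, process, rule, remote address:port, tab-separated in the log file but collapsed to runs of spaces in the post), keeps only port-blocking hits on TCP 25, and splits them into processes that are expected to send mail on an Exchange box and everything else. The sample log lines are constructed (the third one is made up to show an unexpected sender), and the set of expected sender executables is an assumption to adjust for your own servers.

```python
import re
from collections import defaultdict

# Constructed sample log in the same six-field shape as the entries quoted in
# the post. Tab-separated as in AccessProtectionLog.txt; the third line is an
# invented entry for an unrecognised process, not something from the real log.
SAMPLE_LOG = (
    "6/29/2009\t11:39:13 AM\tBlocked by port blocking rule\t"
    "C:\\Exchange\\Bin\\edgetransport.exe\t"
    "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail\t"
    "10.100.10.16:25\n"
    "6/29/2009\t11:40:46 AM\tBlocked by port blocking rule\t"
    "C:\\Windows\\system32\\telnet.exe\t"
    "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail\t"
    "10.100.10.15:25\n"
    "6/29/2009\t11:41:02 AM\tBlocked by port blocking rule\t"
    "C:\\Users\\Public\\mailer.exe\t"
    "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail\t"
    "203.0.113.7:25\n"
)

# Assumption: executables that legitimately talk SMTP on an Exchange transport
# server. Extend this for your own environment (e.g. a monitoring agent).
EXPECTED_SENDERS = {"edgetransport.exe"}

PORT_BLOCK_ACTION = "Blocked by port blocking rule"


def parse_entry(line):
    """Split one log line into its six fields, or return None if it does not fit.

    Accepts the on-disk tab-separated form and the post's rendering, where the
    tabs became runs of two or more spaces.
    """
    line = line.strip()
    if not line:
        return None
    fields = line.split("\t") if "\t" in line else re.split(r"\s{2,}", line)
    if len(fields) != 6:
        return None
    date, time, action, process, rule, endpoint = (f.strip() for f in fields)
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return {
        "when": f"{date} {time}",
        "action": action,
        "process": process,
        "rule": rule,
        "host": host,
        "port": int(port),
    }


def triage(log_text, expected_senders=EXPECTED_SENDERS, smtp_port=25):
    """Return (expected, unexpected): process path -> list of blocked endpoints.

    Only port-blocking hits on smtp_port are considered. A process lands in
    'expected' when its executable name is in expected_senders; everything else
    needs a human look. The post's own telnet test shows up as 'unexpected',
    which is the point: the list is for review, not for blind action.
    """
    expected, unexpected = defaultdict(list), defaultdict(list)
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None or entry["action"] != PORT_BLOCK_ACTION:
            continue
        if entry["port"] != smtp_port:
            continue
        exe = entry["process"].rsplit("\\", 1)[-1].lower()
        bucket = expected if exe in expected_senders else unexpected
        bucket[entry["process"]].append(f'{entry["host"]}:{entry["port"]}')
    return dict(expected), dict(unexpected)


if __name__ == "__main__":
    ok, suspect = triage(SAMPLE_LOG)
    print("Expected senders blocked (candidates for the rule's exclusion list):")
    for proc, targets in ok.items():
        print(f"  {proc}: {', '.join(targets)}")
    print("Other processes blocked on port 25 (review these):")
    for proc, targets in suspect.items():
        print(f"  {proc}: {', '.join(targets)}")
```

Run it against a copy of the real AccessProtectionLog.txt instead of SAMPLE_LOG and the first list tells you what to exclude from the rule; anything in the second list that is not an administrator with a telnet session deserves a closer look before you loosen the policy at all.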

In order to turn this off, you need to go into ePO and edit the Access Protection policy that applies to your servers. Inside the policy, go to Anti-virus Standard Protection and uncheck both boxes (Block and Report) for Prevent mass mailing worms from sending mail. If you would rather keep the rule for everything else on the box, the less drastic fix is to leave it enabled and add the Exchange transport executable (edgetransport.exe) to the rule’s list of excluded processes, so only Exchange is allowed out on port 25.

Don’t forget to do this for both the "Server" and "Workstation" policies (or just the server one).
