Outbound SMTP emails with attachments time out when the DFW is in the data path
Article ID: 408993

Products

VMware NSX VMware vDefend Firewall

Issue/Introduction

When an SMTP server VM resides on an ESXi host that has an NSX 4.x security-only installation, outbound emails with larger attachments time out. Emails without attachments are delivered successfully.

When the SMTP VM is placed in the DFW exclusion list, emails with and without attachments are delivered without issue. Incoming email traffic is not affected.


Behavior Noticed:

  • With DFW enabled and load balancer removed from the data path, all attachments were delivered successfully.

  • With DFW enabled and load balancer in the data path, emails with larger attachments timed out.

  • With the VM excluded from DFW (no filters), all attachments were delivered successfully regardless of whether the load balancer was in the data path.

Environment

  • VMware NSX

  • VMware vDefend Firewall

Cause

  1. The issue occurs when the SMTP VM is migrated to a new VCF NSX 4.x environment with an NSX security-only installation.

  2. The issue is observed when a load balancer is present in the data path acting as a relay to the SMTP server.

The combination of DFW and load balancer in the data path triggers the timeout behavior.

Resolution

  • Exclude the SMTP server VM from the Distributed Firewall (DFW).

  • If a load balancer is in the data path, place the load balancer VM in the DFW exclusion list.

  • If the load balancer in the data path is acting as a relay to the SMTP server, ensure the load balancer VM is included in the DFW exclusion list.

In general, virtual machines such as load balancers, firewalls, virtual network functions (routing, switching, etc.), and any virtual machines that require promiscuous mode must be in a DFW exclusion list.
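The following script is an added verification example, not part of this KB or of any VMware tooling: it sends probe mails with increasing attachment sizes through the relay with a fixed timeout and reports which sizes time out, so delivery can be compared before and after the VMs are added to the DFW exclusion list. The relay host, port, and mailbox addresses are constructed placeholders.

```python
import os
import smtplib
import socket
from email.message import EmailMessage

# Constructed placeholders; point these at the relay (load balancer) in front
# of the SMTP server VM and at a mailbox you control.
RELAY_HOST = "smtp-relay.example.internal"
RELAY_PORT = 25
SENDER = "probe@example.internal"
RECIPIENT = "inbox@example.internal"
TIMEOUT_SECONDS = 30


def build_message(attachment_bytes: int) -> EmailMessage:
    """Build a probe mail carrying a random binary attachment of the given size."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = f"DFW attachment probe ({attachment_bytes} bytes)"
    msg.set_content("Probe message for outbound SMTP through the relay.")
    msg.add_attachment(os.urandom(attachment_bytes),
                       maintype="application", subtype="octet-stream",
                       filename=f"probe-{attachment_bytes}.bin")
    return msg


def attachment_size(msg: EmailMessage) -> int:
    """Return the decoded size of the first attachment (sanity check on the probe)."""
    for part in msg.iter_attachments():
        return len(part.get_payload(decode=True))
    return 0


def send_probe(attachment_bytes: int) -> str:
    """Send one probe; return 'delivered', 'timeout' or 'error: <detail>'."""
    try:
        with smtplib.SMTP(RELAY_HOST, RELAY_PORT, timeout=TIMEOUT_SECONDS) as smtp:
            smtp.send_message(build_message(attachment_bytes))
        return "delivered"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except (smtplib.SMTPException, OSError) as exc:
        return f"error: {exc}"


def probe_sizes(sizes):
    """Send probes in increasing size order and return {size: outcome}.
    A run of 'delivered' followed by 'timeout' reproduces the symptom in
    this article; all 'delivered' after the exclusion-list change confirms the fix."""
    results = {}
    for size in sizes:
        results[size] = send_probe(size)
        print(f"{size:>10} bytes: {results[size]}")
    return results


if __name__ == "__main__":
    probe_sizes([0, 64 * 1024, 1024 * 1024, 5 * 1024 * 1024])
```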

Additional Information

This is not a bug.

The timeout issue is only observed when DFW is enabled and a load balancer is configured in the data path, which is an unsupported scenario (as documented in Manage a Firewall Exclusion List).