The common mail protocols for mail client to server and server to server communications are Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol version 4 (IMAP4).
Another common method for accessing e-mail is web access to mail, as offered by common web mail services such as Gmail, Yahoo!, and Hotmail. Other examples include Outlook Web Access (OWA) and RPC over HTTPS for the Outlook client from Microsoft, among others.
In this recipe, we will talk about the most common client-server and server-server protocols: POP3 and SMTP. We will also look at some typical problems by using the other methods.
When users complain about mail problems, first check for obvious problems such as a wrong username, a bad password, or authentication protocols that are not configured. If there are none, connect Wireshark via a port mirror to the complaining client; if there are many complaining clients, configure the port mirror on the common server, or on the communications line connecting to it (when the server is remote).
POP3 will usually be used for client to server communications, while SMTP will usually be used for server to server communications.
POP3 is usually used for mail client to mail server communications. When a client cannot access the mail server, perform the following checks:
[Screenshot: a POP3 login in clear text; the USER command carries the username doronn@ (all IDs were deleted) and the PASS command carries a password that starts with u6F.]
SMTP is commonly used for the following purposes:
When you suspect slow server-to-server communications, follow these steps to resolve the problems.
[Screenshot: the retransmission list shows, for example, retransmissions between 172.16.30.247 and 172.16.30.2 on port 445 (Microsoft DS), 2319 packets retransmitted between 172.16.30.180 and 192.5.11.198 on port 80 (HTTP), and so on.]
[Screenshot: an SMTP reply with status code 451, which is also called the local error in processing server error, followed by the list of errors.]
You can also find a list of SMTP status codes in RFC 1893 (http://www.ietf.org/rfc/rfc1893.txt).
In SMTP (as in many other protocols), a single reply can carry several status codes. The Wireshark packet list may show only the first one, or a partial list of them. To see the full list of codes in the SMTP message, open the specific packet in the packet details pane, as in the following screenshot.
When you see too many such codes, it indicates that the server is unavailable; check with the server administrator.
Some other common methods that I mentioned earlier are web mail and RPC over HTTP:
Mail clients will mostly use POP3 for communications with the server. In some cases, they will use SMTP as well. IMAP4 is used when server manipulation is required, for example, when you need to see messages that exist on a remote server without downloading them to the client. Server to server communications are usually implemented by SMTP.
In general, SMTP status codes are divided into three categories, which are structured in a way that helps you understand what exactly went wrong. The method and details of SMTP status codes are discussed in the following section.
POP3 is an application layer protocol used by mail clients to retrieve e-mail messages from the server. A typical POP3 session will look like the following screenshot:
[Screenshot: a POP3 session. The server's response OK 0 0 (packet 1042) means there are no messages and the total size is zero; the client's request in packet 1048 is confirmed by the server (packet 1136) and the TCP connection is closed (packets 1137, 1138, and 1227).]
In the case of an encrypted connection, it will look nearly the same (see the following screenshot). After the connection establishment (1), there are several POP messages (2), then the TLS connection establishment (3), and then the encrypted application data.
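To show what a capture of such a session boils down to, here is an added example (not from the book or this recipe) that walks two constructed POP3 dialogues, one in clear text as in the screenshot above and one that issues STLS first, and reports the commands, server errors, the STAT result and whether the password crossed the wire before TLS was negotiated. The usernames, passwords and server banners are made up.

```python
# Two constructed POP3 dialogues (not real captures): the clear-text session
# of the recipe's screenshot, and one that negotiates STLS before logging in.
POP3_CLEAR = """\
S: +OK POP3 server ready
C: USER user@example.com
S: +OK
C: PASS s3cret-example
S: +OK Logged in.
C: STAT
S: +OK 0 0
C: QUIT
S: +OK Bye
"""
POP3_STLS = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
C: USER user@example.com
S: +OK
C: PASS s3cret-example
S: -ERR [AUTH] Authentication failed.
C: QUIT
S: +OK Bye
"""

def analyze_pop3(transcript):
    """Summarise a POP3 dialogue as read from a capture; flags PASS sent before TLS."""
    tls_active, last_cmd = False, None
    summary = {"commands": [], "errors": [], "cleartext_password": False,
               "message_count": None, "mailbox_bytes": None}
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            last_cmd = text.split(" ", 1)[0].upper()
            summary["commands"].append(last_cmd)
            if last_cmd == "PASS" and not tls_active:
                summary["cleartext_password"] = True   # readable in the trace
        elif side == "S":
            if text.startswith("-ERR"):
                summary["errors"].append((last_cmd, text))
            elif last_cmd == "STLS":
                tls_active = True   # in a real capture only TLS records follow
            elif last_cmd == "STAT":
                parts = text.split()   # "+OK <message count> <mailbox octets>"
                if parts[0] == "+OK" and len(parts) >= 3:
                    summary["message_count"] = int(parts[1])
                    summary["mailbox_bytes"] = int(parts[2])
    return summary
```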
The structure of SMTP status codes is as follows:
class . subject . detail
For example, when you see status code 450, it means the following:
The following table lists the various classes:

Status code | Meaning | Reason
---|---|---
2.X.X | Success | Operation succeeded
4.X.X | Persistent transient failure | A temporary condition has prevented the server from sending the message. It can be due to server load or a network bottleneck. Usually, sending the message again will succeed.
5.X.X | Permanent failure | A permanent problem prevented the server from sending the message. Usually server or compatibility errors.
The following table lists the various subjects:

Status code | What it is | What can be the reason
---|---|---
X.0.X | Other or undefined status | -
X.1.X | Addressing status | -
X.2.X | Mailbox status | -
X.3.X | Mail system status | -
X.4.X | Network and routing status | -
X.5.X | Mail delivery protocol status | -
X.6.X | Message content or media status | -
X.7.X | Security or policy status | -

The list of status details is too long to be listed here. A full list can be found in the standard pages at http://tools.ietf.org/html/rfc3463.
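As an added example (not the book's code), the following decoder applies the class and subject tables above to SMTP reply lines, including multi-line replies that carry several codes, such as the 451 reply from the screenshot; the sample replies are constructed.

```python
import re

# Class and subject tables of RFC 3463, the same ones summarised above.
CLASSES = {2: "Success", 4: "Persistent transient failure", 5: "Permanent failure"}
SUBJECTS = {0: "Other or undefined status", 1: "Addressing status",
            2: "Mailbox status", 3: "Mail system status",
            4: "Network and routing status", 5: "Mail delivery protocol status",
            6: "Message content or media status", 7: "Security or policy status"}

# 3-digit basic code, then ' ' (last line) or '-' (continuation line),
# an optional enhanced class.subject.detail code, and the free text.
REPLY_RE = re.compile(r"^(\d{3})([ -])(?:([245])\.(\d{1,3})\.(\d{1,3})(?: |$))?(.*)$")

# Constructed sample replies (not from a real capture).
SAMPLE_451 = "451 4.3.0 Local error in processing"
SAMPLE_MULTI = "550-5.1.1 Recipient address rejected\n550 5.7.1 Relaying denied"

def decode_reply(reply):
    """Decode one SMTP reply, possibly spanning several lines, into one entry
    per line with its basic code, enhanced code, class and subject names."""
    parsed = []
    for line in reply.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        basic, sep, cls, subj, det, text = m.groups()
        entry = {"basic": int(basic), "text": text.strip(), "enhanced": None,
                 "class": None, "subject": None, "last": sep == " "}
        if cls is not None:
            entry["enhanced"] = f"{cls}.{subj}.{det}"
            entry["class"] = CLASSES[int(cls)]
            entry["subject"] = SUBJECTS.get(int(subj), "Unknown subject")
        parsed.append(entry)
    return parsed

def verdict(reply):
    """What the sending server should do next, from the first digit of the basic
    code (the enhanced code's class digit carries the same information)."""
    first = decode_reply(reply)[0]["basic"] // 100
    return {2: "delivered", 3: "continue", 4: "retry later", 5: "do not retry"}.get(first, "unknown")
```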
Some common status codes are listed in the following table:
E-mail is sometimes referred to as one of the "silent killers" of networks, especially in small enterprises that use asymmetric lines to the Internet. Short text messages consume practically nothing; but when you send a large file of several megabytes, or even tens of megabytes, over a narrow-band uplink to the ISP, the rest of the users in your office will suffer a network slowdown for many seconds, even minutes. I've seen this problem in many small offices.
Another issue is that mail clients can be configured to download all new data from the server when they start. If a customer complains of a network slowdown at the time when all employees start their day in the office, it might be due to tens or hundreds of users opening their mail clients simultaneously while the mail server is located over a WAN.