intrusion detection not allowing good emails to pass wireme

From: wireme
Date: 9/20/16 5:46 PM
Topic: intrusion detection not allowing good emails to pass
Type: General Discussions

We are having an issue with southwest.com emails not being passed through to our Exchange server. The IP address 12.130.138.99 is posted in the Intrusion Report log. I whitelisted the IP address and the sending email address, no luck. I checked the smtpproxyconversation log and found it is communicating correctly with the external server. The emails never make it to the Good, Bad, and perhaps Ugly queues. I am at a loss here. We are not having issues with any of the thousands of other emails received daily in this manner. Any directions would be greatly appreciated.


2016-09-19 20:16:08,575 - [ 554373] ************ New connection from: 12.130.138.99
2016-09-19 20:16:08,653 - [ 554373] C --> EHLO omptrans.luv.southwest.com
2016-09-19 20:16:08,653 - [ 554373] S <-- 250-webmail.carlson-construction.net Hello [ Proxied ]
2016-09-19 20:16:08,653 - [ 554373] S <-- 250-SIZE 102645760
2016-09-19 20:16:08,653 - [ 554373] S <-- 250-DSN
2016-09-19 20:16:08,653 - [ 554373] S <-- 250-ENHANCEDSTATUSCODES
2016-09-19 20:16:08,653 - [ 554373] S <-- 250-AUTH NTLM LOGIN
2016-09-19 20:16:08,653 - [ 554373] S <-- 250 OK
2016-09-19 20:16:08,716 - [ 554373] C --> MAIL FROM:<swair.5766@envfrm.rsys2.com> ENVID=5766
2016-09-19 20:16:08,716 - [ 554373] S <-- 250 2.1.0 Sender OK


From: wireme
Date: 9/21/16 10:16 AM
Topic: intrusion detection not allowing good emails to pass
Type: General Discussions

I guess the better question is, how do I remove this IP from the Dictionary Attack block list?


From: Synametrics Support
Date: 9/21/16 10:28 AM
Topic: intrusion detection not allowing good emails to pass
Type: General Discussions

WireMe,

Your first post does not have the entire log - I don't see any error in the partial log that you posted. Could you please post the entire log?

The "Intrusion Detection" system will NOT block any incoming emails. It's just a way of letting you know if something peculiar is going on. Dictionary attack prevention will block. (Intrusion Detection and Dictionary Attack are two different things).

Check http://www.xeams.com/error-420.htm for more information about Dictionary Attack.

I'd recommend you post the complete log for this incoming email and I'll be able to tell you what is causing the problem.


From: wireme
Date: 9/21/16 11:30 AM
Topic: intrusion detection not allowing good emails to pass
Type: General Discussions

Here is a full example of one that did not make it to the Good, Bad, or Ugly list. Thank you.

2016-09-19 20:18:48,164 - [ 554393] ************ New connection from: 12.130.138.99
2016-09-19 20:18:48,226 - [ 554393] C --> EHLO omptrans.luv.southwest.com
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-webmail.carlson-construction.net Hello [ Proxied ]
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-SIZE 102645760
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-DSN
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-ENHANCEDSTATUSCODES
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-AUTH NTLM LOGIN
2016-09-19 20:18:48,226 - [ 554393] S <-- 250 OK
2016-09-19 20:18:48,289 - [ 554393] C --> MAIL FROM:<swair.5766@envfrm.rsys2.com> ENVID=5766
2016-09-19 20:18:48,289 - [ 554393] S <-- 250 2.1.0 Sender OK
2016-09-19 20:18:48,663 - [ 554393] C --> RCPT TO:<xxxxx@carlson-construction.net>
2016-09-19 20:18:51,705 - [ 554388] S <-- 250 2.1.5 Recipient OK
2016-09-19 20:18:52,922 - [ 554388] C --> DATA
2016-09-19 20:18:54,841 - [ 554394] ************ New connection from: 89.144.22.133


From: Synametrics Support
Date: 9/21/16 11:37 AM
Topic: intrusion detection not allowing good emails to pass
Type: General Discussions

This log has multiple emails mixed together. Every email conversation in the logs is identified by LCID, which is the number you see in square brackets. I see 3 different numbers there: 554393, 554388 and 554394. Before displaying the log, put 554393 in the search field. That will yield the logs for the email you are looking for.


From: wireme
Date: 9/21/16 11:57 AM
Topic: intrusion detection not allowing good emails to pass
Type: General Discussions

2016-09-19 20:18:48,164 - [ 554393] ************ New connection from: 12.130.138.99
2016-09-19 20:18:48,226 - [ 554393] C --> EHLO omptrans.luv.southwest.com
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-webmail.carlson-construction.net Hello [ Proxied ]
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-SIZE 102645760
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-DSN
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-ENHANCEDSTATUSCODES
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-AUTH NTLM LOGIN
2016-09-19 20:18:48,226 - [ 554393] S <-- 250 OK
2016-09-19 20:18:48,289 - [ 554393] C --> MAIL FROM:<swair.5766@envfrm.rsys2.com> ENVID=5766
2016-09-19 20:18:48,289 - [ 554393] S <-- 250 2.1.0 Sender OK
2016-09-19 20:18:48,663 - [ 554393] C --> RCPT TO:<rcarlson@carlson-construction.net>
2016-09-19 20:19:29,831 - [ 554393] S <-- 250 2.1.5 Recipient OK
2016-09-19 20:19:29,831 - [ 554393] ~~~~~~~~~~~~ Connection Terminated (41667:999999) Connection reset by peer: socket write error


From: Synametrics Support
Date: 9/21/16 12:12 PM
Topic: intrusion detection not allowing good emails to pass
Type: General Discussions

When you use SMTP Proxy server in Xeams, the acceptance or rejection of any incoming email is delegated to your actual email server, which I assume is Exchange in this case. Look at the following two lines in the log file:

2016-09-19 20:18:48,663 - [ 554393] C --> RCPT TO:<rcarlson@carlson-construction.net>
2016-09-19 20:19:29,831 - [ 554393] S

There is a 41-second gap between the RCPT TO (which is sent from Southwest.com's SMTP server) and the response from your Exchange on the next line. The sending SMTP server (SouthWest) is configured with a very short timeout period and does not like waiting 41 seconds to see if the receiving server will accept the message. As a result, it closes the TCP/IP connection without sending any message.

There are a couple of things you could do:

  1. Figure out why Exchange is taking 41 seconds to accept incoming messages. I'd recommend disabling filtering in Exchange so it accepts the message faster.
  2. Use the regular SMTP Server in Xeams for both in-bound and out-bound. That will eliminate the problem associated with Exchange's slow response. In that case Xeams will accept the message from Southwest and will later on deliver it to your Exchange.

Check http://www.xeams.com/DifferenceSmtpAndSmtpProxy.htm for more information about the differences between Proxy and Regular SMTP servers.
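The following script is an added example, not part of this thread and not Xeams code. It does by hand what the two support replies above describe: it groups smtpproxyconversation log lines by the LCID shown in square brackets, then measures the delay between each client command ("C -->") and the next server reply ("S <--") inside one conversation, flags replies slower than a threshold, and reports whether the connection was terminated. The sample lines are a subset of the ones posted in this thread (recipient masked as in the post); the 30-second threshold and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the thread above (a subset), with the
# two foreign LCIDs 554388 and 554394 interleaved exactly as in the mixed excerpt.
SAMPLE_LOG = """\
2016-09-19 20:18:48,164 - [ 554393] ************ New connection from: 12.130.138.99
2016-09-19 20:18:48,226 - [ 554393] C --> EHLO omptrans.luv.southwest.com
2016-09-19 20:18:48,226 - [ 554393] S <-- 250-webmail.carlson-construction.net Hello [ Proxied ]
2016-09-19 20:18:48,226 - [ 554393] S <-- 250 OK
2016-09-19 20:18:48,289 - [ 554393] C --> MAIL FROM:<swair.5766@envfrm.rsys2.com> ENVID=5766
2016-09-19 20:18:48,289 - [ 554393] S <-- 250 2.1.0 Sender OK
2016-09-19 20:18:48,663 - [ 554393] C --> RCPT TO:<xxxxx@carlson-construction.net>
2016-09-19 20:18:51,705 - [ 554388] S <-- 250 2.1.5 Recipient OK
2016-09-19 20:18:52,922 - [ 554388] C --> DATA
2016-09-19 20:18:54,841 - [ 554394] ************ New connection from: 89.144.22.133
2016-09-19 20:19:29,831 - [ 554393] S <-- 250 2.1.5 Recipient OK
2016-09-19 20:19:29,831 - [ 554393] ~~~~~~~~~~~~ Connection Terminated (41667:999999) Connection reset by peer: socket write error
"""

# timestamp - [ LCID] message   (assumed layout, matching the lines posted above)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - \[\s*(?P<lcid>\d+)\]\s*(?P<msg>.*)$"
)


def parse_log(text):
    """Group log lines by LCID: {lcid: [(datetime, message), ...]} in file order."""
    conversations = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a conversation-log line; ignore
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        conversations[m.group("lcid")].append((ts, m.group("msg")))
    return dict(conversations)


def slow_responses(events, threshold_seconds=30.0):
    """Pair each client command with the next server reply in the same
    conversation; return (command, reply, delay_seconds) where the reply
    took longer than threshold_seconds. Extra multi-line EHLO replies that
    follow an already-answered command are not counted."""
    slow = []
    pending = None  # (timestamp, command) of the client line awaiting a reply
    for ts, msg in events:
        if msg.startswith("C -->"):
            pending = (ts, msg)
        elif msg.startswith("S <--") and pending is not None:
            delay = (ts - pending[0]).total_seconds()
            if delay > threshold_seconds:
                slow.append((pending[1], msg, delay))
            pending = None
    return slow


def was_terminated(events):
    """True if the conversation ended with a 'Connection Terminated' marker."""
    return any("Connection Terminated" in msg for _, msg in events)


def report(text, threshold_seconds=30.0):
    """Per-LCID summary: slow command/reply pairs and whether the peer dropped."""
    return {
        lcid: {
            "slow": slow_responses(events, threshold_seconds),
            "terminated": was_terminated(events),
        }
        for lcid, events in parse_log(text).items()
    }


if __name__ == "__main__":
    for lcid, summary in report(SAMPLE_LOG).items():
        print(f"LCID {lcid}: terminated={summary['terminated']}")
        for cmd, reply, delay in summary["slow"]:
            print(f"  {delay:.3f}s between '{cmd}' and '{reply}'")
```

Grouping by LCID before timing matters: read naively, the RCPT TO of 554393 would appear to be answered 3 seconds later by the "Recipient OK" that actually belongs to 554388, and the 41-second wait that made the sender give up would be invisible.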
