A remote mail server connects to our mail server and sends a TCP SYN. Our mail server replies with SYN-ACK, but this is immediately responded to by the foreign server with an ICMP packet that Wireshark shows as "ICMP Destination unreachable (host administratively prohibited)".
Why would the remote server respond to our SYN-ACK with an ICMP? Is this some kind of optimization they have done because of their volume of traffic? I don't understand how TCP would work at all if they don't allow a SYN-ACK.
In terms of what I need to allow to pass through our firewall, what kind of ICMP packet is the above, and is there a way to allow incoming ICMP of just this one type using an older Checkpoint?