Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX515E 6.3 to 7.2 "no fixup protocol smtp 25"

Status
Not open for further replies.
jbrotschul

jbrotschul

Technical User
Jan 5, 2005
43
0
0
US
I recently upgraded a PIX515E from 6.3 to 7.2...

On the 6.3 os there was a line "no fixup protocol smtp 25" that doesn't appear to translate over to 7.2...

I'm going to read up on it, but was hoping someone knew how to translate this command to 7.2 (or if it is even needed anymore).

I had some reports from our sys-admins that they where having some issues with their mail servers since this upgrade.

Feedback appreciated. Thanks.
 
Sort by date Sort by votes
What you are looking for are the inspect commands in 7.2. I believe pasting this into your Pix will fix your email issue.

policy-map global_policy
class inspection_default
no inspect esmtp


Hope this helps.
 
Upvote 0 Downvote
Okay. I check my protocol inspection, and smtp/esmtp is not there, so I believe I have it configured properly. But my admins are stating that some smtp connections from our back-end pmdf email system are getting hung trying to connect to the exchange server. The pmdf email servers are on the DMZ, and the exchange server is internal. Oddly the messages getting hung are spam messages. But this causes a backlog in email processing.

I found this article, and it seems like our symtom. Even though I don't have the smtp/esmtp inspection active.


Cisco PIX obstructs anti-spam protocol
Three bugs in older software versions of Cisco PIX security appliances may jointly cause emails with headers signed using Domainkeys Identified Mail (DKIM, RFC 4871) to be rejected. The software contains a module which monitors SMTP transactions and overwrites potentially malicious commands (smtp protocol fixup). Due to three parser bugs, DKIM headers may be overwritten in the process. Interestingly, Cisco is one of the supporters of DKIM.

The sending server’s mail admin will recognise the effects of the bug as lost connections and messages getting stuck in the queues as a result. Those responsible for PIX on the receiving end will find an increased number of

SMTP: Multiple Content-Type headers!messages, provided that ESMTP debugging is activated.

According to Jim Fenton, who among other things deals with DKIM at Cisco, all three bugs were fixed in versions 7.2(2.19) and 8.0(2.7) of the PIX software. As is customary at Cisco, registered users can download the update to 7.2(2.19). Version 8.0 (2.7) has so far only been available from the "Technical Assistance Center".

Many mail admins recommend disabling "smtp protocol fixup" as a matter of principle, because they regard SMTP header alterations as a potential source of problems. Jim Fenton disagrees: "Since SMTP protocol fixup enables quite a bit of protocol checking besides the Content-Type check that is the subject of these bugs, it's difficult for me to recommend that users disable it other than as a very short-term measure. I would highly recommend that customers obtain updated images and deploy them as soon as practical."
 
Upvote 0 Downvote
It seems like im having the same problem but haven't been able to solve it. Though my case is a little curious, ill explain it . . .

My PIX 515 has 2 interfaces one connected to the Internet and the other to the inside of my network.
My Exchange server is NATed throught the pix to the Internet.

The problem I have noticed besides the queuing of messages is that my internet connection gets saturated by SMTP traffic for 2 days (the pix only allows smpt traffic throuhg it, for the Exchage server), after this period of time everything goes back to normal.

What is really wierd is that this happens somewhere in the first 10 days of every month.
My Exchange administrator and I have checked for schedule activities but there are none in the PIX nor the Exchange server.

I have executed the "no fixup protocol smtp 25" on the pix but the problem still happens every month.

My PIX is running:
Cisco PIX Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)

Is anyone suffering something similiar and has been able to solve it?

Any help will be greatly appreciated
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
146
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
146
Johnkite
Johnkite
DROFNUD
  • Locked
  • Helpful tip
Smartcenter Dashboard - Searching for "Any" keyword
Replies
0
Views
35
DROFNUD
DROFNUD
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
121
nnaarrnn
nnaarrnn
Russtoleum
  • Locked
  • Question
Windows client can't connect to sonicwall l2tp server
Replies
0
Views
49
Russtoleum
Russtoleum

Part and Inventory Search

Sponsor

Back
Top