
static mapping used for e-mail


abovebrd

IS-IT--Management
May 9, 2000

I am not really sure what the best approach would be. I just set up an MS Exchange server on my internal network. This server also handles Internet SMTP/POP3 mail for my domain. Currently the MX record points to my current firewall (SonicWall Pro). I have a public ln service set up on port 25 (SMTP) and port 110 (POP3). This allows packets received on those ports to be forwarded to my internal server.

My question is how would I configure this on a PIX 515?
What makes more sense:

conduit or fixup?

Or do I need to use both, or maybe something else?

Any advice you can give would be helpful.



-Danny
 
You are going to have to use both commands (or at least a conduit). Fixup is used to aid and control the service (in this case SMTP) traversing the PIX. According to Cisco, the PIX fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the "500 command unrecognized" reply code.
While it does open the port, it completely opens port 25. Good practice says that you should create a static command mapped from the MX record address (unless you want to change it) to the internal Exchange server and then add a conduit for ports 25 and 110, thus allowing hosts to access only your Exchange server.
Please be warned that I have heard of some issues with some versions of the 5.x software and fixup protocol for SMTP. If you experience any problems, I would recommend disabling the fixup protocol smtp as the first troubleshooting step.

Hope this helps,
Kevin
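The static/conduit/fixup combination Kevin describes, and the "disable the SMTP fixup first" troubleshooting step that both Kevin and Flibble recommend, written out as an added PIX 5.x configuration example. This is not configuration from the thread or from Cisco; the addresses are constructed (203.0.113.10 as the public MX address, 192.168.1.10 as the inside Exchange server) and the interface names assume the default inside/outside pair. Lines beginning with "!" are annotations for the reader, not PIX commands.

```cisco
! Constructed example: map the public MX address (203.0.113.10) one-to-one
! to the internal Exchange server (192.168.1.10). Nothing is reachable yet;
! a static only defines the translation.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Conduits open exactly two inbound TCP ports to the mapped address.
! Any other port on 203.0.113.10 stays closed, and no other inside host
! is exposed by these lines.
conduit permit tcp host 203.0.113.10 eq 25 any
conduit permit tcp host 203.0.113.10 eq 110 any

! Mail Guard: the SMTP fixup restricts inbound SMTP to the RFC 821
! minimum command set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) and
! answers anything else with "500 command unrecognized".
fixup protocol smtp 25

! First troubleshooting step if remote MTAs fail to deliver (the breakage
! Kevin and Flibble report on 5.x / 4.4.5): turn Mail Guard off on port 25.
! The static and the conduits above keep working; only the command
! filtering stops, so harden the Exchange server itself before doing this.
! no fixup protocol smtp 25
```

Worth checking after applying this: `show static` and `show conduit` should list only the one mapping and the two ports, and `show fixup` shows whether Mail Guard is still active on port 25. Deliberately leaving port 110 unfixed-up is normal; the PIX has no POP3 inspection, so that conduit is a plain port opening and the POP3 server's own authentication is the only control on it.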
 
We have had numerous problems with the fixup command running on a 520 4.4.5 config. Mail Guard looks as though it should be really useful, but in my experience there are just too many badly written MTAs out there for it to work. Best bet is to "no fixup smtp" and to really configure/secure your mail server properly.

Flibble
 
fixup protocol is only used for traffic originating from the internal network to the Internet cloud, while statics and conduits are actual pipes allowing access from the Internet cloud to your internal network. If your DNS MX record points to an address other than your internal IP, you really don't need a fixup (theoretically), but if the email server is on your internal IP subnet, then why do your internal users have to go through the PIX to access it? If it's on the same segment you should have no problems at all.
 