
with fixup protocol smtp 25 - telnet hangs on


Guest_imported

I use Pix 506 software version 6.1
Behind the firewall there is Exchange Server 2000.

When I set "no fixup protocol smtp 25" on the firewall, then I can telnet my server on port 25 and say HELO, send mail, everything is OK. If I type XXXX, then I get a message "Unrecognized command", and nothing special happens.

When I set "fixup protocol smtp 25", then I can telnet my server on port 25, but after saying HELO (or anything else) I receive an "Unrecognized command" message and telnet hangs.

I know that Pix sends some XXXX command to the client in this case, but why does it hang the telnet session?

I use standard Windows 2000 telnet interface (Telnet Client Build 5.00.99203.1).
 
Sounds like the issue I was having / am having and I thought I had read there to be a bug in fixup protocol smtp 25 (mailguard) for older versions of PIX (not sure if it exists today).

I have to disable it "no fixup protocol smtp 25"

I'm still having problems if I enable it due to a few things that just can't be changed yet.

2 things I noticed:
Exchange uses ESMTP (read the paste from CISCO site below)
No Reverse DNS to my mail server - The person with the authority to set it up blew it off.

From CISCO site:

"static (inside, outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255 0 0"

"access-list acl_out permit tcp any host 209.165.201.12 eq smtp"

Identify access to the 10.1.1.3 mail server through global address 209.165.201.12. The access-list command statement lets any outside host access the static via SMTP (port 25). By default, PIX Firewall restricts all access to mail servers to the RFC 821 section 4.5.1 commands DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET. This occurs via the Mail Guard service, which is set with the following default configuration command:

"fixup protocol smtp 25"

Another aspect of providing access to a mail server is being sure that you have a DNS MX record for the static's global address, which outside users access when sending mail to your site. Don't forget: your mail server should have a reverse DNS entry.

----
"access-list acl_out permit tcp any host 209.165.201.12 eq 113"
"access-group acl_out in interface outside"


Create access to port 113, the IDENT protocol. If the mail server has to talk to many mail servers on the outside which connect back with the now obsolete and highly criticized IDENT protocol, use this access-list command statement to speed up mail transmission. The access-group command statement binds the access-list command statements to the outside interface.

----

Hopefully that's all clear. I tend to Cliff Note a lot and give information in bits; there are some things we all have to figure out, and each situation is different.
 
Oh, and the reason why you only notice through telnet is because you're not really noticing the servers that cannot send to you while fixup is enabled.
Leave it on for a week or so; your users will notice in a big way ;)
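The thread's two points, that Mail Guard only passes the RFC 821 verbs DATA, HELO, MAIL, NOOP, QUIT, RCPT and RSET (so an ESMTP EHLO is "unrecognized"), and that an interactive telnet session simply hangs when the path stops answering, are easier to reason about with a probe that never blocks. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from the PIX. The stub "filter" it starts on loopback is a constructed stand-in that only reproduces the behaviour the posts describe (250 for the listed verbs, "500 Unrecognized command" or silence for anything else); it is not an implementation of Mail Guard. The hostnames probe.example and stub.example are made up.

```python
"""Timeout-guarded SMTP probe plus a constructed filtering stub (added example,
not from the thread, Cisco, or the PIX). Shows which verbs a Mail Guard-style
filter passes and why a silent path should be detected rather than waited on."""
import socket
import threading

# Verb set the thread quotes from Cisco's Mail Guard description (RFC 821
# section 4.5.1); anything else is treated as unrecognized by the filter.
MAILGUARD_COMMANDS = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}


def classify_commands(commands, allowed=MAILGUARD_COMMANDS):
    """Map each client line to True (verb permitted) or False (would be
    rejected). EHLO, the ESMTP greeting Exchange sends first, is not in the set."""
    return {line: line.strip().split(" ", 1)[0].upper() in allowed for line in commands}


def _recv_reply(sock):
    """Read one complete SMTP reply, including 250-xxx continuation lines.
    Because the socket carries a timeout, a silent peer raises socket.timeout
    instead of leaving us stuck the way an interactive telnet session does."""
    lines = []
    while True:
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = sock.recv(1)
            if not chunk:
                raise ConnectionError("peer closed the connection")
            buf += chunk
        line = buf.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def probe_smtp(host, port, timeout=5.0):
    """Try EHLO, fall back to HELO, then QUIT; report what the path allowed."""
    report = {"banner": None, "ehlo_code": None, "helo_code": None,
              "esmtp": False, "timed_out": False, "closed": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            report["banner"] = _recv_reply(s)[0]
            s.sendall(b"EHLO probe.example\r\n")  # probe.example is a constructed name
            ehlo = _recv_reply(s)
            report["ehlo_code"] = ehlo[0][:3]
            report["esmtp"] = ehlo[0].startswith("250")
            if not report["esmtp"]:
                s.sendall(b"HELO probe.example\r\n")
                report["helo_code"] = _recv_reply(s)[0][:3]
            s.sendall(b"QUIT\r\n")
            try:
                _recv_reply(s)
            except (socket.timeout, ConnectionError):
                pass
    except socket.timeout:
        report["timed_out"] = True   # the "hang" case, surfaced instead of endured
    except ConnectionError:
        report["closed"] = True
    return report


def start_stub_filter(allowed=MAILGUARD_COMMANDS, stall_on_unknown=False):
    """Constructed stand-in for a command-filtering proxy (not PIX code):
    permitted verbs get 250, others get "500 Unrecognized command", or no
    answer at all when stall_on_unknown is set, which reproduces the hang the
    thread describes. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def handle(conn):
        with conn:
            conn.settimeout(10)
            conn.sendall(b"220 stub.example SMTP stub ready\r\n")
            for raw in conn.makefile("rb"):
                verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
                if verb == "QUIT":
                    conn.sendall(b"221 closing\r\n")
                    return
                if verb in allowed:
                    conn.sendall(b"250 OK\r\n")
                elif not stall_on_unknown:
                    conn.sendall(b"500 Unrecognized command\r\n")
                # stall mode: swallow the unknown verb and say nothing

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    port, stop = start_stub_filter()
    print(probe_smtp("127.0.0.1", port))   # EHLO gets 500, HELO gets 250
    stop()
```

Pointed at a real host instead of the stub, `probe_smtp` tells you in one call whether the path in front of your Exchange server answers EHLO (ESMTP), only HELO, or nothing at all, and a `timed_out` report is the condition to alert on; the telnet client in the original post shows the same condition only as a frozen window.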
 