
Re: PIX fixup protocol with SMTP docs wrong?



Hi all, 

Apologies for the long delay in response.  It's tough to keep up with all the 
lists.  

The reason the PIX passes XXXX to your mail server is to keep the state 
consistent on both client and server sides of the conversation.  

There is nothing wrong with your configuration with regards to the fixup 
protocol smtp.  

The PIX sends a 500 command not understood back to the client, but must make 
sure the SERVER is also at that same state, so sends a bogus command to the 
server, so both sides are at the same point.  

Looks like our documentation could be cleaned up a bit.  I'll let the 
appropriate people know. 

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

At 01:55 PM 03/30/2000 +0100, Daniel Crichton wrote:
>I've been monitoring SMTP transactions on my mail since putting in my PIX
>with 4.4(1) and noticed that ESMTP commands are being passed to my mail
>server as XXXX. E.g. if a mail server opens a connection to my server and
>uses EHLO host.domain.com it gets passed by the PIX to my server as XXXX
>host.domain.com, so my server responds with a 507 error and the sending
>server uses HELO host.domain.com which allows the mail to be sent. I'm
>quite happy with this, but the Cisco docs seem to be wrong as they define
>the fixup protocol 25 command as
>
>The fixup protocol smtp command enables the Mail Guard feature, which only 
>lets 
>mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, 
>RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the 
>"500 command unrecognized" reply code.
>
>
>This suggests that the PIX should be sending the 500 command unrecognized
>reply itself, and the command should never reach my mail server. Is this
>just a case of the PIX docs being wrong, or is there something funny with
>my config?
>
>Dan
>
>---
>D.C. Crichton                 email: danielc@compman.co.uk
>Senior Systems Analyst        tel:   +44 (0)121 706 6000
>Computer Manuals Ltd.         fax:   +44 (0)121 606 0477
>
>Computer book info on the web:
>    http://computer-manuals.co.uk/
>Want to earn money? Join our affiliate scheme!
>    http://computer-manuals.co.uk/affiliate/
>-
>[To unsubscribe, send mail to majordomo@lists.gnac.net with
>"unsubscribe firewalls" in the body of the message.] 
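The lockstep behaviour Lisa describes (guard answers the client with a 500, but still pushes a bogus XXXX command at the server so both sides have consumed one command and produced one reply) is easy to get wrong in any SMTP-inspecting proxy, so here is a small added simulation of it. This is constructed example code, not Cisco's fixup implementation and not code from either poster. The allowed verb list is the RFC 821 section 4.5.1 set quoted from the Cisco docs above. Two details are assumptions the thread does not spell out: the guard absorbs the server's error reply to XXXX so the client never sees two replies for one command, and filtering is switched off inside a DATA body (after the server's 354) until the terminating "." so that verbs appearing in message text are not rewritten. The ToyServer is a stand-in for the protected mail server, not a real MTA.

```python
import re

# Minimum command set of RFC 821 section 4.5.1, as quoted from the Cisco
# docs in the thread. Anything else is treated as unrecognized.
ALLOWED = frozenset({"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})
GUARD_REPLY = "500 command unrecognized"  # what the guard itself tells the client
BOGUS_VERB = "XXXX"                       # what the server sees instead of the verb


class MailGuard:
    """Toy model of the command filter; not the PIX implementation."""

    def __init__(self):
        self.in_data = False          # inside a message body (server said 354)
        self.data_pending = False     # DATA forwarded, waiting for server verdict
        self.suppress_next_reply = False  # guard already replied; eat server's reply

    def from_client(self, line):
        """Return (line_to_server, reply_to_client_or_None)."""
        if self.in_data:
            # Body lines are data, not commands: forward untouched (assumption).
            if line == ".":
                self.in_data = False
            return line, None
        m = re.match(r"^([A-Za-z]+)(.*)$", line)
        verb = m.group(1).upper() if m else ""
        rest = m.group(2) if m else line
        if verb in ALLOWED:
            if verb == "DATA":
                self.data_pending = True
            return line, None
        # Unrecognized verb: reply to the client here, but still hand the server
        # a bogus command so it consumes one command and emits one reply.
        self.suppress_next_reply = True
        return BOGUS_VERB + rest, GUARD_REPLY

    def from_server(self, reply):
        """Return the reply to relay to the client, or None if absorbed."""
        if self.data_pending:
            self.data_pending = False
            self.in_data = reply.startswith("354")
        if self.suppress_next_reply:
            # Assumption: the server's error for XXXX is swallowed so the client
            # does not receive two replies for a single command.
            self.suppress_next_reply = False
            return None
        return reply


class ToyServer:
    """Constructed stand-in for the protected mail server (not a real MTA)."""

    def __init__(self):
        self.in_data = False

    def reply(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 OK: queued"
            return None  # no per-line reply inside a message body
        verb = line.split(" ", 1)[0].upper()
        if verb == "XXXX":
            return "500 command unrecognized"  # Dan's server used 507; code varies by MTA
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"


def run_session(client_lines):
    """Drive one session through guard and server; return (origin, text) tuples."""
    guard, server, transcript = MailGuard(), ToyServer(), []
    for line in client_lines:
        to_server, guard_reply = guard.from_client(line)
        transcript.append(("C->PIX", line))
        transcript.append(("PIX->S", to_server))
        if guard_reply:
            transcript.append(("PIX->C", guard_reply))
        srv = server.reply(to_server)
        if srv is not None:
            transcript.append(("S->PIX", srv))
            relayed = guard.from_server(srv)
            if relayed is not None:
                transcript.append(("PIX->C", relayed))
    return transcript


def example_session():
    # Constructed client input: an ESMTP greeting that gets rewritten, a
    # fallback HELO, and a body line that must NOT be rewritten.
    return run_session([
        "EHLO host.domain.com", "HELO host.domain.com",
        "MAIL FROM:<a@example.com>", "RCPT TO:<b@example.org>", "DATA",
        "Subject: test", "EHLO inside body", ".", "QUIT",
    ])


if __name__ == "__main__":
    for origin, text in example_session():
        print(f"{origin:7} {text}")
```

Counting the PIX->C and S->PIX entries in the transcript shows the invariant the thread is about: the client receives exactly as many replies as the server produced, even though one of them was manufactured by the guard and one (the server's answer to XXXX) never left the guard.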
