CSS reals connecting thru SMTP to inside mail servers?

Unanswered Question
Mar 29th, 2007

All,

In our dev CSS routed mode we have 2 web servers in the DMZ that are trying to connect to our inside mail servers thru SMTP. It initiates a 3-way handshake but the message body "helo" never gets to the mail server. After several traces we noticed that the message body never leaves the CSS. Is there anything in the CSS that may prevent the packets from getting to their destination? I can ping and open a connection with SMTP but that's it... Any ideas?

joquesada Thu, 03/29/2007 - 19:41

Hi,

On the trace called "frak.cap" I see incorrect checksums on packets 3, 5 & 6 coming from the IP 10.60.5.53, but it is not clear what might be the problem. Do you have any possibility of taking simultaneous traces on both sides of the CSS while the problem occurs? Also, can you send the configuration of the CSS for review? Thanks!

Regards,

Jose Quesada.

Gilles Dufour Thu, 03/29/2007 - 23:14

I see that the response parameter was modified.

Also, the client initially sends only 1 byte 'H' and then 12 bytes and then 77 and then 83... Why this behavior?

I assume you have a firewall if you talk about inside and DMZ. I feel like the firewall is the one blocking those strange/incomplete packets and also modifying the parameter data.

Try to sniff between the CSS and the firewall.

Gilles.

daifous_04 Wed, 04/04/2007 - 18:55

Hi Jerry

I encountered a similar issue; you may want to check out the case below to see if it fits.

>>>>QUOTE<<<<

Question/Problem: I have 'Relay for Addresses' set in SMTP Security. I understand that remote users who use IP addresses I do not List must configure their email clients to authenticate (see: IMail - SMTP authentication). However, SMTP AUTH is not working for remote users who have properly configured their email clients.

Answer/Solution: If you have a firewall or router that "inspects" the traffic on port 25, the "inspection" does not allow Extended SMTP commands (such as EHLO and AUTH) to pass properly. If you disable this "inspection" or otherwise confirm that your firewall or router supports the Extended SMTP commands (ESMTP) this will allow properly configured remote users to authenticate.

The following was provided by Cisco:

1) Make sure that you don't have SMTP inspection configured:

ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
### The following line should not exist in your router configuration ###
ip inspect name ethernetin smtp timeout 3600

Removing the last line will take care of the problem. Cisco's only warning was that removing it would allow for attacks using ESMTP.

Question/Problem: Users off our network, with "my server requires authentication" checked, cannot send mail through our server.

Answer/Solution: Your firewall or proxy may not support the extended SMTP command set that is required for SMTP authentication.

You can enable SMTP authentication on a Cisco PIX firewall with the command:

"no fixup protocol smtp 25"

It will now work correctly.

>>>>UNQUOTE<<<<

Regards,

Hao Dai
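
A diagnostic sketch for the case quoted above (an added example, not part of the original thread or of Cisco's text): it reads an SMTP session transcript taken on the client side and flags signs that an in-path device is filtering ESMTP commands such as EHLO and AUTH. The transcript format, the sample sessions and the function name are constructed for illustration, and the masked-banner check is a heuristic assumption about how SMTP inspection commonly presents.

```python
import re

# Constructed sample transcripts ("C:" client line, "S:" server line); not from the thread.
FILTERED = """\
S: 220 ****************************
C: EHLO web1.example.test
S: 500 5.5.1 Command unrecognized: "XXXX web1.example.test"
C: HELO web1.example.test
S: 250 mail.example.test Hello
"""
CLEAN = """\
S: 220 mail.example.test ESMTP ready
C: EHLO web1.example.test
S: 250-mail.example.test
S: 250-SIZE 10485760
S: 250 AUTH LOGIN PLAIN
"""
NO_AUTH = CLEAN.replace("250 AUTH LOGIN PLAIN", "250 8BITMIME")

def esmtp_findings(transcript):
    """Return a list of signs that ESMTP is being filtered between client and server."""
    findings = []
    last_cmd = None                 # verb of the most recent client command
    ehlo_ok = auth_offered = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            last_cmd = text.split(" ", 1)[0].upper()
            continue
        m = re.match(r"(\d{3})[ -](.*)", text)
        if not m:
            continue
        code, rest = m.groups()
        # Heuristic (assumption): a greeting that is mostly '*' was rewritten in transit.
        if last_cmd is None and code == "220" and rest.count("*") > len(rest) / 2:
            findings.append("banner masked")
        if last_cmd == "EHLO":
            if code.startswith("5"):
                findings.append("EHLO rejected")
            elif code == "250":
                ehlo_ok = True
                auth_offered = auth_offered or rest.upper().startswith("AUTH")
    # EHLO accepted but the AUTH keyword is missing from the capability list.
    if ehlo_ok and not auth_offered:
        findings.append("AUTH not advertised")
    return findings
```

Comparing the findings for a session captured on each side of the firewall shows whether the filtering happens on the device or on the mail server itself.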
