Mail traffic does not pass through a PIX Firewall with ESMTP


Wed, 07/22/2009 - 19:35
Jun 18th, 2009

Core issue


The PIX Firewall Mailguard feature (fixup protocol smtp) does not support Extended Simple Mail Transfer Protocol (ESMTP). Mail delivery fails when the remote mail server speaks only ESMTP and cannot fall back to plain Simple Mail Transfer Protocol (SMTP).


When Mailguard is enabled, the PIX lets only the seven minimum-required SMTP commands reach the mail server: HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT. This is the minimum implementation listed in section 4.5.1 of RFC 821 (since superseded by RFC 2821). The PIX does not forward any other command to the mail server.

Some mail servers, such as Microsoft Exchange, do not confine themselves to the RFC 821 section 4.5.1 minimum set: they open the session with EHLO and rely on ESMTP extensions. The PIX does not support these, and replaces each unsupported command with a NOOP before it reaches the server. This forces the SMTP server back to the minimal command set, and Microsoft Outlook clients and Exchange servers whose connection passes through the PIX then behave unpredictably.
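To make the filtering behaviour concrete, here is an added example (not Cisco's code and not part of the original document) that emulates the command rewriting described above over a constructed Exchange-style ESMTP session, and parses an EHLO reply to show what a client actually sees. The hostnames, the session transcript and the EHLO reply are constructed for illustration; the NOOP replacement is modelled exactly as the page describes it, and message-body lines after DATA are passed through unchanged because Mailguard tracks the command and response sequence rather than treating every line as a command.

```python
"""Emulation of the PIX Mailguard command filter (added example, not Cisco code).
Sample transcripts below are constructed, not captured from a real session."""
import socket

# The seven minimum SMTP commands (RFC 821 section 4.5.1) that Mailguard forwards.
MINIMUM_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def mailguard_filter(client_lines):
    """Return (forwarded, neutralized): what the mail server would receive once
    each client line has passed through Mailguard, and the commands rewritten.

    Any command verb outside the minimum set is replaced with NOOP, as the page
    describes. Lines inside a DATA section are message content, not commands,
    so they are forwarded unchanged until the terminating '.' line.
    """
    forwarded, neutralized = [], []
    in_data = False
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper() if line else ""
        if verb in MINIMUM_COMMANDS:
            forwarded.append(line)
            in_data = verb == "DATA"
        else:
            forwarded.append("NOOP")
            neutralized.append(line)
    return forwarded, neutralized


def esmtp_extensions(reply_lines):
    """Parse a server's reply to EHLO and return the advertised extension
    keywords. A single-line '250 OK' (what a server answers to NOOP, i.e. what
    the client sees once Mailguard has rewritten its EHLO) yields an empty set,
    as does a 4xx/5xx refusal."""
    cleaned = [l.rstrip("\r\n") for l in reply_lines if l.strip()]
    if not cleaned or not cleaned[0].startswith("250"):
        return set()
    keywords = set()
    for line in cleaned[1:]:          # first 250 line is the greeting, not a keyword
        if not line.startswith("250"):
            return set()
        body = line[4:].strip()       # drop '250-' or '250 '
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def probe_ehlo(host, port=25, timeout=5.0):
    """Live check against a mail server reached through the firewall (not run
    here). Sends EHLO and returns the extensions the client actually sees; an
    empty set means the path behaves as plain SMTP, which is what Mailguard
    produces."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", newline="\r\n")
        f.readline()                                   # 220 banner
        f.write("EHLO probe.example.net\n"); f.flush()  # newline= turns \n into CRLF
        reply = []
        while True:
            line = f.readline()
            reply.append(line)
            if not line or line[3:4] != "-":           # '250 ' ends a multi-line reply
                break
        f.write("QUIT\n"); f.flush()
    return esmtp_extensions(reply)


# Constructed Exchange-style ESMTP session (illustrative; hostnames are made up).
EXCHANGE_SESSION = [
    "EHLO exch01.corp.example",
    "AUTH LOGIN",
    "MAIL FROM:<alice@corp.example>",
    "RCPT TO:<bob@partner.example>",
    "DATA",
    "Subject: test",
    "",
    "EHLO this is body text, not a command",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    fwd, neut = mailguard_filter(EXCHANGE_SESSION)
    print("server receives:", fwd)
    print("neutralized by Mailguard:", neut)
```

Running the module shows EHLO and AUTH arriving at the server as NOOP while MAIL, RCPT, DATA and QUIT pass untouched, and the body line that happens to start with EHLO is delivered as message content. probe_ehlo is the same check done against a real server: run it from a host on the far side of the PIX, and an empty result for a server known to advertise extensions is the Mailguard symptom this document describes.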



Resolution


Mailguard is enabled on the PIX with the fixup protocol smtp command; it is on by default as fixup protocol smtp 25. On PIX Software versions 4.0 and 4.1, the equivalent is the mailhost command.


To allow mail to flow with such server implementations, turn off Mailguard with the no fixup protocol smtp 25 command, and confirm the change with show fixup. Before implementing this workaround, be aware that with Mailguard disabled the PIX no longer tracks the SMTP command and response sequence: the port 25 session passes through as an uninspected TCP stream, so the mail server itself must be relied on to reject unsupported or malformed commands.

For more information, refer to Testing the PIX Firewall Mailguard Feature and Configuring Application Inspection (Fixup).
