Cisco Support Community
Possible compatibility problem with Cisco PIX firewall

We have now seen two cases where customers with a Cisco PIX firewall with the SMTP fixup protocol enabled are unable to send to us. The sending server will connect, our server sends the banner, and the remote side sends an SMTP 'QUIT'.

Our first customer simply disabled the SMTP fixup protocol. However, I can see where others might not be so forgiving. In fact, our second customer is unwilling to do so. I have opened an incident with IP support and asked my customer to do the same on the Cisco side.

Has anyone else seen something similar?

-James

2 REPLIES
Re: Possible compatibility problem with Cisco PIX firewall

Our Ironports are behind a Cisco PIX firewall.

We've never had any problems receiving or sending with SMTP "fixup" enabled - that we've heard of. HOWEVER - SMTP fixup does break ESMTP. This annoyed me as it meant that SMTP-TLS and maximum email size weren't provided to people connecting to us.

We turned off smtp fixup as I have more faith in the Ironport SMTP implementation than Cisco's antiquated view on SMTP.

Supposedly in later versions of the PIX code (like 7.x) ESMTP is supported, but these days the IronPorts are the only way SMTP leaves our network.

Re: Possible compatibility problem with Cisco PIX firewall

I have found that the Cisco PIX firewall with "SMTP fixup protocol" breaks TLS. The problem isn't unique to IronPort; it is a bug on the Cisco side. It looks like the "SMTP fixup protocol" allows the sending host to send STARTTLS, but does not allow the TLS session to start. I would suggest setting up a SenderGroup in which you don't offer STARTTLS, by specifically setting it to no TLS, and putting your known Cisco PIX firewall users who use the "SMTP fixup protocol" in it. This can also be fixed if the sending host configures their side to not attempt STARTTLS, since the Cisco "SMTP fixup protocol" is going to break it every time.

You can debug this problem further with an Injection Debug log set up for the sending host IP address.

Erich
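As an added illustration (not code from the original thread or from IronPort), the following Python classifier flags the two session signatures discussed above: the sender quitting right after the banner (the original question) and STARTTLS being accepted but never negotiated (Erich's observation). The transcript format and sample sessions are constructed for this example; the real Injection Debug log format differs.

```python
"""Classify SMTP session transcripts for the two failure signatures in the thread.

Transcript format (constructed, not the IronPort Injection Debug log format):
  'S: ...'  a line sent by our receiving server
  'C: ...'  a command sent by the remote (sending) host
  'X: ...'  a connection-level event noted by the log
"""

# Constructed sample sessions, not captured from a real mail exchange.
QUIT_AFTER_BANNER = [
    "S: 220 mail.example.net ESMTP",
    "C: QUIT",                       # remote side gives up right after the banner
    "S: 221 2.0.0 Bye",
]

STARTTLS_STALLED = [
    "S: 220 mail.example.net ESMTP",
    "C: EHLO relay.example.org",
    "S: 250-mail.example.net",
    "S: 250-STARTTLS",
    "S: 250 SIZE 20971520",
    "C: STARTTLS",
    "S: 220 2.0.0 Ready to start TLS",
    "X: connection closed by peer (no TLS ClientHello seen)",  # handshake never arrives
]

HEALTHY = [
    "S: 220 mail.example.net ESMTP",
    "C: EHLO relay.example.org",
    "S: 250-mail.example.net",
    "S: 250-STARTTLS",
    "S: 250 SIZE 20971520",
    "C: STARTTLS",
    "S: 220 2.0.0 Ready to start TLS",
    "X: TLS handshake complete TLSv1.2",
    "C: MAIL FROM:<sender@example.org>",
]


def classify(transcript):
    """Return 'quit-after-banner', 'starttls-never-negotiated' or 'normal'."""
    commands = [ln[3:].strip().upper() for ln in transcript if ln.startswith("C: ")]
    events = [ln[3:] for ln in transcript if ln.startswith("X: ")]
    if commands and commands[0] == "QUIT":
        return "quit-after-banner"
    if "STARTTLS" in commands and not any("TLS handshake complete" in e for e in events):
        return "starttls-never-negotiated"
    return "normal"
```

Sessions in the first two classes from the same sending IP are the candidates for the no-TLS SenderGroup described above.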
