
Cisco PIX SMTP Issues

andyamato
Level 1

I work in a call center for a very well known MFP company. We have a customer that has a Cisco 506e Pix Firewall with the Mailguard feature enabled (default). When they send an email from our MFP, the EHLO command is rejected (only when using SMTP Auth). I have read tons of info on this saying to disable the Mailguard with "no fixup protocol smtp 25". The customer is reluctant to do this due to security concerns. Sooo we came across a doc that says to update the PIX OS and thus it will now allow the EHLO command through. Well, the question is: will they still be able to have the Mailguard enabled with SMTP Auth? If it is disabled, is it really that big of a security risk? Thanks in advance.


Fernando_Meza
Level 7

Hi .. indeed, if you update to code 7.X then you can use inspect esmtp, which provides the same functionality as fixup smtp but also adds support for more commands such as: AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML and VRFY

I hope it helps .. please rate it if it does !!

Hi Fernando, Ok so the customer upgrades to 7.x.

1. With the "inspect ESMTP", can the customer still run the Mailguard feature if they are using SMTP Auth? The customer states that after upgrading they still have to use the no fixup SMTP command, which disables Mailguard. If the new version allows EHLO and Auth, why does Mailguard still need to be disabled?

2. On the previous version, when no SMTP Auth is used, the sent EHLO command is rejected, but then a RSET is sent, then the HELO command is sent and accepted. Why does this behave differently with SMTP Auth, where the client does not RSET and send the HELO, it simply sends a QUIT? I attached some screen shots that may help you.

Thanks again, Andy

Hi Fernando, I have done more research on this inspect esmtp command. Sounds like it's going to be the fix. Do we disable the fixup smtp then enable the inspect esmtp, or does it automatically do it? Is it still called Mailguard? Your advice was very helpful $$ and I thank you again for your time. Andy Amato

Just upgrade, it will be done automatically.

Hi, you don't need to disable, just upgrade to code 7.0 and make sure the inspection global policy is enabled. There are no fixups anymore on code 7.X; they have been superseded by inspect, as below.

NOTE: Mail guard is another way of referring to the fixup smtp feature in code 6.X and inspect esmtp in code 7.0, which provides protection for SMTP (mail).

class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect sqlnet
  inspect h323 ras
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect esmtp
  inspect netbios
  inspect sip
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect http
  inspect icmp
  inspect rsh
  inspect ftp
  inspect ils
  inspect h323 h225
  inspect dns
  inspect skinny
!
service-policy global-policy global

I hope it helps ...
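The exchange discussed in this thread (EHLO refused under fixup smtp, HELO fallback only when no SMTP Auth is needed, both working under inspect esmtp), as an added Python example that is not part of the original posts or Cisco's code. It is a simplified model: the fixup smtp allow list is the RFC 821 minimum command set, the extra inspect esmtp commands are the ones listed in the reply above, and the client name, reply texts and single-step AUTH are constructed.

```python
# Added illustration: a simplified model of the filter, not Cisco code.
FIXUP_SMTP = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # RFC 821 minimum
# Extra commands the thread lists for "inspect esmtp" on code 7.x.
INSPECT_ESMTP = FIXUP_SMTP | {"AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY"}


def reply_through_filter(allowed, line):
    """Reply the client sees after `line` crosses a filter with this allow list."""
    verb = line.split()[0].upper()
    if verb not in allowed:
        return "500 command unrecognized"      # constructed reply text
    if verb == "EHLO":
        return "250 AUTH PLAIN"                # constructed capability list
    if verb == "AUTH":
        return "235 authentication successful"
    return "221 bye" if verb == "QUIT" else "250 OK"


def greet(allowed, need_auth):
    """Play the client's opening commands; return (commands sent, outcome)."""
    sent = []

    def ok(line):
        sent.append(line.split()[0])
        return reply_through_filter(allowed, line)[0] == "2"

    if ok("EHLO mfp.example"):                 # hypothetical client name
        if not need_auth or ok("AUTH PLAIN <credentials>"):
            return sent, "ready"
    elif not need_auth:
        # Plain SMTP needs no extensions, so the client can retry with HELO.
        ok("RSET")
        if ok("HELO mfp.example"):
            return sent, "ready"
    # No usable path: AUTH is only offered in an EHLO response, so a client
    # that must authenticate has no HELO fallback and gives up.
    ok("QUIT")
    return sent, "abort"


if __name__ == "__main__":
    for name, allowed in (("fixup smtp", FIXUP_SMTP), ("inspect esmtp", INSPECT_ESMTP)):
        for need_auth in (False, True):
            print(name, "auth" if need_auth else "no auth", *greet(allowed, need_auth))
```
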
