I work in a call center for a very well known MFP company. We have a customer that has a Cisco 506e Pix Firewall with the Mailguard feature enabled (default). When they send an email from our MFP, the EHLO command is rejected (only when using SMTP Auth). I have read tons of info on this saying to disable the Mailguard with "no fixup protocol smtp 25". The customer is reluctant to do this due to security concerns. Sooo we came across a doc that says to update the PIX OS and thus it will now allow the EHLO command through. Well, the question is: will they still be able to have the Mailguard enabled with SMTP Auth? If it is disabled, is it really that big of a security risk? Thanks in advance.
1. With the "inspect ESMTP", can the customer still run the Mailguard feature if they are using SMTP Auth? The customer states that after upgrading they still have to use the no fixup SMTP command, which disables Mailguard. If the new version allows EHLO and Auth, why does Mailguard still need to be disabled?
2. On the previous version, when no SMTP Auth is used, the sent EHLO command is rejected, but then a RSET is sent, then the HELO command is sent and accepted. Why does this behave differently with SMTP Auth, where the client does not RSET and send the HELO, it simply sends a QUIT? I attached some screenshots that may help you.
Hi Fernando, I have done more research on this inspect esmtp command. Sounds like it's going to be the fix. Do we disable the fixup smtp then enable the inspect esmtp, or does it automatically do it? Is it still called Mailguard? Your advice was very helpful and I thank you again for your time. Andy Amato