02-27-2007 06:24 AM - edited 03-11-2019 02:38 AM
Hello,
How you explain that we you apply in configuration command inspect esmtp with pix version 7(2)1, there is some trouble with mail.
I'm using exchange server.
Thank you a lot.
Solved! Go to Solution.
03-07-2007 06:22 AM
In 7.2.x (including the latest 7.2.2 interim releases) there are bugs related to SMTP/ESMTP inspection. PIX inspection engine drops connections if it finds a registered header name, as "Content-type", inside another header of any kind. This can happen if you use SpamAssassin and configure it to save reports inside e-mail header, or a remarkable case is Gmail which uses control headers containing other header names as keywords.
The problem is that RFCs do not forbid the use of a header name inside another header, but PIX/ASA Os 7.2.x incorrectly detects this behaviour as "malicious" because it sees a duplicate header. So it's the PIX that is wrong, not the messages. I opened a TAC case for this bug about one month ago.
The bug is now recognized as CSCsh33982, a level 2 bug. If you look in the Bug Toolkit you'll find the bug and you'll see that it is fixed in version 7.2(2)12 and 8.x. OS 7.2(2)12 is an interim release, but it is not public. Actually, today I installed it and I have found that the bug is not fully fixed: sometimes Gmail inserts two headers with the same keywords inside a message and the ASA/PIX still drops these messages. A new bug has been recognized: CSCsi01498.
So, at the moment, the only correct suggestion I can give you is to disable SMTP/EMSTP inspection if you use PIX/ASA OS 7.2.x. At least remove it for the traffic originated by or directed to your mail server if you don't want to loose messages.
Another note: serious modern e-mail servers allow you to configure security features for their SMTP service comparable or even better than those provided by PIX inspection. Even MS Exchange can be configured properly.
02-27-2007 06:28 AM
because that is a "known" issue since version
6.x.
02-27-2007 06:46 AM
I believed that this problem was corrected with pix version 7.
02-27-2007 06:49 AM
I am running version 7.2(2) and my exchange
server is win2k3 w/ service pack 1 behind the
firewall and I am having intermittent issue
with mail until I do "no fixup protcol smpt 25"
and the issue goes away.
David
02-27-2007 07:05 AM
I have done the same to correct this problem. But i would like to know why ?? Some smtp doesn't respect RFC ?
02-27-2007 07:38 AM
hi all in the new ios. pix or ur asa can inspect EMSTP traffic to check for RFC compliance. now ur windows smtp or exchange server doesn;t use basic smtp commands it uses extended smtp commands called as ESMTP. for mail to work properly across firewall with rfc valid commands. set the inspect to ESMTP. i am sure this inspection is there by default.
regards
sebastan
02-27-2007 07:40 AM
i've found that:
CSCsg52277
I'm in 7.2(1) Probably corrected in 7.2(2)..
03-05-2007 10:38 AM
"I am running version 7.2(2) and my exchange
server is win2k3 w/ service pack 1 behind the
firewall and I am having intermittent issue
with mail until I do "no fixup protcol smpt 25"
and the issue goes away. "
in 7.2.2,there's no command as fixup".
we have inspect commands in 7.x
please correct.
03-07-2007 06:22 AM
In 7.2.x (including the latest 7.2.2 interim releases) there are bugs related to SMTP/ESMTP inspection. PIX inspection engine drops connections if it finds a registered header name, as "Content-type", inside another header of any kind. This can happen if you use SpamAssassin and configure it to save reports inside e-mail header, or a remarkable case is Gmail which uses control headers containing other header names as keywords.
The problem is that RFCs do not forbid the use of a header name inside another header, but PIX/ASA Os 7.2.x incorrectly detects this behaviour as "malicious" because it sees a duplicate header. So it's the PIX that is wrong, not the messages. I opened a TAC case for this bug about one month ago.
The bug is now recognized as CSCsh33982, a level 2 bug. If you look in the Bug Toolkit you'll find the bug and you'll see that it is fixed in version 7.2(2)12 and 8.x. OS 7.2(2)12 is an interim release, but it is not public. Actually, today I installed it and I have found that the bug is not fully fixed: sometimes Gmail inserts two headers with the same keywords inside a message and the ASA/PIX still drops these messages. A new bug has been recognized: CSCsi01498.
So, at the moment, the only correct suggestion I can give you is to disable SMTP/EMSTP inspection if you use PIX/ASA OS 7.2.x. At least remove it for the traffic originated by or directed to your mail server if you don't want to loose messages.
Another note: serious modern e-mail servers allow you to configure security features for their SMTP service comparable or even better than those provided by PIX inspection. Even MS Exchange can be configured properly.
03-07-2007 06:25 AM
Great answer !
03-07-2007 06:28 AM
hi man u have a great and a detailed understanding of the smtp protocol man not even ccie;s out here know the inner working of things like this. keep it up and keeps us updated on stuff like this.
just curious to know how did u find out this was the problem.
regards
sebastan
03-07-2007 06:41 AM
I discovered the problem at the beginning of january because our e-mail servers could not receive a lot of messages. I understood that it was related to the upgrade of PIX OS from 7.1.x (yes, in 7.1.x ESMTP inspection works, but is less accurate than in 7.2.x) to 7.2.2.
It's not true that I have a deep understanding of SMTP protocol. I debugged PIX behaviour with the help of a Cisco engineer, I analyzed blocked messages, then I studied a lot of RFCs (but I understood only what I needed to understand the problem).
I hope that my message could help you. I hope that the TAC cases I have opened help Cisco fix this 7.2.x OS that I believe is too much buggy.
03-07-2007 06:43 AM
hi buddy thanks a lot for ur reply.
i guess but the 7.2.2 code was just of bug fixes and suggested by cisco as the stable version.
regards
sebastan
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: