Cisco Support Community
New Member

Disable MailGuard on PIX 515

I have a user that needed pop3 access to our exchange server behind the PIX 515. I allowed access to port 110 and disabled mailguard on the PIX in order to accomplish the task. My question is what are the ramifications of disabling mailguard? How much of a security breach is it? Because he is the only one using a pop3 account I could make the case to have him use OWA.

Thanks

3 REPLIES
New Member

Re: Disable MailGuard on PIX 515

I don't know why mailguard (or fixup protocol smtp in newer versions) would need to be disabled in order for pop3 access to work, since pop3 is an entirely different protocol and mailguard or fixup (see below) is only limiting SMTP-based commands.

When configured, Mailguard allows only the seven SMTP minimum-required commands as described in Section 4.5.1 of RFC 821. These seven minimum-required commands are: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. Other commands, such as KILL, WIZ, and so forth, are intercepted by the PIX and they are never sent to the mail server on the inside of your network. The PIX responds with an "OK" to even denied commands, so attackers would not know that their attempts are being thwarted.

NOTE: The PIX Software Mailguard feature sanitizes SMTP traffic. For PIX Software versions 4.0 and 4.1, the mailhost command is used to configure Mailguard. In PIX Software versions 4.2 and later, the command has been changed to fixup protocol smtp 25, and you will also need static and conduit statements for your mail server.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml
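The allowlist behaviour quoted in the reply above, modelled as an added example (not part of the original post and not Cisco's code). The function name, the sample session and the exact "250 OK" reply text are assumptions made for illustration.

```python
# Model of the filtering quoted above: only the seven RFC 821 minimum
# commands reach the inside mail server; anything else is answered by
# the filter itself and never forwarded.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
DENIED_REPLY = "250 OK"  # assumed wording; the page only says the PIX answers "OK"


def filter_session(lines):
    """Return (forwarded, intercepted) for a list of client-side SMTP lines."""
    forwarded, intercepted = [], []
    in_data = False  # True while the client is sending the message body
    for raw in lines:
        text = raw.rstrip("\r\n")
        if in_data:
            # Body lines are not commands, so they are not checked against
            # the allowlist; a lone "." ends the body.
            forwarded.append(text)
            if text == ".":
                in_data = False
            continue
        parts = text.split(None, 1)
        verb = parts[0].upper() if parts else ""  # SMTP verbs are case-insensitive
        if verb in ALLOWED:
            forwarded.append(text)
            # Assumption: the server accepts DATA (354), so the body follows.
            in_data = verb == "DATA"
        else:
            intercepted.append((text, DENIED_REPLY))
    return forwarded, intercepted


# Constructed sample session (not captured traffic).
SESSION = [
    "EHLO client.example",         # not one of the seven commands
    "HELO client.example",
    "MAIL FROM:<a@example.com>",
    "RCPT TO:<b@example.com>",
    "WIZ",                         # denied command named in the quoted text
    "DATA",
    "Subject: test",
    "KILL is only body text here",
    ".",
    "quit",
]

if __name__ == "__main__":
    fwd, blocked = filter_session(SESSION)
    print("forwarded to server:", fwd)
    print("answered by filter: ", blocked)
```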

New Member

Re: Disable MailGuard on PIX 515

Thanks.

Silver

Re: Disable MailGuard on PIX 515

If you run MS exchange (OWA = outlook web access, so you almost assuredly do), you do probably want to disable mailguard if exchange's smtp service is internet facing.

I would in general recommend enforcing OWA use over POP - POP allows them to take all of their mail with them, off of your servers most likely. This can present a bunch of problems - user blows up all their old mail, security ramifications, etc.

Matt
