I have a user that needed POP3 access to our Exchange server behind the PIX 515. I allowed access to port 110 and disabled Mailguard on the PIX in order to accomplish the task. My question is: what are the ramifications of disabling Mailguard? How much of a security breach is it? Because he is the only one using a POP3 account, I could make the case to have him use OWA.
I don't know why Mailguard (or fixup protocol smtp in newer versions) would need to be disabled in order for POP3 access to work, since POP3 is an entirely different protocol and Mailguard/fixup (see below) only limits SMTP-based commands.
When configured, Mailguard allows only the seven SMTP minimum-required commands as described in Section 4.5.1 of RFC 821. These seven minimum-required commands are: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. Other commands, such as KILL, WIZ, and so forth, are intercepted by the PIX and they are never sent to the mail server on the inside of your network. The PIX responds with an "OK" to even denied commands, so attackers would not know that their attempts are being thwarted.
NOTE: The PIX Software Mailguard feature sanitizes SMTP traffic. For PIX Software versions 4.0 and 4.1, the mailhost command is used to configure Mailguard. In PIX Software versions 4.2 and later, the command has been changed to fixup protocol smtp 25, and you will also need static and conduit statements for your mail server.
If you run MS Exchange (OWA = Outlook Web Access, so you almost assuredly do), you probably do want to disable Mailguard if Exchange's SMTP service is Internet-facing.
I would in general recommend enforcing OWA use over POP - POP allows them to take all of their mail with them, most likely off of your servers. This can present a bunch of problems - the user blows up all their old mail, security ramifications, etc.
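To make the Mailguard behaviour described above concrete, here is a small Python model (an added example, not Cisco's code or anything posted in this thread) of the command allowlist: it relays the seven RFC 821 commands, answers every other verb itself, and treats lines after DATA as message body rather than commands. The function names and the sample session are constructed; EHLO is included because Exchange speaks ESMTP, which is the usual reason Mailguard and an Internet-facing Exchange SMTP service do not get along.

```python
# Toy model of the PIX Mailguard allowlist described above (added example, not
# Cisco's code): which SMTP verbs the PIX relays inside and which it answers.

# The seven minimum-required commands of RFC 821 section 4.5.1.
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# The page only says the PIX answers "OK"; the 250 code is an assumption.
INTERCEPT_REPLY = "250 OK"


def mailguard_filter(client_lines, mailguard_enabled=True):
    """Return (verb, forwarded, reply) per client line. forwarded=True means
    the line reaches the inside mail server; otherwise the PIX answers with
    `reply`. Lines between DATA and the lone '.' are message body, not
    commands, so they are relayed untouched. Hypothetical function name."""
    results, in_data = [], False
    for line in client_lines:
        if in_data:  # message body: a line starting with "WIZ" is not a command
            results.append(("<body>", True, None))
            in_data = line.rstrip("\r\n") != "."
            continue
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if not mailguard_enabled or verb in MAILGUARD_ALLOWED:
            results.append((verb, True, None))
            in_data = verb == "DATA"
        else:
            # Intercepted: never sent inside, and the sender just sees "OK".
            results.append((verb, False, INTERCEPT_REPLY))
    return results


def intercepted_verbs(client_lines, mailguard_enabled=True):
    """Verbs the firewall swallowed in this session (constructed helper)."""
    return [v for v, fwd, _ in mailguard_filter(client_lines, mailguard_enabled)
            if not fwd]


# Constructed sample session. EHLO is the ESMTP greeting Exchange uses; it is
# not one of the seven, which is why Mailguard gets in Exchange's way.
SAMPLE_SESSION = [
    "EHLO mail.example.com",
    "HELO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.org>",
    "VRFY bob",
    "DATA",
    "Subject: test",
    "WIZ is just a word inside the message body",
    ".",
    "QUIT",
]
```

Running `mailguard_filter(SAMPLE_SESSION)` shows EHLO and VRFY answered by the firewall while the body line containing "WIZ" passes through, and with `mailguard_enabled=False` every line is relayed.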