Hi, I am about to open mail communications for a server in my internal network. I read there are problems with the default config line "fixup protocol smtp". Should I disable this line? Is there any security problem if so? Thank you very much in advance.
The SMTP fixup only allows the 7 standard SMTP commands (as defined in RFC 821 (ftp://ftp.rfc-editor.org/in-notes/rfc821.txt, section 4.5.1)) through to your inside mail server. Everything else is intercepted by the PIX and asterisked out, so your server will see it and just respond with an error. This keeps your internal mail server secure from a lot of exploits (albeit quite old nowadays) that utilised some of the other SMTP commands.
Now having said that, if your internal mail server is an Exchange server then you need to turn off the fixup because Exchange uses ESMTP (Extended SMTP) and will not work with only the 7 minimum commands.
As for whether this is a security problem, it all depends on your mail server. Turning off the fixup merely moves some of the security from the PIX and onto your mail server. The PIX will still only allow TCP/25 through to it (assuming that's all you've specified in your access-list), so any security issues can only arise if your mail server has some vulnerability in its mail server application. You simply need to make sure you keep it up to date with any patches or the like that become available from your mail server vendor.
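To make the behaviour described in the answer above concrete, here is a small simulation of what the fixup does to an SMTP command stream. This is an added example, not Cisco code and not part of the original thread: the seven permitted verbs are those from RFC 821 section 4.5.1, and the masking character and the toy server's replies are assumptions chosen to match the answer's description.

```python
"""Simulation of the PIX "fixup protocol smtp" (Mail Guard) command filter.

Added illustration, not Cisco's implementation. Assumptions: the fixup passes
the seven RFC 821 minimum commands unchanged and replaces the verb of any
other command with '*' characters (the masking character is an assumption),
so the inside server sees an unknown command and answers with a 5xx error.
"""

# RFC 821 section 4.5.1 minimum implementation.
RFC821_MINIMUM = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def mailguard_filter(line: str) -> str:
    """Return the command line as the inside server sees it through the fixup."""
    verb, sep, rest = line.partition(" ")
    if verb.upper() in RFC821_MINIMUM:
        return line
    # Verb is masked; the argument is left alone, as the answer describes.
    return "*" * len(verb) + sep + rest


def toy_server(line: str, extended: bool) -> str:
    """Stand-in for the inside mail server. `extended` means it speaks ESMTP
    (as Exchange does) and therefore expects EHLO to work."""
    verb = line.split(" ", 1)[0].upper()
    if verb == "HELO":
        return "250 mail.example.local"
    if verb == "EHLO" and extended:
        # ESMTP greeting: a multi-line 250 listing the supported extensions.
        return "250-mail.example.local\r\n250 STARTTLS"
    if verb in RFC821_MINIMUM:
        return "250 OK"
    return "500 Syntax error, command unrecognized"


def run_session(commands, fixup_enabled: bool, extended: bool):
    """Drive client commands through (optionally) the fixup and return a list of
    (line as seen by the server, server reply) pairs."""
    transcript = []
    for cmd in commands:
        seen = mailguard_filter(cmd) if fixup_enabled else cmd
        transcript.append((seen, toy_server(seen, extended)))
    return transcript


if __name__ == "__main__":
    # Constructed sample session from an ESMTP client such as Exchange.
    client = ["EHLO mail.partner.example", "MAIL FROM:<a@partner.example>",
              "VRFY postmaster", "QUIT"]
    for enabled in (True, False):
        print(f"--- fixup {'on' if enabled else 'off'} ---")
        for seen, reply in run_session(client, enabled, extended=True):
            print(f"C: {seen}\nS: {reply}")
```

With the fixup on, the EHLO arrives at the server as `**** mail.partner.example` and gets a 500, which is exactly why an ESMTP-only peer (Exchange to Exchange) fails; a well-behaved ESMTP client is supposed to fall back to HELO after a 5xx to EHLO, but it then loses every extension it needed. The same masking is what stops a non-RFC-821 command such as VRFY from ever reaching the server, which is the protection you give up when you turn the fixup off.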