
New Member

fixup protocol smtp

Hi, I am about to open mail communications for a server in my internal network. I read there are problems with the default config line "fixup protocol smtp". Should I disable this line? Is there any security problem if so? Thank you very much in advance.

2 REPLIES
Cisco Employee

Re: fixup protocol smtp

The SMTP fixup only allows the 7 standard SMTP commands (as defined in RFC 821 (ftp://ftp.rfc-editor.org/in-notes/rfc821.txt, section 4.5.1)) through to your inside mail server. Everything else is intercepted by the PIX and asterisk'd out so that your server will see it and just respond with an error. This keeps your internal mail server secure from a lot of exploits (albeit quite old nowadays) that utilised some of the other SMTP commands.

Now having said that, if your internal mail server is an Exchange server then you need to turn off the fixup because Exchange uses ESMTP (Extended SMTP) and will not work with only the 7 minimum commands.

As for whether this is a security problem, it all depends on your mail server. Turning off the fixup merely moves some of the security from the PIX and onto your mail server. The PIX will still only allow TCP/25 through to it (assuming that's all you've specified in your access-list), so any security issues can only arise if your mail server has some vulnerability in its mail server application. You simply need to make sure you keep it up to date with any patches or the like that become available from your mail server vendor.
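
A simplified model of the filtering described in the reply above, as an added example that is not part of the original thread and is not PIX code. The function name, the whole-line asterisk masking and the sample session are assumptions made for illustration; the allowed set is the RFC 821 section 4.5.1 minimum.

```python
# Added illustration: a simplified model of the command filtering described
# in the reply. Not PIX code; masking the whole line is an assumption.

# Minimum command set from RFC 821 section 4.5.1.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def filter_client_stream(lines):
    """Return (forwarded_lines, masked_verbs) for client-to-server SMTP lines."""
    forwarded, masked = [], []
    in_data = False  # True while the client is sending the message body
    for line in lines:
        if in_data:
            # Body text is not a command; pass it through until the lone "."
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ALLOWED:
            forwarded.append(line)
            # Simplification: assume the server accepts DATA with a 354 reply.
            in_data = verb == "DATA"
        else:
            # Mask the line so the server sees an unknown command and
            # answers with an error (length kept the same in this model).
            forwarded.append("*" * len(line))
            masked.append(verb)
    return forwarded, masked


# Constructed sample session: an ESMTP client talking through the filter.
SAMPLE_SESSION = [
    "EHLO mail.example.org",
    "HELO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: test",
    "EHLO inside the body is just text",
    ".",
    "VRFY bob",
    "QUIT",
]

if __name__ == "__main__":
    out, masked = filter_client_stream(SAMPLE_SESSION)
    for before, after in zip(SAMPLE_SESSION, out):
        print(f"{before!r:45} -> {after!r}")
    print("masked verbs:", masked)
```

The masked `EHLO` is why an ESMTP-only server stops working behind the fixup, while the same verb inside the message body passes untouched.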

New Member

Re: fixup protocol smtp

Thank you very much for the information!!
