Our network is secured by a Cisco PIX Firewall. Our MS-Exchange Server resides on the DMZ of the PIX, and the MS-W2K domain controllers are on the inside interface of the PIX Firewall. We have joined the MS-Exchange Server to the internal W2K domain, which is inside the PIX.
It is known that if we enable the Mail Guard (fixup protocol smtp 25) on PIX, Exchange Servers & MS-Outlook clients may function unpredictably when their communication passes through PIX.
[This is because MS-Exchange Server does not strictly comply with RFC 821, section 4.5.1. If Mail Guard is enabled, the PIX restricts MS-Exchange Server to receiving only 7 SMTP commands (HELO, MAIL, RCPT, DATA, RSET, NOOP & QUIT), whereas MS-Exchange Server uses extended SMTP commands such as EHLO. The PIX converts such commands into NOOP commands, forcing MS-Exchange Server to fall back to using the minimal SMTP commands. Thus the unpredictable functioning of MS-Exchange Server.]
Is there any workaround for this problem, other than disabling the Mail Guard (no fixup protocol smtp 25)? If we disable Mail Guard, how badly will it affect the network security? Please reply.
Awaiting your reply at the earliest & Thanking you in advance.
Are you talking about a Front-End/Back-end configuration? Is the server in your DMZ a front end server? If so, you could slap another NIC card in it, and give it an IP address on your Internal subnet. That will make it pretty easy.
There might be times when it is necessary to disable one of the default fixup protocol commands. For example, your company might develop e-mail software and use the PIX to separate the test network from the corporate network. In this case, you might want to allow more commands than HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT to travel through the PIX, and using the no form of the fixup protocol command will disable the feature. An example of removing the Mailguard feature is as follows:
no fixup protocol smtp 25
And this is from a webcast message from Microsoft, not so long ago:
"With PIX firewalls, when we have a problem communicating inbound or outbound through a PIX firewall, and they have the MailGuard feature enabled, what we see every single time, if we connect using Telnet, is that the banner is unique. The banner is clearly a PIX banner, a MailGuard banner. It's distinct. It's a bunch of asterisks and some other stuff there. When you issue the EHLO command, you get nothing back, because they squelch the EHLO command. Is there a way to fix that? The official solution that we've recommended to customers, and this is based on a KB article that Cisco put out and some discussions that we had with Cisco, is to turn off MailGuard. If that's not an acceptable solution, I think that you'll have to do a little bit of research between Cisco and our KB articles to try to figure that one out. That's a tricky one."
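A small diagnostic for the two symptoms the webcast quote describes, written here as an added example (it is not code from this thread, from Cisco or from Microsoft): it reads the SMTP banner, sends EHLO, and reports whether the banner has been masked with asterisks or EHLO came back without an ESMTP extension list. The host names and sample replies are constructed.

```python
import socket

# Constructed sample replies for offline checks (not captured from any real server).
NORMAL_BANNER = "220 mail.example.test Microsoft ESMTP MAIL Service ready\r\n"
NORMAL_EHLO = "250-mail.example.test Hello\r\n250-SIZE 20971520\r\n250-STARTTLS\r\n250 OK\r\n"
MASKED_BANNER = "220 **************************************\r\n"
SQUELCHED_EHLO = "250 OK\r\n"   # EHLO rewritten to NOOP: a bare 250 with no extension list

def parse_reply(raw):
    """Split a raw SMTP reply into (code, [text lines]); code is None if unparsable."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        return None, lines
    return int(lines[0][:3]), [ln[4:] for ln in lines]

def banner_is_masked(banner):
    """True when the 220 greeting text is mostly asterisks (the Mail Guard banner)."""
    code, text = parse_reply(banner)
    body = "".join(text).strip()
    return code == 220 and bool(body) and body.count("*") >= len(body) * 0.8

def ehlo_status(reply):
    """Classify the EHLO reply: 'esmtp', 'squelched' (250 with no extensions),
    'rejected' (500/502), 'none' (nothing came back) or 'unknown'."""
    if not reply.strip():
        return "none"
    code, text = parse_reply(reply)
    if code == 250:
        return "esmtp" if len(text) > 1 else "squelched"
    if code in (500, 502):
        return "rejected"
    return "unknown"

def diagnose(banner, ehlo_reply):
    """True when the path looks like it passes through an SMTP fixup that strips ESMTP."""
    return banner_is_masked(banner) or ehlo_status(ehlo_reply) != "esmtp"

def probe(host, port=25, timeout=5.0):
    """Live check against your own server: read the banner, send EHLO, read the reply, QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(4096).decode("ascii", "replace")
        s.sendall(b"EHLO probe.example.test\r\n")   # hypothetical client name
        ehlo = s.recv(4096).decode("ascii", "replace")
        s.sendall(b"QUIT\r\n")
    return banner, ehlo, diagnose(banner, ehlo)
```

Run probe() from both sides of the PIX against the Exchange server: a masked banner or a squelched EHLO on only one side confirms the fixup, not the server, is the cause.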