Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MS-Exchange Server in DMZ & SMTP


Our network is secured by Cisco PIX Firewall. Our MS-Exchange Server resides on the DMZ of the PIX and MS-W2K domain controllers are in the inside interface of the PIX FIrewall. We have joined the MS-Exchange Server to the internal W2K domain which is inside the PIX.

It is known that if we enable the Mail Guard (fixup protocol smtp 25) on PIX, Exchange Servers & MS-Outlook clients may function unpredictably when their communication passes through PIX.

[This is because MS-Exchange Server do not strictly comply with RFC 821, section 4.5.1. If Mail Guard is enabled PIX restricts MS-Exchange Server to receive only 7 SMTP commands (HELO, MAIL, RCPT, DATA, RSET, NOOP & QUIT), whereas MS-Exchange Server use extended SMTP commands such as EHLO. PIX converts such commands into NOOP commands, forces MS-Exchange server to fall back to using minimal SMTP commands. Thus unpredictable functioning of MS-Exchange Server]

Is there any workaround for this problem, other than disabling the Mail Guard (no fixup protocol smtp 25)? If we disable Mail Guard, how worse it will affect the network security? Please reply.

Awaiting your reply at the earliest & Thanking you in advance.

Best regards

Anoop K Narayanan

New Member

Re: MS-Exchange Server in DMZ & SMTP

Are you talking about a Front-End/Back-end configuration? Is the server in your DMZ a front end server? If so, you could slap another NIC card in it, and give it an IP address on your Internal subnet. That will make it pretty easy.


Re: MS-Exchange Server in DMZ & SMTP

Hi Anoop,

The following might be worth a read...

There might be times when it is necessary to disable one of the default fixup protocol commands. For example, if your company develops e-mail software and the PIX is used to separate the test network from the corporate network. In this case, you might want to allow more commands than HELLO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT to travel through the PIX. In this case, using the no form of the fixup protocol command will disable the feature. An example of removing the Mailguard feature is as follows:

no fixup protocol smtp 25

And this is a webcast message from Microsoft, not so long ago..

"With PIX firewalls, when we have a problem communicating inbound or outbound through a PIX firewall, and they have the MailGuard feature enabled, what we see every single time, if we connect using Telnet, is the banner is unique. The banner is clearly a PIX banner, a MailGuard banner. It’s distinct. It’s a bunch of asterisks and some other stuff there. When you issue the EHLO command, you get nothing back, because they squelch the EHLO command. Is there a way to fix that? The official solution that we’ve recommended to customers, and this is based on a KB article that Cisco put out and some discussions that we had with Cisco, is to turn off MailGuard. If that’s not an acceptable solution, I think that you’ll have to do a little bit of research between Cisco and our KB articles to try to figure that one out. That’s a tricky one."

Thanks - Jay