Solved: PIX 515E and telneting to port 25

markd · ‎03-16-2006

When I telnet (in or out) to a mailserver (using port 25) the response is:

220-*******************

and all commands come back as "Invalid Command"

When I put the old (non-pix) firewall back in, this doesn't happen (the responses are complete and commands work fine.)

A lot of email is coming and going, but some email servers can't send us email.

Is this common for a mis-configuration and where should I look?

Thanks,

Mark

Patrick Iseli · ‎03-16-2006

Remove the fixup protocol smtp 25 !

command to execute:

no fixup protocol smtp

Details about that:

The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into X's which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

Note During an interactive SMTP session, various SMTP security rules may reject or deadlock your Telnet session. These rules include the following: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.

As of PIX Firewall software Version 5.1 and higher, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0 " characters. Carriage return (CR) and linefeed (LF) characters are ignored.

In PIX Firewall software Version 4.4, all characters in the SMTP banner are converted to asterisks.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

sincerely

Patrick

View solution in original post

Patrick Iseli · ‎03-16-2006

Remove the fixup protocol smtp 25 !

command to execute:

no fixup protocol smtp

Details about that:

The fixup protocol smtp command enables the Mail Guard feature, which only lets mail servers receive the RFC 821, section 4.5.1, commands of HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. All other commands are translated into X's which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

Note During an interactive SMTP session, various SMTP security rules may reject or deadlock your Telnet session. These rules include the following: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.

As of PIX Firewall software Version 5.1 and higher, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0 " characters. Carriage return (CR) and linefeed (LF) characters are ignored.

In PIX Firewall software Version 4.4, all characters in the SMTP banner are converted to asterisks.

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

sincerely

Patrick

markd · ‎03-16-2006

Thanks, Patrick.

I'll give that a try. I might not get to test it until early next week because of other issues, but I'll mark this guy fixed if that takes care of it.

Mark

markd · ‎03-24-2006

That did it. Thanks! I was actually experiencing two problems. There is a local school that couldn't get email to us, but it seems that they are getting black listed by several ISPs and are finding it very difficult to get their email delivered. This didn't fix that problem, but we seem to get everyone else, including the spammers!

Mark