[c-nsp] PIX error using fixup smtp

Brian Feeny signal at shreve.net
Wed Nov 10 20:47:05 EST 2004
But it shouldn't happen.  Normal behavior of Mailguard/fixup 25 is:

Brians-G5:~ brianfeeny$ telnet mail.shreve.net 25
Trying 207.254.192.4...
Connected to mercury.shreve.net.
Escape character is '^]'.
220 **02*****************
EHLO shreve.net
502 unimplemented (#5.5.1)
HELO shreve.net
250 mx02.shreve.net

The PIX doesn't allow things like EHLO, so the client uses HELO, and life goes on. And regardless of the action taken by the client, this is not a client problem.

In the "broken" scenario I am talking about, the connection is severed, and there is a TCP sequencing error seen on the PIX. This problem is most likely, IMHO, a bug in the PIX or the OS X TCP stack.

We run tens of thousands of email accounts behind fixup 25; we have done this with qmail/sendmail and other mail servers with no problem, all of them on Linux (x86). We use 6.3(3) of the PIX OS. The only thing different here is that now it's talking to Mac OS X, and I am just trying to get a handle on whether this is a PIX or Mac OS X problem.

Brian

On Nov 10, 2004, at 7:35 PM, Paul Stewart wrote:

> Yes... Happens to us when running mail servers behind PIX.. We end up
> turning off fixup on SMTP.. Perhaps better answer but that's what we
> always do
>
> Paul
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
> Sent: Wednesday, November 10, 2004 5:32 PM
> To: 'cisco-nsp at puck.nether.net'
> Subject: [c-nsp] PIX error using fixup smtp
>
>
>
>
> I have a PIX running 6.3(3) and it has fixup smtp enabled.
>
> When a remote client tries to send an unsupported command, such as
> EHLO, I am seeing the mail server drop the connection immediately.  On
> the PIX the following is logged:
>
> pixfirewall# smtp_response: (192.168.1.9/25 -> 207.254.193.98/56062)
> smtp_cmd: (192.168.1.9/25 <- 207.254.193.98/56062)
>          smtp_cmd: initial cmd = ehlo , enter reply mode
>          smtp: nullify <ehlo > command
> smtp_response: (192.168.1.9/25 -> 207.254.193.98/56062)
>          entering command mode
> out-of-order segment (192.168.1.9/25 -> 207.254.193.98/56062)
>           received = 68131394, expected = 68131367
> pixfirewall# smtp_response: (192.168.1.9/25 -> 199.181.134.30/53591)
> smtp_cmd: (192.168.1.9/25 <- 199.181.134.30/53591)
>          smtp_cmd: initial cmd = ehlo , enter reply mode
>          smtp: nullify <ehlo > command
> smtp_response: (192.168.1.9/25 -> 199.181.134.30/53591)
>          entering command mode
> out-of-order segment (192.168.1.9/25 -> 199.181.134.30/53591)
>           received = 68136337, expected = 68136310
> smtp_cmd: (192.168.1.9/25 <- 199.181.134.30/53591)
>          smtp_cmd: cmd = helo  entering reply mode
> out-of-order segment (192.168.1.9/25 <- 199.181.134.30/53591)
>           received = 3280724322, expected = 3280724291
>          rollback next sequence 3280724322 by 31 bytes
>          packet: <>
> out-of-order segment (192.168.1.9/25 <- 199.181.134.30/53591)
>           received = 3280724322, expected = 3280724291
>
>
> The mail server software is 4D WebStar (runs on Mac OS X).  Does anyone
> know of any issues with the PIX code that may be happening here?  This
> is a PIX 501.
>
>
> Brian
>
>
>
> ---------------------------------------------
> Brian Feeny, CCIE #8036, CISSP    e: signal at shreve.net
> Network Engineer                  p: 318.213.4709
> ShreveNet Inc.                    f: 318.221.6612
>
>
---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
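The exchange Brian shows above (banner masked to asterisks, EHLO rejected with a 502, client falling back to HELO) as an added, self-contained simulation; this is editor-supplied example code, not code from the original post, from Cisco, or from 4D WebStar. It runs a toy SMTP server and a client over a local socketpair with a Mailguard-style filter in between. The filter rules are assumptions inferred from the transcript and the PIX debug output, not taken from PIX source: the banner keeps only the reply code, the digits 2 and 0 and spaces (which is how "220 mx02..." becomes "220 **02***"), and a verb outside the RFC 821 minimum set is overwritten with X's before being forwarded, which is what "nullify <ehlo > command" is modelled as here. The banner string, host names and the 502 text are constructed to match the page.

```python
import socket
import threading

# Verbs Mailguard passes to the server (RFC 821 minimum set). Anything else,
# EHLO included, is nullified and the server is left to reject it. Assumed rule.
ALLOWED = frozenset({"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})

SERVER_BANNER = "220 mx02.shreve.net"   # constructed stand-in for the real greeting


def mask_banner(banner: str) -> str:
    """Obfuscate the 220 greeting the way the transcript shows: the reply code
    survives; in the text only the digits 2 and 0 and spaces do (assumed rule,
    inferred from '220 **02****...' on the page)."""
    code, _, text = banner.partition(" ")
    return code + " " + "".join(c if c in "20 " else "*" for c in text)


def nullify(line: str) -> str:
    """Model of 'smtp: nullify <ehlo > command': the verb of a command outside
    ALLOWED is overwritten (assumed: with X's of the same length) before it is
    forwarded, so the server sees an unknown verb and answers with an error."""
    verb, sep, rest = line.partition(" ")
    if verb.upper() in ALLOWED:
        return line
    return "X" * len(verb) + sep + rest


def server_reply(line: str) -> str:
    """Minimal stand-in for the mail server behind the PIX (constructed)."""
    verb = line.split(" ", 1)[0].upper()
    if verb in ("HELO", "EHLO"):
        return "250 mx02.shreve.net"
    if verb == "QUIT":
        return "221 mx02.shreve.net"
    return "502 unimplemented (#5.5.1)"   # the reply seen in the transcript


def readline(sock: socket.socket) -> str:
    """Read one CRLF-terminated SMTP line (byte at a time; fine for a demo)."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def serve(sock: socket.socket, fixup: bool) -> None:
    """Server side of one session; with fixup=True the Mailguard model sits
    in front of the server on both the banner and the command path."""
    banner = mask_banner(SERVER_BANNER) if fixup else SERVER_BANNER
    sock.sendall(banner.encode() + b"\r\n")
    while True:
        line = readline(sock)
        if not line:
            break
        forwarded = nullify(line) if fixup else line
        sock.sendall(server_reply(forwarded).encode() + b"\r\n")
        if forwarded.upper().startswith("QUIT"):
            break
    sock.close()


def client_greet(sock: socket.socket, hostname: str = "shreve.net") -> tuple:
    """Client side: read the banner, try EHLO, fall back to HELO on a 5xx
    reply, which is the behaviour the telnet session above illustrates."""
    banner = readline(sock)
    if not banner.startswith("220"):
        raise RuntimeError("unexpected greeting: " + banner)
    for verb in ("EHLO", "HELO"):
        sock.sendall(f"{verb} {hostname}\r\n".encode())
        reply = readline(sock)
        if reply.startswith("250"):
            return verb, banner
        if not reply.startswith("5"):
            raise RuntimeError(f"{verb} got unexpected reply: {reply}")
    raise RuntimeError("neither EHLO nor HELO was accepted")


def run_session(fixup: bool) -> tuple:
    """Run client and (filtered) server over a socketpair; return which
    greeting verb succeeded and the banner the client saw."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve, args=(server, fixup), daemon=True)
    t.start()
    try:
        result = client_greet(client)
        client.sendall(b"QUIT\r\n")
        readline(client)
    finally:
        client.close()
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    for fixup in (True, False):
        verb, banner = run_session(fixup)
        state = "on " if fixup else "off"
        print(f"fixup smtp {state}: banner={banner!r}, greeting accepted with {verb}")
```

The fixup=True run reproduces the page's transcript (masked banner, EHLO refused, HELO accepted); the fixup=False run shows what Paul's workaround of turning the fixup off buys you: EHLO succeeds, but the banner masking and the command filtering go away with it. The severed-connection case Brian reports, where the PIX logs an out-of-order segment after nullifying EHLO, is a failure of the inspection engine itself and is not modelled here.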
