[c-nsp] PIX error using fixup smtp
Brian Feeny
signal at shreve.net
Wed Nov 10 20:47:05 EST 2004
But it shouldn't happen. Normal behavior of Mailguard/fixup 25 is:
Brians-G5:~ brianfeeny$ telnet mail.shreve.net 25
Trying 207.254.192.4...
Connected to mercury.shreve.net.
Escape character is '^]'.
220 **02*****************
EHLO shreve.net
502 unimplemented (#5.5.1)
HELO shreve.net
250 mx02.shreve.net
The PIX doesn't allow things like EHLO, so the client uses HELO, and life goes on. And regardless of the action taken by the client, this is not a client problem.
In the "broken" scenario I am talking about, the connection is severed, and there is a TCP sequencing error seen on the PIX. This problem is most likely IMHO a bug in the PIX or the OS X TCP stack.
We run tens of thousands of email accounts behind fixup 25; we have done this with Qmail/sendmail and other mail servers with no problem. All of them on Linux (x86). We use 6.3(3) of the PIX OS. The only thing different here is that now it's talking to Mac OS X, and I am just trying to get a handle on whether this is a PIX or Mac OS X problem.
Brian
On Nov 10, 2004, at 7:35 PM, Paul Stewart wrote:
> Yes... Happens to us when running mail servers behind PIX.. We end up
> turning off fixup on SMTP.. Perhaps better answer but that's what we
> always do
>
> Paul
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
> Sent: Wednesday, November 10, 2004 5:32 PM
> To: 'cisco-nsp at puck.nether.net'
> Subject: [c-nsp] PIX error using fixup smtp
>
> I have a PIX running 6.3(3) and it has fixup smtp enabled.
>
> When a remote client tries to send an unsupported command, such as EHLO, I am seeing the mail server drop the connection immediately. On the PIX the following is logged:
>
> pixfirewall# smtp_response: (192.168.1.9/25 -> 207.254.193.98/56062)
> smtp_cmd: (192.168.1.9/25 <- 207.254.193.98/56062)
> smtp_cmd: initial cmd = ehlo , enter reply mode
> smtp: nullify <ehlo > command
> smtp_response: (192.168.1.9/25 -> 207.254.193.98/56062)
> entering command mode
> out-of-order segment (192.168.1.9/25 -> 207.254.193.98/56062)
> received = 68131394, expected = 68131367
> pixfirewall# smtp_response: (192.168.1.9/25 -> 199.181.134.30/53591)
> smtp_cmd: (192.168.1.9/25 <- 199.181.134.30/53591)
> smtp_cmd: initial cmd = ehlo , enter reply mode
> smtp: nullify <ehlo > command
> smtp_response: (192.168.1.9/25 -> 199.181.134.30/53591)
> entering command mode
> out-of-order segment (192.168.1.9/25 -> 199.181.134.30/53591)
> received = 68136337, expected = 68136310
> smtp_cmd: (192.168.1.9/25 <- 199.181.134.30/53591)
> smtp_cmd: cmd = helo entering reply mode
> out-of-order segment (192.168.1.9/25 <- 199.181.134.30/53591)
> received = 3280724322, expected = 3280724291
> rollback next sequence 3280724322 by 31 bytes
> packet: <>
> out-of-order segment (192.168.1.9/25 <- 199.181.134.30/53591)
> received = 3280724322, expected = 3280724291
>
>
> The mail server software is 4D WebStar (runs on Mac OS X). Does anyone know of any issues with the PIX code that may be happening here? This is a PIX 501.
>
>
> Brian
>
>
>
> ------------------------------------------------------------------------
> Brian Feeny, CCIE #8036, CISSP e: signal at shreve.net
> Network Engineer p: 318.213.4709
> ShreveNet Inc. f: 318.221.6612
>
>
---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
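A simplified model of what the fixup in this thread does to an SMTP session, added here as an illustration (it is not Cisco's code and is not from either poster). It masks the banner to asterisks except the characters 2 and 0, overwrites any verb outside the RFC 821 minimal set with X characters so the server itself rejects it (the "nullify <ehlo >" step in the log), and shows the EHLO to HELO fallback; the unmasked banner text and the qmail-style server replies are constructed assumptions, and TCP sequencing is ignored entirely.

```python
# Simplified model of PIX 'fixup protocol smtp' (Mailguard), written for this
# page as an illustration. It is not Cisco's code and ignores TCP entirely.
RFC821_MINIMAL = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def mask_banner(banner: str) -> str:
    """Mask the server greeting the way the thread's transcript shows:
    everything after the reply code becomes '*' except the digits 2 and 0."""
    code, _, rest = banner.rstrip("\r\n").partition(" ")
    return code + " " + "".join(c if c in "20" else "*" for c in rest) + "\r\n"


def mailguard(cmd_line: str) -> str:
    """Rewrite one client command as the fixup does before forwarding it.
    A verb outside the RFC 821 minimal set is 'nullified': its bytes are
    overwritten with X (same length), so the server itself rejects it."""
    verb = cmd_line.split(" ", 1)[0].strip().upper()
    if verb in RFC821_MINIMAL:
        return cmd_line
    return "X" * len(cmd_line.rstrip("\r\n")) + "\r\n"


def mail_server(cmd_line: str) -> str:
    """Stand-in for the server behind the PIX; qmail-style replies (constructed)."""
    verb = cmd_line.split(" ", 1)[0].strip().upper()
    if verb in ("HELO", "EHLO"):
        return "250 mx02.shreve.net\r\n"
    if verb == "QUIT":
        return "221 mx02.shreve.net\r\n"
    return "502 unimplemented (#5.5.1)\r\n"


def session(client_cmds):
    """Drive the commands through the fixup. Like the client in the thread,
    fall back from EHLO to HELO when EHLO draws a 5xx. Returns the transcript
    as (side, line) pairs; the unmasked banner is an assumed value."""
    log = [("S", mask_banner("220 mx02.shreve.net ESMTP\r\n"))]
    for cmd in client_cmds:
        reply = mail_server(mailguard(cmd))
        log += [("C", cmd), ("S", reply)]
        if cmd.upper().startswith("EHLO") and reply.startswith("5"):
            fallback = "HELO" + cmd[4:]
            log += [("C", fallback), ("S", mail_server(mailguard(fallback)))]
    return log


if __name__ == "__main__":
    for side, line in session(["EHLO shreve.net\r\n", "QUIT\r\n"]):
        print(side, line.rstrip())
```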