[c-nsp] PIX error using fixup smtp

Mike Sawicki fifi at HAX.ORG
Wed Nov 10 20:56:05 EST 2004


On Wed, Nov 10, 2004 at 07:47:05PM -0600, Brian Feeny wrote:
> 
> 
> But it shouldn't happen.  Normal behavior of Mailguard/fixup 25 is:
> 
> Brians-G5:~ brianfeeny$ telnet mail.shreve.net 25
> Trying 207.254.192.4...
> Connected to mercury.shreve.net.
> Escape character is '^]'.
> 220 **02*****************
> EHLO shreve.net
> 502 unimplemented (#5.5.1)
> HELO shreve.net
> 250 mx02.shreve.net
> 
> The PIX doesn't allow things like EHLO, so the client uses HELO, and  
> life goes on.  And regardless
> of the action taken by the client, this is not a client problem.
> 
> In the "broken" scenario I am talking about the connection is severed,  
> and there is a tcp sequencing
> error seen on the pix.  This problem is most likely IMHO a bug in the  
> PIX or the OS X tcp stack.
> 
> We run tens of thousands of email accounts behind fixup 25, we have  
> done this with Qmail/sendmail, and
> other mail servers with no problem.  All of them on linux (x86).  We  
> use 6.3(3) of the PIX os.  The only thing
> different here is that now its talking to Mac OS X, and I am just  
> trying to get a handle on whether this is a
> PIX or Mac OS X problem.
> 
> Brian
> 
> On Nov 10, 2004, at 7:35 PM, Paul Stewart wrote:
> 
> >Yes... Happens to us when running mail servers behind PIX.. We end up
> >turning off fixup on SMTP.. Perhaps better answer but that's what we
> >always do
> >
> >Paul
> >
> >
> >-----Original Message-----
> >From: cisco-nsp-bounces at puck.nether.net
> >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
> >Sent: Wednesday, November 10, 2004 5:32 PM
> >To: 'cisco-nsp at puck.nether.net'
> >Subject: [c-nsp] PIX error using fixup smtp
> >
> >
> >
> >
> >I have a PIX running 6.3(3) and it has fixup smtp enabled.
> >
> >When a remote client tries to send an unsupported command, such as
> >EHLO, i am seeing
> >the mailserver drop the connection immediately.  On the pix the
> >following is logged:
> >
> >pixfirewall# smtp_response: (192.168.1.9/25 -> 207.254.193.98/56062)
> >smtp_cmd: (192.168.1.9/25 <- 207.254.193.98/56062)
> >         smtp_cmd: initial cmd = ehlo , enter reply mode
> >         smtp: nullify <ehlo > command
> >smtp_response: (192.168.1.9/25 -> 207.254.193.98/56062)
> >         entering command mode
> >out-of-order segment (192.168.1.9/25 -> 207.254.193.98/56062)
> >          received = 68131394, expected = 68131367
> >pixfirewall# smtp_response: (192.168.1.9/25 -> 199.181.134.30/53591)
> >smtp_cmd: (192.168.1.9/25 <- 199.181.134.30/53591)
> >         smtp_cmd: initial cmd = ehlo , enter reply mode
> >         smtp: nullify <ehlo > command
> >smtp_response: (192.168.1.9/25 -> 199.181.134.30/53591)
> >         entering command mode
> >out-of-order segment (192.168.1.9/25 -> 199.181.134.30/53591)
> >          received = 68136337, expected = 68136310
> >smtp_cmd: (192.168.1.9/25 <- 199.181.134.30/53591)
> >         smtp_cmd: cmd = helo  entering reply mode
> >out-of-order segment (192.168.1.9/25 <- 199.181.134.30/53591)
> >          received = 3280724322, expected = 3280724291
> >         rollback next sequence 3280724322 by 31 bytes
> >         packet: <>
> >out-of-order segment (192.168.1.9/25 <- 199.181.134.30/53591)
> >          received = 3280724322, expected = 3280724291
> >
> >
> >The Mail server software is 4D WebStar (runs on mac osx).  Does anyone
> >know of any issues with the pix code
> >that may be happening here?  This is a PIX501.
> >
> >

OK, make that one.  :)

Sorry for the quick snappy response, but I was rather excited about
this feature when we first deployed our PIXes last year (also with
6.3(3)).  It wound up turning into a very frustrating day once we
discovered that it seemed to introduce a portability problem.  We
run a very standard Sendmail-on-Linux setup and about 1/2 of our
mail was bouncing that day.

For what it's worth, I'm just not sure how necessary the smtp fixup
is when properly configured mail servers are running.

Glad to hear this works for you guys.
-- 
Mike Sawicki (fifi at HAX.ORG)
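The Mailguard behaviour shown in Brian's quoted telnet test (banner masked to asterisks, EHLO answered with a 5xx, client falling back to HELO) and the failure mode Mike describes (clients that do not fall back, so mail bounces) can be modeled in a few lines. The script below is an added example written for this page; it is not code from the thread, from Cisco or from 4D WebStar. The allowed-command set, the overwriting of disallowed verbs with "X" characters and the banner masking rule are my assumptions drawn from Cisco's Mailguard documentation, and the server, client and banner text are constructed stand-ins.

```python
"""Model of PIX 'fixup protocol smtp' (Mailguard) as seen in the thread.

Assumptions (not from the thread): Mailguard passes only the RFC 821 minimum
command set, overwrites any other verb with 'X' characters of the same length
(so segment sizes are preserved), and masks the 220 banner text with asterisks,
keeping the digits '2' and '0'. The server and clients below are fakes.
"""

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

BANNER = "220 mx02.shreve.net ESMTP"   # constructed; hostname taken from the thread


def mask_banner(banner: str) -> str:
    """Mask the greeting the way Mailguard does: code kept, text -> '*' except '2'/'0'."""
    code, sep, text = banner.partition(" ")
    if code != "220":
        return banner
    return code + sep + "".join(ch if ch in "20" else "*" for ch in text)


def filter_command(line: str) -> tuple[str, bool]:
    """Return (what the server receives, nullified?) for one client command line."""
    verb, sep, rest = line.partition(" ")
    if verb.upper() in ALLOWED:
        return line, False
    return "X" * len(verb) + sep + rest, True


def fake_server(line: str) -> str:
    """Minimal stand-in for the protected mail server (constructed, not 4D WebStar)."""
    verb = line.split(" ", 1)[0].upper()
    if verb == "EHLO":
        return "250-mx02.shreve.net\r\n250 STARTTLS"   # extensions, only reachable without fixup
    if verb == "HELO":
        return "250 mx02.shreve.net"
    if verb == "QUIT":
        return "221 mx02.shreve.net"
    return "502 unimplemented (#5.5.1)"               # what the 'XXXX' line provokes


def run_session(domain: str, fixup: bool, fallback_to_helo: bool) -> list[tuple[str, str, str]]:
    """Drive a client through the (optional) fixup; return (sent, server_saw, reply) rows.

    fallback_to_helo=True models a client that retries with HELO after a 5xx to EHLO,
    as in Brian's telnet test; False models a client that gives up (Mike's bounced mail).
    """
    transcript = []
    banner = mask_banner(BANNER) if fixup else BANNER
    transcript.append(("", "", banner))

    def send(line: str) -> str:
        seen, _ = filter_command(line) if fixup else (line, False)
        reply = fake_server(seen)
        transcript.append((line, seen, reply))
        return reply

    reply = send(f"EHLO {domain}")
    if reply.startswith("5"):
        if not fallback_to_helo:
            transcript.append((f"<client aborts after {reply.split()[0]}>", "", ""))
            return transcript
        send(f"HELO {domain}")
    send("QUIT")
    return transcript


def greeting_succeeded(transcript: list[tuple[str, str, str]]) -> bool:
    """True if the client got a 250 to its HELO or EHLO, i.e. mail could proceed."""
    return any(sent.split(" ")[0] in ("HELO", "EHLO") and reply.startswith("250")
               for sent, _, reply in transcript)


if __name__ == "__main__":
    for fixup, fallback in ((True, True), (True, False), (False, False)):
        print(f"--- fixup={fixup} client_falls_back={fallback}")
        for sent, seen, reply in run_session("shreve.net", fixup, fallback):
            print(f"C: {sent:<26} PIX->S: {seen:<18} S: {reply}")
```

Run it directly to see the three cases side by side: with fixup and a well-behaved client the EHLO is rewritten to "XXXX shreve.net", the server answers 502, and the client proceeds with HELO; with fixup and a client that does not retry, the session ends at the 502; without fixup the EHLO reaches the server and its extension list comes back. The model deliberately ignores the TCP sequence bookkeeping Mailguard has to do when it rewrites and answers on the server's behalf, which is what the "out-of-order segment" and "rollback next sequence ... by 31 bytes" lines in Brian's PIX log are about. Note the trade-off the model makes visible: because EHLO never reaches the server, no ESMTP extension (STARTTLS, AUTH, SIZE) is usable through a Mailguard-protected MX.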

