[c-nsp] PIX error using fixup smtp

Dan Abernathy dabernathy at claytoncorp.com
Fri Nov 12 11:31:24 EST 2004


>Sending an EHLO to the mailserver, through fixup protocol 25 should not
>cause an error and the connection to be
>dropped. It should simply return "502 unimplemented (#5.5.1)".

Except that's not what happens, because the EHLO never makes it to the mail server. The PIX with smtp fixup turned on enforces a minimal command set, and it will change EHLO to NOOP before passing the traffic to the mail server. The server responds with "250 OK", which is interpreted by some clients as a confirmation that all is well and SMTP extensions are supported. It will try to use the extended features, which are blocked by the PIX.

Some sending mail systems will fall back to using HELO after receiving "OK" instead of the more detailed EHLO response, but many do not.

--
Dan Abernathy
Network Admin
Clayton Corporation
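
The exchange described in this message, modelled as an added example that is not part of the original post and is not PIX or mail-server code. It contrasts a client that trusts any 250 reply with one that checks for advertised extensions and falls back to HELO. Assumptions: the "minimal command set" is taken to be the RFC 821 minimum, and the host names and server replies are constructed.

```python
# Constructed model of the exchange in the post; not PIX or mail-server code.
# Assumption: the "minimal command set" is the RFC 821 minimum listed here.
MINIMAL = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def fixup(line):
    """Rewrite any command outside the minimal set to NOOP, as the post describes."""
    verb = line.split(" ", 1)[0].upper()
    return line if verb in MINIMAL else "NOOP"

def direct(line):
    """No firewall in the path: the command reaches the server unchanged."""
    return line

def server(line):
    """Toy ESMTP server with constructed replies (hypothetical host name)."""
    verb = line.split(" ", 1)[0].upper()
    if verb == "EHLO":
        return ["250-mail.example.test", "250-SIZE 10240000", "250 8BITMIME"]
    if verb == "HELO":
        return ["250 mail.example.test"]
    if verb == "NOOP":
        return ["250 OK"]
    return ["502 unimplemented (#5.5.1)"]

def extensions(reply):
    """Keywords advertised after the first line of a 250 EHLO reply."""
    if not reply or not all(l.startswith("250") for l in reply):
        return set()
    return {l[4:].split()[0].upper() for l in reply[1:] if l[4:].strip()}

def naive_greet(name, path):
    """Treats any 250 as proof that extensions are supported."""
    reply = server(path(f"EHLO {name}"))
    return "ESMTP" if reply[0].startswith("250") else "SMTP"

def careful_greet(name, path):
    """Uses ESMTP only when extensions were listed; otherwise falls back to HELO."""
    exts = extensions(server(path(f"EHLO {name}")))
    if exts:
        return "ESMTP", exts
    reply = server(path(f"HELO {name}"))
    return ("SMTP", set()) if reply[0].startswith("250") else ("FAIL", set())

if __name__ == "__main__":
    for label, path in (("direct", direct), ("via fixup", fixup)):
        print(label, naive_greet("client.example.test", path),
              careful_greet("client.example.test", path))
```

Through the modelled fixup, the naive client still selects ESMTP on the bare "250 OK", while the careful client finds no extension lines and completes a plain HELO.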




