[c-nsp] PIX error using fixup smtp

Ryan O'Connell ryan at complicity.co.uk
Fri Nov 12 15:14:06 EST 2004


On 12/11/2004 16:06, Brian Feeny wrote:

> Why what happens?  I can tell you, without exaggeration, I have read,
> and understand everything that is out there
> on fixup protocol 25/mailguard.
>
> Sending an EHLO to the mailserver, thru fixup protocol 25 should not
> cause an error and the connection to be
> dropped.  It should simply return "502 unimplemented (#5.5.1)".


You might like to consider how the PIX is doing the fixup internally - 
packet lengths, and thus the TCP properties of a packet are never 
changed. Rather, inappropriate content is substituted with something 
else, e.g. in the 220 message when the connection is set up, undesirable 
content is replaced with * characters. Similarly, inappropriate commands 
are replaced with NOOP (varies by version, but certainly on 5.1ish and 
later) which will generate a "200 OK" response from the mail server.

Because of this, the PIX can *NOT* generate a 502 response itself.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/fixup.htm#xtocid7 
explains what happens in 6.2.

SMTP fixup is fundamentally broken. Do not use it.

-- 
         Ryan O'Connell - CCIE #8174
<ryan at complicity.co.uk> - http://www.complicity.co.uk

I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time
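The point Ryan makes above (a fixup that only overwrites bytes in flight can never change segment lengths, so it cannot synthesise its own 502 reply) can be illustrated with a small model. This is an added example, not PIX code and not from the original thread; the allowed-command list, the padding rule for verbs that are not four bytes long, and the fake server replies are assumptions chosen to mirror the behaviour the post describes (disallowed commands become NOOP, the 220 banner text becomes asterisks).

```python
"""Model of an in-line, length-preserving SMTP fixup (constructed example).

The rewriter may overwrite bytes inside a TCP segment but never change the
segment length, which is why it cannot inject a reply of its own such as
"502 unimplemented". Everything below is an assumption-based model of the
behaviour described in the post, not the PIX implementation.
"""

# Assumed allow-list of SMTP verbs the fixup lets through unchanged.
ALLOWED = {b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}


def _split_line(line: bytes):
    """Separate the command body from its trailing line terminator."""
    body = line.rstrip(b"\r\n")
    return body, line[len(body):]


def fixup_client_line(line: bytes) -> bytes:
    """Rewrite one client command line without changing its length.

    A disallowed 4-byte verb is overwritten with NOOP in place; a disallowed
    verb of any other length has its whole body overwritten with NOOP padded
    by spaces (assumed rule, chosen only to keep the byte count identical).
    """
    body, eol = _split_line(line)
    verb = body.split(b" ", 1)[0]
    if verb.upper() in ALLOWED:
        return line
    if len(verb) == 4:
        rewritten = b"NOOP" + body[4:]
    elif len(body) >= 4:
        rewritten = b"NOOP" + b" " * (len(body) - 4)
    else:
        rewritten = b"X" * len(body)  # malformed, too short to hold NOOP
    assert len(rewritten) == len(body)  # the invariant the post describes
    return rewritten + eol


def fixup_server_banner(line: bytes) -> bytes:
    """Mask the text of a 220 greeting with '*' characters, keeping length."""
    body, eol = _split_line(line)
    if not body.startswith(b"220 "):
        return line
    return b"220 " + b"*" * (len(body) - 4) + eol


def fake_server_reply(cmd: bytes) -> bytes:
    """A constructed mail server: the reply the real server would send."""
    verb = _split_line(cmd)[0].split(b" ", 1)[0].upper()
    if verb == b"EHLO":
        return b"502 unimplemented (#5.5.1)\r\n"  # the reply Brian expected
    if verb in ALLOWED:
        return b"250 OK\r\n"
    return b"500 unrecognized command\r\n"


def exchange(client_line: bytes, with_fixup: bool = True):
    """Return (bytes that reach the server, reply the client gets back)."""
    on_wire = fixup_client_line(client_line) if with_fixup else client_line
    return on_wire, fake_server_reply(on_wire)


if __name__ == "__main__":
    print(fixup_server_banner(b"220 mail.example.net ESMTP Postfix\r\n"))
    for fixup in (False, True):
        wire, reply = exchange(b"EHLO mail.example.net\r\n", fixup)
        print(f"fixup={fixup}: server saw {wire!r}, client got {reply!r}")
```

Run it and the difference is visible at once: without the fixup the client's EHLO reaches the server and earns the 502 that the thread expected; with the fixup the server only ever sees a NOOP of identical length and answers 250, so the client is left believing its EHLO succeeded while no extensions were advertised, which is the kind of confusion that makes a client give up on the session.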


