[c-nsp] PIX error using fixup smtp
Hudson Delbert J Contr 61 CS/SCBN
Delbert.Hudson at LOSANGELES.AF.MIL
Fri Nov 12 16:14:10 EST 2004
ryan,
my point exactly.
~out
-----Original Message-----
From: Ryan O'Connell [mailto:ryan at complicity.co.uk]
Sent: Friday, November 12, 2004 12:14 PM
To: Brian Feeny
Cc: Hudson Delbert J Contr 61 CS/SCBN; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX error using fixup smtp
On 12/11/2004 16:06, Brian Feeny wrote:
> Why what happens? I can tell you, without exaggeration, I have read
> and understand everything that is out there on fixup protocol 25/mailguard.
>
> Sending an EHLO to the mailserver through fixup protocol 25 should not
> cause an error and the connection to be dropped. It should simply
> return "502 unimplemented (#5.5.1)".
You might like to consider how the PIX is doing the fixup internally -
packet lengths, and thus the TCP properties of a packet, are never
changed. Rather, inappropriate content is substituted with something
else, e.g. in the 220 message when the connection is set up, undesirable
content is replaced with * characters. Similarly, inappropriate commands
are replaced with NOOP (varies by version, but certainly on 5.1ish and
later), which will generate a "200 OK" response from the mail server.
Because of this, the PIX can *NOT* generate a 502 response itself.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/fixup.htm#xtocid7
explains what happens in 6.2.
SMTP fixup is fundamentally broken. Do not use it.
--
Ryan O'Connell - CCIE #8174
<ryan at complicity.co.uk> - http://www.complicity.co.uk
I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time
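As an added illustration (example code, not part of the thread and not Cisco's implementation), the following Python simulates the in-place rewriting Ryan describes: the client's verb is overwritten with NOOP and the 220 banner with asterisks, byte lengths unchanged, so the only reply the client can ever see comes from the real server. The permitted verb set, the toy server's replies and all host names are assumptions.

```python
# Constructed simulation of PIX Mailguard rewriting; not Cisco code.
# Assumption: the permitted verb set is the RFC 821 minimum that
# Mailguard is documented to enforce.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def fixup_client_line(line: str) -> str:
    """Rewrite one client line the way the fixup does: a verb outside the
    allowed set is overwritten in place with NOOP (4 bytes, like EHLO), so
    the segment length and TCP sequence numbers are untouched.  Nothing
    here can emit a 502; only the real server answers."""
    if line[:4].upper() in ALLOWED:
        return line
    return "NOOP" + line[4:]


def fixup_server_banner(line: str) -> str:
    """Mask the 220 greeting: every character after the reply code becomes
    '*', again with the line length preserved."""
    if not line.startswith("220"):
        return line
    return line[:4] + "".join(c if c in "\r\n" else "*" for c in line[4:])


def looks_masked_by_mailguard(banner: str) -> bool:
    """Admin diagnostic: a greeting that is nothing but asterisks after the
    code means a fixup sits in the mail path and EHLO will be rewritten."""
    body = banner[4:].rstrip("\r\n")
    return banner.startswith("220") and bool(body) and set(body) == {"*"}


def toy_mail_server(line: str) -> str:
    """Minimal ESMTP-aware server (assumed replies) showing what the client observes."""
    verb = line[:4].upper()
    if verb == "EHLO":
        return "250 mail.example.test\r\n"   # extensions would follow
    if verb == "QUIT":
        return "221 Bye\r\n"
    if verb in ALLOWED:
        return "250 OK\r\n"
    return "502 unimplemented (#5.5.1)\r\n"


def exchange(client_lines):
    """Pass each client line through the fixup and collect the replies the
    client sees: EHLO becomes NOOP and gets 250 OK, never a 502."""
    return [toy_mail_server(fixup_client_line(line)) for line in client_lines]


if __name__ == "__main__":
    print(fixup_server_banner("220 mail.example.test ESMTP Postfix\r\n"), end="")
    for reply in exchange(["EHLO client.example.test\r\n", "QUIT\r\n"]):
        print(reply, end="")
```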