[c-nsp] PIX error using fixup smtp

Hudson Delbert J Contr 61 CS/SCBN Delbert.Hudson at LOSANGELES.AF.MIL
Fri Nov 12 16:14:10 EST 2004


ryan,

my point exactly.

~out

-----Original Message-----
From: Ryan O'Connell [mailto:ryan at complicity.co.uk]
Sent: Friday, November 12, 2004 12:14 PM
To: Brian Feeny
Cc: Hudson Delbert J Contr 61 CS/SCBN; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX error using fixup smtp


On 12/11/2004 16:06, Brian Feeny wrote:

> Why what happens?  I can tell you, without exaggeration, I have read,  
> and understand everything that is out there
> on fixup protocol 25/mailguard.
>
> Sending a EHLO to the mailserver, thru fixup protocol 25 should not  
> cause an error and the connection to be
> dropped.  It should simply return "502 unimplemented (#5.5.1)".


You might like to consider how the PIX is doing the fixup internally - 
packet lengths, and thus the TCP properties of a packet, are never 
changed. Rather, inappropriate content is substituted with something 
else, e.g. in the 220 message when the connection is set up, undesirable 
content is replaced with * characters. Similarly, inappropriate commands 
are replaced with NOOP (varies by version, but certainly on 5.1ish and 
later), which will generate a "200 OK" response from the mail server.

Because of this, the PIX can *NOT* generate a 502 response itself.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/fixup.htm#xtocid7
explains what happens in 6.2.

SMTP fixup is fundamentally broken. Do not use it.

-- 
         Ryan O'Connell - CCIE #8174
<ryan at complicity.co.uk> - http://www.complicity.co.uk

I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time
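The in-place rewriting Ryan describes (same packet length, offending bytes overwritten, the server answering the substituted command) can be modelled in a few lines. This is an added illustrative model, not Cisco's code and not from the thread; the RFC 821 minimum command set and the space-padding rule for verbs longer than four bytes are assumptions.

```python
"""Model of the in-place rewriting that 'fixup protocol smtp' (Mailguard) is
described as doing: the byte length of every line is preserved, so TCP
sequence numbers stay valid, and the mail server, not the PIX, answers
whatever command survives the rewrite. Educational model, not Cisco code."""

# Assumed pass-through set: the RFC 821 minimum commands.
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def _split_crlf(line: str):
    body = line.rstrip("\r\n")
    return body, line[len(body):]


def mask_banner(banner: str) -> str:
    """Keep the 3-digit reply code and its space; overwrite the banner text
    (hostname, software name, version) with '*'. Length is unchanged."""
    body, crlf = _split_crlf(banner)
    if len(body) < 4 or not body[:3].isdigit():
        return banner  # not a reply line; leave it alone
    return body[:4] + "*" * (len(body) - 4) + crlf


def rewrite_command(line: str) -> str:
    """Overwrite a verb outside ALLOWED_VERBS with NOOP, keeping the length.
    Verbs longer than four bytes are space-padded (assumed padding rule);
    verbs shorter than four bytes cannot hold NOOP and are left for the
    server to reject."""
    body, crlf = _split_crlf(line)
    verb, sep, args = body.partition(" ")
    if verb.upper() in ALLOWED_VERBS or len(verb) < 4:
        return line
    return "NOOP".ljust(len(verb)) + sep + args + crlf


def rewrite_session(client_lines):
    """Apply the rewrite to each client line; report (sent, forwarded, changed)
    so a capture on the inside interface can be compared with the outside."""
    return [(l, rewrite_command(l), rewrite_command(l) != l) for l in client_lines]


if __name__ == "__main__":
    # Constructed sample session: an ESMTP client greeting a server behind the PIX.
    print(mask_banner("220 mx.example.com ESMTP Postfix\r\n"))
    for sent, fwd, changed in rewrite_session(
        ["EHLO client.example.org\r\n", "MAIL FROM:<a@example.org>\r\n", "STARTTLS\r\n"]
    ):
        print(repr(sent), "->", repr(fwd), "(rewritten)" if changed else "")
```

The EHLO line reaches the server as a NOOP of identical length, which is why the client sees a NOOP reply rather than the 502 it would get from a server that had actually been asked for EHLO.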
