[c-nsp] PIX error using fixup smtp

Brian Feeny signal at shreve.net
Fri Nov 12 16:39:46 EST 2004


If you send EHLO test.com to a server protected by fixup smtp, it will  
convert this to "XXXX test.com".

This is not speculation, this is known by actually dumping the packet  
conversation and examining it.

A mail server will, and should, per RFC821, respond with 502 (5.5.1) or  
the like when it encounters such a command.

If it responded with 250, then yes, it would be broken in that respect.

Also realize, my message was simply pointing out a problem I was  
seeing, a low-level problem, in fixup smtp.

There is a large mis-/disinformation campaign out there on "fixup  
protocol" and that in itself bothers me.  It would seem  
that a lot of people out there confuse the terms SMTP and ESMTP, and  
somehow got it in their heads that fixup smtp had  
anything to do with ESMTP.

If you really think smtp fixup sends NOOP instead of EHLO you may want  
to check that, because that's at least not how  
current fixup does this.

Brian



On Nov 12, 2004, at 10:31 AM, Dan Abernathy wrote:

>> Sending an EHLO to the mailserver, thru fixup protocol 25 should not
>> cause an error and the connection to be
>> dropped.  It should simply return "502 unimplemented (#5.5.1)".
>
> Except that's not what happens, because the EHLO never makes it to the  
> mail server. The PIX with smtp fixup turned on enforces a minimal  
> command set, and it will change EHLO to NOOP before passing the  
> traffic to the mail server. The server responds with "250 OK", which  
> is interpreted by some clients as a confirmation that all is well and  
> SMTP extensions are supported. It will try to use the extended  
> features, which are blocked by the PIX.
>
> Some sending mail systems will fall back to using HELO after receiving  
> "OK" instead of the more detailed EHLO response, but many do not.
>
> --
> Dan Abernathy
> Network Admin
> Clayton Corporation
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
------------------------------------------------------------------------------
Brian Feeny, CCIE #8036, CISSP    	e: signal at shreve.net
Network Engineer           			p: 318.213.4709
ShreveNet Inc.             			f: 318.221.6612
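The two behaviours argued about above (EHLO rewritten to "XXXX", drawing a 502 and a HELO fallback, versus EHLO rewritten to NOOP, drawing a bare "250" that an ESMTP client may misread) can be walked through with a small simulation. This is an added example, not code from the original post or from Cisco; the proxy's allowed-command set, the stub server's replies, the hostnames and the extension list are all assumptions made up for the illustration.

```python
"""Simulated SMTP greeting through a command-filtering proxy.

Constructed illustration for the thread above, not PIX code and not taken
from the original post.  Assumptions: the proxy's allowed-command set, the
stub server's replies and the hostnames are all made up for the example.
"""
from typing import Optional, Dict, List, Tuple

# Commands the filter passes unchanged.  RFC 821 verbs; the real PIX list is
# not given in the post, so this set is an assumption.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "HELP", "VRFY"}

SERVER_NAME = "mail.example.test"                      # constructed hostname
SERVER_EXTENSIONS = ["SIZE 10485760", "8BITMIME", "PIPELINING"]  # constructed


def fixup_rewrite(line: str, policy: str) -> str:
    """Rewrite one client command line as a filtering proxy would.

    policy "xxxx": verbs outside ALLOWED become X's of the same length, so
                   "EHLO test.com" turns into "XXXX test.com" (the behaviour
                   Brian reports from his packet capture).
    policy "noop": verbs outside ALLOWED become NOOP (the behaviour Dan
                   describes in the quoted reply).
    """
    verb, sep, rest = line.partition(" ")
    if verb.upper() in ALLOWED:
        return line
    if policy == "xxxx":
        return "X" * len(verb) + sep + rest
    if policy == "noop":
        return "NOOP" + sep + rest
    raise ValueError("unknown policy: " + policy)


def server_reply(line: str) -> str:
    """Stub mail server: RFC 821 verbs plus EHLO; anything else gets 502."""
    verb = line.split(" ", 1)[0].upper()
    if verb == "EHLO":
        lines = ["250-" + SERVER_NAME] + ["250-" + e for e in SERVER_EXTENSIONS[:-1]]
        lines.append("250 " + SERVER_EXTENSIONS[-1])
        return "\r\n".join(lines)
    if verb in ("HELO", "NOOP", "RSET"):
        return "250 " + SERVER_NAME
    if verb in ALLOWED:
        return "250 OK"
    return "502 unimplemented (#5.5.1)"


def client_greet(domain: str, policy: Optional[str]) -> Dict:
    """Run the greeting phase of an ESMTP client, optionally through the proxy.

    The client sends EHLO first and, on a 5xx reply, falls back to HELO as
    RFC 1869 requires.  A 250 reply to EHLO is taken as ESMTP support and
    its continuation lines are parsed as the extension list.
    """
    transcript: List[Tuple[str, str, str]] = []   # (sent, on the wire, reply)

    def send(cmd: str) -> str:
        wire = cmd if policy is None else fixup_rewrite(cmd, policy)
        reply = server_reply(wire)
        transcript.append((cmd, wire, reply))
        return reply

    reply = send("EHLO " + domain)
    if reply.startswith("250"):
        # Under the NOOP policy this list comes back empty, yet the client
        # still believes it is talking ESMTP: that is the failure Dan describes.
        extensions = [l[4:] for l in reply.split("\r\n")[1:]]
        return {"esmtp": True, "extensions": extensions, "transcript": transcript}
    # 5xx on EHLO: whatever answered is not ESMTP, so fall back to HELO.
    reply = send("HELO " + domain)
    return {"esmtp": False, "extensions": [],
            "greeted": reply.startswith("250"), "transcript": transcript}


if __name__ == "__main__":
    for policy in (None, "xxxx", "noop"):
        result = client_greet("test.com", policy)
        print("policy=%s esmtp=%s extensions=%s"
              % (policy, result["esmtp"], result["extensions"]))
        for sent, wire, reply in result["transcript"]:
            print("  C> %-14s wire: %-14s S> %s"
                  % (sent, wire, reply.replace("\r\n", " | ")))
```

Run it as a script and the three transcripts show the difference: with no proxy the client sees the full extension list; under the "xxxx" policy the server answers 502 and the client recovers by sending HELO; under the "noop" policy the server answers 250, the client records ESMTP support with no extension list, and anything it attempts from that point would be hitting the filter.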

