[c-nsp] PIX error using fixup smtp

Brian Feeny signal at shreve.net
Fri Nov 12 16:51:13 EST 2004



Ryan,

Please don't pretend to know what you're talking about with regards to fixup smtp by jacking a reply of someone else who incorrectly stated what it was doing.

It doesn't send NOOP.  Let me clarify:

PIX 6.3(3) does NOT convert EHLO to NOOP before passing it to the server. It converts EHLO to XXXX, which rightfully results in a 502 (5.5.1) as per RFC821.

I did not come on the list asking some basic question on fixup because I don't understand how it works. Replying with "RTFM" or "it's broken" without qualifying your statement is not helpful. Mailguard is an SMTP filter; it handles all 7 SMTP commands just fine. It does not make any claims to handle ESMTP, and if you rely on ESMTP then you will be disappointed with Mailguard.

It is a feature nonetheless, and it is subject to having bugs, and I was just trying to get to the bottom of something I had found that I thought may be a bug. Then I start to get slammed by a few people coming out of the corners who think I somehow just discovered "fixup smtp" and they are going to give me an education in how it works.

If you think smtp fixup is supposed to handle ESMTP, converts EHLO to NOOP, or is supposed to drop a TCP connection on the floor when an unsupported command is entered, then please click "Next Message" on your mail client now. The amount of misinformation thrown around on this thread is enough to spoil it for others who google up the archive.

Brian


On Nov 12, 2004, at 3:14 PM, Hudson Delbert J Contr 61 CS/SCBN wrote:

> ryan,
>
> my point exactly.
>
> ~out
>
> -----Original Message-----
> From: Ryan O'Connell [mailto:ryan at complicity.co.uk]
> Sent: Friday, November 12, 2004 12:14 PM
> To: Brian Feeny
> Cc: Hudson Delbert J Contr 61 CS/SCBN; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX error using fixup smtp
>
>
> On 12/11/2004 16:06, Brian Feeny wrote:
>
>> Why what happens?  I can tell you, without exaggeration, I have read
>> and understand everything that is out there on fixup protocol 25/mailguard.
>>
>> Sending an EHLO to the mailserver through fixup protocol 25 should not
>> cause an error and the connection to be dropped.  It should simply
>> return "502 unimplemented (#5.5.1)".
>
>
> You might like to consider how the PIX is doing the fixup internally:
> packet lengths, and thus the TCP properties of a packet, are never
> changed. Rather, inappropriate content is substituted with something
> else, e.g. in the 220 message when the connection is set up, undesirable
> content is replaced with * characters. Similarly, inappropriate commands
> are replaced with NOOP (varies by version, but certainly on 5.1ish and
> later), which will generate a "200 OK" response from the mail server.
>
> Because of this, the PIX can *NOT* generate a 502 response itself.
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/fixup.htm#xtocid7
> explains what happens in 6.2.
>
> SMTP fixup is fundamentally broken. Do not use it.
>
> -- 
>          Ryan O'Connell - CCIE #8174
> <ryan at complicity.co.uk> - http://www.complicity.co.uk
>
> I'm not losing my mind, no I'm not changing my lines,
> I'm just learning new things with the passage of time
>
------------------------------------------------------------------------------
Brian Feeny, CCIE #8036, CISSP    	e: signal at shreve.net
Network Engineer           			p: 318.213.4709
ShreveNet Inc.             			f: 318.221.6612
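The mechanism the two messages above argue about, as an added toy model (not part of the original thread and not Cisco code): a fixup that overwrites a disallowed SMTP verb in place so the segment length never changes, and a minimal server behind it that answers the rewritten command. The allowed-verb set is the seven RFC 821 commands Cisco documents for Mailguard. Both substitutions mentioned in the thread (XXXX and NOOP) are a parameter, so the example shows what each one provokes from the server without deciding which PIX release does which. The banner masking, the "502 unimplemented (#5.5.1)" reply text, the sample session and the handling of verbs longer than four letters are all constructed here.

```python
"""Toy model of the PIX SMTP fixup (Mailguard) rewriting discussed above.

Constructed illustration, not Cisco code. It models the two things the
thread describes: (1) the fixup never changes a segment's length, it
overwrites bytes in place; (2) what the mail server then answers depends
on what the disallowed verb was overwritten with.
"""
import re

# Verbs Mailguard passes through (the "7 SMTP commands" of RFC 821 that
# Cisco documents for fixup protocol smtp).
MAILGUARD_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Verbs the toy server behind the firewall understands
# (assumption: a minimal server that also knows EHLO, VRFY, EXPN, HELP).
SERVER_VERBS = MAILGUARD_VERBS | {"EHLO", "VRFY", "EXPN", "HELP"}


def mask_banner(banner: str) -> str:
    """Star out the server greeting after the '220 ' code, length preserved.

    Models the PIX hiding the software/version string in the banner.
    """
    code, sep, rest = banner.partition(" ")
    body = rest.rstrip("\r\n")          # text to hide
    tail = rest[len(body):]             # keep the line terminator as-is
    return code + sep + "*" * len(body) + tail


def rewrite_command(line: str, filler: str = "XXXX") -> str:
    """Overwrite a disallowed verb in place; the returned line has the
    same length as the input, as a packet-level fixup must.

    filler is what a four-letter verb is replaced with: "XXXX" (the
    6.3(3) observation in the thread) or "NOOP" (what the reply attributes
    to earlier releases). Assumption: verbs whose length differs from the
    filler (ESMTP extensions such as STARTTLS) are blanked with 'X'
    characters of equal length.
    """
    m = re.match(r"([A-Za-z]+)(.*)", line, re.S)
    if not m:
        return line
    verb, rest = m.group(1), m.group(2)
    if verb.upper() in MAILGUARD_VERBS:
        return line
    sub = filler if len(verb) == len(filler) else "X" * len(verb)
    return sub + rest


def server_reply(line: str) -> str:
    """Toy server: 250 for verbs it knows, 502 otherwise (RFC 821 5.5.1)."""
    parts = line.split(None, 1)
    verb = parts[0].upper() if parts else ""
    if verb == "QUIT":
        return "221 closing connection\r\n"
    if verb in SERVER_VERBS:
        return "250 OK\r\n"
    return "502 unimplemented (#5.5.1)\r\n"


def run_exchange(client_lines, filler="XXXX"):
    """Return (sent_by_client, seen_by_server, server_reply) per command."""
    transcript = []
    for sent in client_lines:
        seen = rewrite_command(sent, filler)
        assert len(seen) == len(sent), "fixup must not change segment length"
        transcript.append((sent, seen, server_reply(seen)))
    return transcript


if __name__ == "__main__":
    # Constructed sample session: an ESMTP client behind the PIX.
    session = ["EHLO client.example.com\r\n", "VRFY root\r\n",
               "MAIL FROM:<a@example.com>\r\n", "QUIT\r\n"]
    print("S:", mask_banner("220 mx.example.com ESMTP Sendmail 8.12\r\n").rstrip())
    for filler in ("XXXX", "NOOP"):
        print(f"--- verb substitution: {filler}")
        for sent, seen, reply in run_exchange(session, filler):
            print("C:", sent.rstrip(), "| server sees:", seen.rstrip(),
                  "| S:", reply.rstrip())
```

Run it and the two transcripts show the point of contention directly: with XXXX the EHLO (and the VRFY) come back 502, with NOOP they come back 250, and in neither case does the firewall itself reply or the segment change size. Note that the model answers NOOP with 250, which is what RFC 821 specifies for it.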
