[c-nsp] PIX causing problems with TLS esmtp session

Matthew Huff mhuff at ox.com
Fri Feb 27 16:06:35 EST 2009


Set up an access list with the hosts in it and port 25. Use the capture
command to set up a capture on both interfaces. See which side is sending the
reset (the real host, or the firewall).

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Steven Pfister
> Sent: Friday, February 27, 2009 4:00 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX causing problems with TLS esmtp session
> 
> There is one particular outside mail server we're having trouble
> sending to. Basically, our server (Groupwise) does an EHLO, and the
> other server offers STARTTLS. Our server sends a STARTTLS, sends a few
> bytes of encrypted data, and then the other server sends a RST.
> 
> If we try a test server outside the PIX, everything is fine.
> 
> I've looked at "no fixup protocol smtp 25" and "no inspect esmtp" and
> those already seem to be in place.
> 
> Could the pix be doing something with the certificate? Could esmtp
> inspection still be on?
> 
> Thanks!
> 
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
> 
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
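
The capture procedure suggested in the reply above, written out as an added example (not part of either poster's message). The interface names `inside` and `outside`, the ACL and capture names, and all addresses are assumptions: 192.0.2.10 stands for the internal mail server, 203.0.113.10 for its translated address on the outside, and 198.51.100.25 for the remote mail server.

```cisco
! Constructed example: substitute your own addresses and interface names.
! Each ACL matches both directions of the SMTP session so replies and
! resets from the remote server are captured too.

! Traffic as seen on the inside interface (real address of the mail server)
access-list cap_in permit tcp host 192.0.2.10 host 198.51.100.25 eq 25
access-list cap_in permit tcp host 198.51.100.25 eq 25 host 192.0.2.10

! Traffic as seen on the outside interface (translated address, if NAT is used)
access-list cap_out permit tcp host 203.0.113.10 host 198.51.100.25 eq 25
access-list cap_out permit tcp host 198.51.100.25 eq 25 host 203.0.113.10

! One capture per interface, each bound to its ACL
capture smtp_in access-list cap_in interface inside
capture smtp_out access-list cap_out interface outside

! Reproduce the failed delivery, then compare the two captures and
! look for the packet flagged R (RST) after STARTTLS
show capture smtp_in
show capture smtp_out

! Stop capturing and free the buffers when done, then remove the two ACLs
no capture smtp_in
no capture smtp_out
```

If the RST from 198.51.100.25 shows up in both captures, it arrived from beyond the firewall; if it appears only in the inside capture, the firewall generated it.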