[c-nsp] PIX causing problems with TLS esmtp session

Eloy Paris elparis at cisco.com
Fri Feb 27 16:22:34 EST 2009


On Fri, Feb 27, 2009 at 04:06:35PM -0500, Matthew Huff wrote:

> Set up an access list with the hosts in it and port 25. Use the capture
> command to set up a capture on both interfaces. See which side is sending the
> reset (the real host, or the firewall).

Agreed; this is a great way to start troubleshooting.

You could also look at the syslog messages generated by the PIX to see
why the connection (on the PIX) is terminating.

Cheers,

Eloy Paris.-
Cisco PSIRT

> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Steven Pfister
> > Sent: Friday, February 27, 2009 4:00 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] PIX causing problems with TLS esmtp session
> > 
> > There is one particular outside mail server we're having trouble
> > sending to. Basically, our server (Groupwise) does an EHLO, and the
> > other server offers STARTTLS. Our server sends a STARTTLS, sends a few
> > bytes of encrypted data, and then the other server sends a RST.
> > 
> > If we try a test server outside the PIX, everything is fine.
> > 
> > I've looked at "no fixup protocol smtp 25" and "no inspect esmtp" and
> > those already seem to be in place.
> > 
> > Could the pix be doing something with the certificate? Could esmtp
> > inspection still be on?
> > 
> > Thanks!
> > 
> > Steve Pfister
> > Technical Coordinator,
> > The Office of Information Technology
> > Dayton Public Schools
> > 115 S. Ludlow St.
> > Dayton, OH 45402
> > 
> > Office (937) 542-3149
> > Cell (937) 673-6779
> > Direct Connect: 137*131747*8
> > Email spfister at dps.k12.oh.us
> > 
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

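The two-interface capture that Matthew recommends and the syslog check Eloy adds, written out as PIX 7.x/ASA-style CLI. This is an added example, not commands from the thread: the host addresses, the access-list name and the capture names are constructed placeholders, and the inspection checks assume the 7.x+ policy-map syntax rather than the older `fixup protocol` form.

```cisco
! Match SMTP traffic between the internal mail server and the remote MX in both
! directions (10.0.0.25 and 203.0.113.25 are constructed placeholders, not real hosts)
access-list SMTP-CAP extended permit tcp host 10.0.0.25 host 203.0.113.25 eq smtp
access-list SMTP-CAP extended permit tcp host 203.0.113.25 eq smtp host 10.0.0.25

! One capture per interface so the two can be compared packet by packet
capture smtp-inside interface inside access-list SMTP-CAP
capture smtp-outside interface outside access-list SMTP-CAP

! Reproduce the failed STARTTLS delivery from the mail server, then inspect both captures
show capture smtp-inside
show capture smtp-outside

! Check whether the firewall logged a reason for tearing the connection down
show logging | include 203.0.113.25

! Confirm ESMTP inspection really is off for this traffic
show service-policy inspect esmtp
show running-config policy-map

! Remove the captures once the comparison is done
no capture smtp-inside
no capture smtp-outside
```

Reading the result: a RST that appears in the outside capture first was sent by the remote host and merely forwarded; a RST that shows up in the inside capture with no matching packet on the outside was generated by the firewall itself, and the `show logging` output should then name the reason (for example an inspection engine rejecting the session, which would also show up as a non-zero drop count under `show service-policy inspect esmtp`).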
