Ironport E-mail C380 - SMTP Reverse DNS Mismatch

rsoave
Level 1

Hi all,

I changed an old Iron Port appliance from my cluster (a C150 to C380), making a cluster with a current C170 appliance.

All the appliances are with the same AsyncOS version and I could get the cluster up and running, so far, so good.

In order to test the e-mail, I use mxtoolbox, and to my surprise, whenever I test the second box's hostname, I get the following message:

220 **************************

SMTP Reverse DNS Mismatch Warning - Reverse DNS does not match SMTP Banner

It's weird, because all the configurations were inherited by the C170 primary box.

Does anybody know what's going on? What do I need to change on the ESA or even in my infrastructure to solve this problem?

Accepted Solutions

Robert Sherwin
Cisco Employee

There are a number of firewalls and SMTP proxy services available that provide features meant to protect servers from exploit. Some of these methods of protection can impede ESMTP services such as TLS and SMTP Authentication.

Services, such as TLS and SMTP Authentication, use ESMTP (Extended SMTP) commands. In order to access the ESMTP command set, the EHLO command must reach the receiving server. Some firewall and proxy security features will block or modify the EHLO command in transit. When the security device does not allow EHLO, no ESMTP services will be available. In this case, only the SMTP commands specified in RFC 821 section 4.5.1 are allowed on a mail server. 

These are: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. No ESMTP commands are available.

Another security feature used by these devices is SMTP banner modification. In order to hide the type and version of the protected mail server, some devices will obscure all but the 220 portion of the banner that is required for communication. The banner will often appear similar to: 
220************* 

Part of the information being hidden is the ESMTP advertisement in the banner. When this advertisement is removed, a sending server will not be aware that ESMTP commands are accepted. 

In summary, firewalls and SMTP proxy servers may block EHLO commands and hide ESMTP banner advertisements. When these security measures are in place, ESMTP commands may not be accessible. To ensure that other hosts can communicate with your IronPort appliance using ESMTP, you may need to disable these security features on your security device.

I hope this helps!

-Robert

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
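
An added example, not part of the original post or of any Cisco tooling: a Python check that reads an SMTP greeting and EHLO reply and flags the symptoms described in the answer above (masked banner, missing ESMTP advertisement, rejected EHLO). The two sessions, the host name `mail2.example.com`, the finding labels, and the rule that the first banner token should equal the PTR name are assumptions made for illustration.

```python
# Constructed sample sessions (not captured from a real host): (banner, EHLO reply, PTR name).
MASKED_SESSION = ("220 **************************",
                  ["500 5.5.1 Command unrecognized"], "mail2.example.com")
CLEAN_SESSION = ("220 mail2.example.com ESMTP",
                 ["250-mail2.example.com", "250-8BITMIME", "250-STARTTLS",
                  "250 AUTH PLAIN LOGIN"], "mail2.example.com")

def diagnose(banner, ehlo_reply, ptr_name):
    """Report signs that a device in the path rewrote the greeting or blocked EHLO."""
    findings = []
    text = banner[3:].lstrip(" -").strip()
    if not banner.startswith("220"):
        findings.append("no-220-greeting")
    if text and set(text) <= {"*", " "}:
        findings.append("banner-masked")
    # Assumed rule: first banner token should equal the reverse DNS (PTR) name.
    tokens = text.split()
    host = tokens[0].rstrip(".").lower() if tokens else ""
    if host != ptr_name.rstrip(".").lower():
        findings.append("banner-rdns-mismatch")
    if "ESMTP" not in text.upper():
        findings.append("no-esmtp-advertisement")
    # EHLO must be answered with 250; a 5xx reply leaves only the basic SMTP commands.
    accepted = bool(ehlo_reply) and ehlo_reply[0].startswith("250")
    extensions = set()
    if accepted:
        for line in ehlo_reply[1:]:  # first line is the server's greeting domain
            parts = line[4:].split()
            if line.startswith("250") and parts:
                extensions.add(parts[0].upper())
        for needed in ("STARTTLS", "AUTH"):
            if needed not in extensions:
                findings.append(needed.lower() + "-not-offered")
    else:
        findings.append("ehlo-rejected")
    return {"findings": findings, "extensions": sorted(extensions)}

if __name__ == "__main__":
    for name, session in (("masked", MASKED_SESSION), ("clean", CLEAN_SESSION)):
        print(name, diagnose(*session))
```

Running the same check against a capture taken from inside the network and one taken from outside shows whether the appliance or a device in front of it produces the masked greeting.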
