Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3082
Views
0
Helpful
1
Replies

Ironport E-mail C380 - SMTP Reverse DNS Mismatch

Go to solution
rsoave
Level 1
Level 1

‎08-09-2014 05:59 PM

Hi all,

I changed an old Iron Port appliance from my cluster (a C150 to C380), making a cluster with a current C170 appliance.

All the appliances are with the same AsyncOS version and I could get the cluster up and running, so far, so good.

In order to test the e-mail, I use the mxtoolbox, and for my surprise, whenever I test the second box hostname, I get the following message:

220 **************************

SMTP Reverse DNS MismatchWarning - Reverse DNS does not match SMTP Banner

Is weird, because all the configurations were inherited by the C170 primary box.

Anybody knows what´s is going on? what I need to change on ESA or even in my infrastructure to solve this problem?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Robert Sherwin
Cisco Employee
Cisco Employee

‎08-11-2014 09:40 AM

There are a number of firewalls and SMTP proxy services available that provide features meant to protect servers from exploit. Some of these methods of protection can impede ESMTP services such as TLS and SMTP Authentication.

Services, such as TLS and SMTP Authentication, use ESMTP (Extended SMTP) commands. In order to access the ESMTP command set, the EHLO command must reach the receiving server. Some firewall and proxy security features will block or modify the EHLO command in transit. When the security device does not allow EHLO, no ESMTP services will be available. In this case, only the SMTP commands specified in RFC 821 section 4.5.1 are allowed on a mail server. 

These are: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. No ESMTP commands are available.

Another security feature used by these devices is SMTP banner modification. In order to hide the type and version of the protected mail server, some devices will obscure all but the 220 portion of the banner that is required for communication. The banner will often appear similar to: 
220************* 

Part of the information being hidden is the ESMTP advertisement in the banner. When this advertisement is removed, a sending server will not be aware that ESMTP commands are accepted. 

In summary, firewalls and SMTP proxy servers may block EHLO commands and hide ESMTP banner advertisements. When these security measures are in place, ESMTP commands may not be accessible. To ensure that other hosts can communicate with your IronPort appliance using ESMTP, you may need to disable these security features on your security device.

 

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Cheers,
Robert Sherwin

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Robert Sherwin
Cisco Employee
Cisco Employee

‎08-11-2014 09:40 AM

There are a number of firewalls and SMTP proxy services available that provide features meant to protect servers from exploit. Some of these methods of protection can impede ESMTP services such as TLS and SMTP Authentication.

Services, such as TLS and SMTP Authentication, use ESMTP (Extended SMTP) commands. In order to access the ESMTP command set, the EHLO command must reach the receiving server. Some firewall and proxy security features will block or modify the EHLO command in transit. When the security device does not allow EHLO, no ESMTP services will be available. In this case, only the SMTP commands specified in RFC 821 section 4.5.1 are allowed on a mail server. 

These are: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. No ESMTP commands are available.

Another security feature used by these devices is SMTP banner modification. In order to hide the type and version of the protected mail server, some devices will obscure all but the 220 portion of the banner that is required for communication. The banner will often appear similar to: 
220************* 

Part of the information being hidden is the ESMTP advertisement in the banner. When this advertisement is removed, a sending server will not be aware that ESMTP commands are accepted. 

In summary, firewalls and SMTP proxy servers may block EHLO commands and hide ESMTP banner advertisements. When these security measures are in place, ESMTP commands may not be accessible. To ensure that other hosts can communicate with your IronPort appliance using ESMTP, you may need to disable these security features on your security device.

 

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Cheers,
Robert Sherwin
0 Helpful
Customers Also Viewed These Support Documents