SMTP with Authentication being blocked by my PIX?

CyberWolves_2 · ‎08-08-2004

My company provides web and e-mail hosting. After installing our PIX I’ve noticed that our mail servers no longer respond with the standard “host” greetings. Further, in an effort to prevent spammers from using our mail servers, we require all users to use SMTP with authentication when sending e-mail via our SMTP servers. This apparently is also no longer working after installing our PIX. After researching the problem I believe the issue might have to do with the PIX default fixup settings for SMTP.

So my questions are: 1) Is this correct analysis of the problem? And, 2) if so, will issuing the command “no fixup smtp 25” resolve the issue for me and allow SMTP authentication to work again? Finally, if this will resolve the problem are there any precautions I should be aware since Cisco deemed it of value to disable this functionality?

Thanks!

gfullage · ‎08-09-2004

Yes, the fixup is definately your problem here, disable it to get things working again. The fixup does a few things, it hides the banner so that people can't see what type of server you have, it limits the SMTP commands that the client/server can use down to the standard 8 SMTP commands, and it checks that commands are entered in the correct order.

If you're doing authentication then this goes outside the standard 8 commands and you'll need to turn it off.

There's no real issue in doing this, you just lose some of the protection that the PIX affords. What you need to make sure is that your mail server is kept up to date with all the latest security patches for whatever OS and mail server you're running.

For your info, there'll be an ESMTP fixup in v7.0 when it is released later this year, so you should be able to turn it back on if you upgrade to that.

CyberWolves_2 · ‎08-09-2004

Thanks! I appreciate the quick and detailed reply; and, the good news about ESMTP fixup coming to version 7.