CiscoWorks VMS FW Manager removing no fixup protocol smtp 25 from Pix

NPT_2 · ‎12-08-2005

I am having a pecular issue where when I deploy a changed pix firewall configuration from CiscoWorks VMS Firewall Manager I seem to somehow get both a:

no fixup protocol smtp 25

and a

fixup protocol smtp 25

in my configuration. This only seems to occur ocassionaly and checking the pix config and the firewall manager configuration listing both have fixup for smtp 25 turned off as I need. Has anyone run into this before? Any suggestions?

b.hsu · ‎12-14-2005

Fixup protocol enables the mail gaurd feature on the pix.

You can use the fixup command to change the default port assignment for SMTP. The command syntax

is as follows.

fixup protocol smtp [port[-port]]

The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to

receiving the seven minimal commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA,

RSET, NOOP, and QUIT). All other commands are rejected.

Microsoft Exchange server does not strictly comply with RFC 821 section 4.5.1, using extended SMTP

commands such as EHLO. PIX Firewall will convert any such commands into NOOP commands, which

as specified by the RFC, forces SMTP servers to fall back to using minimal SMTP commands only. This

may cause Microsoft Outlook clients and Exchange servers to function unpredictably when their

connection passes through PIX Firewall.

Use the port option to change the default port assignments from 25. Use the -port option to apply SMTP

application inspection to a range of port numbers.

There is no work around for "No fixup protocol smtp 25" on the pix firewall configuration. It is essentially required since at times to configures the smtp, it sometimes may require some extra port through which the mails are transferred. There is no work around for removing the no fixup command