12-07-2006 04:27 PM - edited 03-11-2019 02:05 AM
I work in a call center for a very well known MFP company. We have a customer that has a Cisco 506e PIX Firewall with the Mailguard feature enabled (default). When they send an email from our MFP the EHLO command is rejected (only when using SMTP Auth). I have read tons of info on this saying to disable the mailguard with "no fixup protocol smtp 25". The customer is reluctant to do this due to security concerns. Sooo we came across a doc that says to update the PIX OS and thus it will now allow the EHLO command through. Well, the question is: will they still be able to have the Mailguard enabled with SMTP Auth? If it is disabled, is it really that big of a security risk? Thanks in advance.
12-07-2006 04:46 PM
Hi .. indeed if you update to code 7.X then you can use inspect esmtp, which provides the same functionality as fixup smtp but also adds support for more commands such as: AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML and VRFY
I hope it helps .. please rate it if it does !!
12-08-2006 11:27 AM
Hi Fernando, Ok so the customer upgrades to 7.x.
1. With the "inspect ESMTP" can the customer still run the mailguard feature if they are using SMTP Auth? The customer states that after upgrading they still have to use the no fixup SMTP command, which disables mailguard. If the new version allows EHLO and Auth, why does mailguard still need to be disabled?
2. On the previous version, when no SMTP Auth is used, the sent EHLO command is rejected, but then a RSET is sent, then the HELO command is sent and accepted. Why does this behave differently with SMTP Auth, where the client does not RSET and send the HELO, it simply sends a QUIT? I attached some screen shots that may help you.
Thanks again, Andy
12-08-2006 04:49 PM
Hi Fernando, I have done more research on this inspect esmtp command. Sounds like it's going to be the fix. Do we disable the fixup smtp then enable the inspect esmtp, or does it automatically do it? Is it still called Mailguard? Your advice was very helpful $$ and I thank you again for your time. Andy Amato
12-08-2006 11:05 PM
Just upgrade, it will be done automatically.
12-10-2006 05:47 PM
Hi, you don't need to disable; just upgrade to code 7.0 and make sure the inspection global policy is enabled. There are no fixups anymore on code 7.X; they have been superseded by inspect, as below.
NOTE: Mail guard is another way of referring to the fixup smtp feature in code 6.X and inspect esmtp in code 7.0, which provides protection for SMTP (mail).
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect sqlnet
  inspect h323 ras
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect esmtp
  inspect netbios
  inspect sip
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect http
  inspect icmp
  inspect rsh
  inspect ftp
  inspect ils
  inspect h323 h225
  inspect dns
  inspect skinny
!
service-policy global-policy global
I hope it helps ...