
Disable MailGuard on PIX 515

Paul.Lane
Level 1

I have a user that needed POP3 access to our Exchange server behind the PIX 515. I allowed access to port 110 and disabled mailguard on the PIX in order to accomplish the task. My question is: what are the ramifications of disabling mailguard? How much of a security breach is it? Because he is the only one using a POP3 account, I could make the case to have him use OWA.

Thanks

3 Replies

ryan.hicks
Level 1

I don't know why mailguard (or fixup protocol smtp in newer versions) would need to be disabled in order for POP3 access to work, since POP3 is an entirely different protocol and mailguard or fixup (see below) is only limiting SMTP-based commands.

When configured, Mailguard allows only the seven SMTP minimum-required commands as described in Section 4.5.1 of RFC 821. These seven minimum-required commands are: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. Other commands, such as KILL, WIZ, and so forth, are intercepted by the PIX and they are never sent to the mail server on the inside of your network. The PIX responds with an "OK" to even denied commands, so attackers would not know that their attempts are being thwarted.

NOTE: The PIX Software Mailguard feature sanitizes SMTP traffic. For PIX Software versions 4.0 and 4.1, the mailhost command is used to configure Mailguard. In PIX Software versions 4.2 and later, the command has been changed to fixup protocol smtp 25, and you will also need static and conduit statements for your mail server.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml

Thanks.

If you run MS Exchange (OWA = Outlook Web Access, so you almost assuredly do), you do probably want to disable mailguard if Exchange's SMTP service is internet facing.

I would in general recommend enforcing OWA use over POP - POP allows them to take all of their mail with them, off of your servers most likely. This can present a bunch of problems - user blows up all their old mail, security ramifications, etc.

Matt
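
Added example (not from the thread participants or from Cisco): a Python model of the seven-command allow-list in the Mailguard description quoted above, run over a constructed session to show which client lines would reach the inside mail server. The function name, the sample session and the simplification that the server always accepts DATA are assumptions made for illustration.

```python
# Added illustration of the Mailguard allow-list as described in this thread;
# not Cisco's implementation.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # RFC 821, 4.5.1

# Constructed sample of client-to-server lines (addresses are placeholders).
SESSION = [
    "EHLO client.example",
    "HELO client.example",
    "mail FROM:<a@example.com>",
    "RCPT TO:<b@example.com>",
    "WIZ",
    "DATA",
    "Subject: test",
    "",
    "KILL is just a word in this body line",
    ".",
    "KILL",
    "QUIT",
]


def mailguard_filter(client_lines):
    """Split client lines into (forwarded to server, intercepted by the firewall)."""
    forwarded, intercepted = [], []
    in_data = False  # True between DATA and the lone "." that ends the message
    for line in client_lines:
        text = line.rstrip("\r\n")
        if in_data:
            # Message body is payload, not commands: pass it through unfiltered.
            forwarded.append(text)
            if text == ".":
                in_data = False
            continue
        parts = text.split(None, 1)
        verb = parts[0].upper() if parts else ""  # SMTP verbs are case-insensitive
        if verb in ALLOWED:
            forwarded.append(text)
            in_data = verb == "DATA"  # assumption: the server accepts DATA
        else:
            # Per the description above, the client is answered "OK" and the
            # mail server never sees this line.
            intercepted.append(text)
    return forwarded, intercepted


if __name__ == "__main__":
    fwd, blocked = mailguard_filter(SESSION)
    print("reaches mail server:", fwd)
    print("intercepted:", blocked)
```

A filter of this kind has to track the DATA phase, otherwise body text that happens to start with a non-allowed word would be dropped from the message.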
