Re: Receiving multiple copies of same inbound message

cnelliott · ‎11-15-2001

We are receiving multiple copies of the same inbound message, although not all messages are duplicated. In checking MSKB, I found article Q295725. It states that the cause is a PIX firewall using Mailguard. I tried the test for Mailguard (telnet to port 25 of our exchange server from outside) but telnet hung. I am running PIXUR, version 5.3(2). Is this the only way to tell if Mailguard is running? How do I turn it off? I have searched the Cisco KB and according to the "SMTP Filtering Vulnerability" page, this issue was prior to version 5.3(2). Any information would be helpful. Thanks, Carolyn

brford · ‎11-22-2001

Carolyn,

MailGuard is the "fixup smtp ..." command in your configuration.

It sounds like you are having "fixup smtp" problems. The fixup disables certain insecure capabilities in SMTP transfers. Look for message in your syslog that correspond to the inbound messages.

Check your PIX configuration to see if "fixup smtp ..." is in there. If so, from config mode execute a "no fixup smtp ...".

Liberty for All,

Brian

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

cnelliott · ‎11-29-2001

Brian,

Thank you for replying. Hope you had a good holiday.

I am fairly new to PIX, so please pardon the 'newbie' questions. I know there is the 'fixup smtp ..." in the configuration. If I disable "fixup smtp ...", will that affect our email functionality? The email server sits in the DMZ, between the PIX and our internal network (token ring) and is running OWA.

Thanks, in advance, for any information you may send.

Carolyn

brford · ‎11-29-2001

Carolyn,

Thanks.

So MailGuard enforces RFC 822 on the connection between mail hosts protected by the PIX. RFC 822 is a best practices document about the security of SMTP commands.

The PIX is looking at the connection and filtering messages that pass between the hosts. The PIX MailGuard assumes that the connection is an SMTP (Simple Mail Transfer Protocol) connection and uses that to literally overwrite some fields that leak information and just not allow several SMTP commands. The problem is that Microsoft Exchange implements ESTMP. The connection looks like SMTP but has a number of extensions. MailGuard still tries to "fixup" this connection.

If you turn off MailGuard you should go back to the MS KB and look at ways you can better secure your Exchange Server.

Liberty for All,

Brian

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

cnelliott · ‎12-21-2001

Brian et al,

I just turned off MailGuard on our PIX. I delayed because our CIO was reluctant to "unprotect" our email server. However, we began experiencing extremely long delivery times from certain sources (primarily attbi.com) as well as duplicate messages.

My question is, do you have any suggestions for securing our Exchange Server? Especially ones you know for sure work. I am actively researching the KB.

Thanks and Happy Holidays.

Carolyn