My Cisco ASA is mangling legitimate SMTP traffic

Discussion in 'Cisco' started by Ramon F Herrera, Jun 5, 2007.

  1. I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
    SMTP traffic. Additionally, I have a rule that permits any traffic from
    the mail server to the Internet.

    My problem is that the firewall is behaving like a wise guy,
    distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
    followed by a sequential alphabetic letter.

    Let's examine the dialogs telnetting from server A to B, and then from
    server B to A.

    The following lines:

    EHLO abc.com
    250-postino.example.com Hello www.example.com [12.34.56.78], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-DELIVERBY
    250 HELP

    are transliterated into:
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-XXXA
    250-XXXB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-XXXXXXXXC
    250 XXXD

    While in the opposite direction the regular dialog:
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
    250-DELIVERBY
    250 HELP

    Becomes mutated into:
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
    250-XXXXXXXXA
    250 XXXB

    What is going on here?

    Suggestions?

    -Ramon
     
    Ramon F Herrera, Jun 5, 2007
    #1

  2. On Jun 5, 6:04 pm, Grant Taylor <> wrote:
    > On 6/5/2007 4:18 PM, Ramon F Herrera wrote:
    >
    > > I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
    > > SMTP traffic. Additionally, I have a rule that permits any traffic
    > > from the mail server to the Internet.

    >
    > I doubt that I even need to read the rest...
    >
    > > My problem is that the firewall is behaving like a wise guy,
    > > distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
    > > followed by a sequential alphabetic letter.

    >
    > Not owning or even working on one of these devices, I can't say for
    > sure, but...
    >
    > > What is going on here?

    >
    > Cisco is happening to you.
    >
    > > Suggestions?

    >
    > ... Others have said "Turn *OFF* SMTP fix up". Apparently, this is a
    > VERY common problem. Probably enough so that it should be part of the FAQ.
    >
    > Grant. . . .
    Yeap, the problem was in this section:

    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp <-- This line is dangerous!
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp

    I removed the `inspect esmtp' line and the problem disappeared. I
    wonder what else is being broken by those "fixups".

    Thanks!

    -Ramon
     
    Ramon F Herrera, Jun 6, 2007
    #2
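    The original post quotes two EHLO dialogs, one as the mail server sends it and one as it arrives through the firewall, and post #2 traces the difference to the ESMTP inspection. The following is an added example, not code from the thread or from Cisco: a small Python check that parses a multi-line 250 reply, flags extension lines that consist of X characters plus one letter, verifies that the letters run A, B, C, ... in order, and pairs each flagged line with the advertised keyword of the same length that went missing. The sample replies are constructed from the lines quoted in post #1; the same-length pairing is a heuristic drawn from those samples (EXPN became XXXA, DELIVERBY became XXXXXXXXC), not a documented property of the inspection engine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample replies modelled on the two dialogs quoted in post #1.
# CLEAN_RESPONSE is what the server sends; MANGLED_RESPONSE is what the
# client sees after the middlebox rewrote the keywords it did not recognise.
CLEAN_RESPONSE = (
    "250-postino.example.com Hello www.example.com [12.34.56.78], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-EXPN\r\n250-VERB\r\n"
    "250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-DELIVERBY\r\n250 HELP\r\n"
)
MANGLED_RESPONSE = (
    "250-postino.example.com Hello www.example.com [12.34.56.78], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-XXXA\r\n250-XXXB\r\n"
    "250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-XXXXXXXXC\r\n250 XXXD\r\n"
)

# Assumed shape of a rewritten keyword, taken from the samples above:
# one or more X characters followed by a single capital letter.
MASKED_KEYWORD = re.compile(r"^X+([A-Z])$")


def parse_ehlo_response(raw: str) -> Tuple[str, List[str]]:
    """Split a multi-line 250 reply into (greeting, extension lines).

    Every line must start with '250-' (more to follow) or '250 ' (last line);
    anything else, or text after the last line, raises ValueError.
    """
    lines = [ln for ln in raw.split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    for i, ln in enumerate(lines):
        if len(ln) < 4 or ln[:3] != "250" or ln[3] not in "- ":
            raise ValueError(f"unexpected reply line: {ln!r}")
        if ln[3] == " " and i != len(lines) - 1:
            raise ValueError("data after the final reply line")
    if lines[-1][3] != " ":
        raise ValueError("reply not terminated by a '250 ' line")
    greeting = lines[0][4:]
    extensions = [ln[4:] for ln in lines[1:]]
    return greeting, extensions


def keyword_of(extension_line: str) -> str:
    """First token of an extension line, e.g. 'AUTH' from 'AUTH GSSAPI CRAM-MD5'."""
    parts = extension_line.split(None, 1)
    return parts[0] if parts else ""


def find_masked_extensions(extensions: List[str]) -> List[str]:
    """Return the keywords that look rewritten (Xs plus one letter)."""
    return [kw for kw in map(keyword_of, extensions) if MASKED_KEYWORD.match(kw)]


def masked_letters_sequential(masked: List[str]) -> bool:
    """True when the trailing letters of the masked keywords run A, B, C, ..."""
    letters = [MASKED_KEYWORD.match(kw).group(1) for kw in masked]
    return bool(letters) and letters == [chr(ord("A") + i) for i in range(len(letters))]


def guess_replaced(missing: List[str], masked: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Heuristic pairing: each masked keyword is matched, in order, with the
    first still-unclaimed missing keyword of the same length."""
    unclaimed = list(missing)
    pairs = []
    for kw in masked:
        match = next((m for m in unclaimed if len(m) == len(kw)), None)
        if match is not None:
            unclaimed.remove(match)
        pairs.append((kw, match))
    return pairs


def compare_capabilities(expected_raw: str, observed_raw: str) -> Dict[str, object]:
    """Diff the reply the server sends against the reply a client receives."""
    _, expected = parse_ehlo_response(expected_raw)
    _, observed = parse_ehlo_response(observed_raw)
    expected_kw = [keyword_of(e) for e in expected]
    observed_kw = [keyword_of(o) for o in observed]
    missing = [kw for kw in expected_kw if kw not in observed_kw]
    masked = find_masked_extensions(observed)
    return {
        "missing": missing,
        "masked": masked,
        "sequential": masked_letters_sequential(masked),
        "pairs": guess_replaced(missing, masked),
        "rewritten": bool(masked),
    }


if __name__ == "__main__":
    report = compare_capabilities(CLEAN_RESPONSE, MANGLED_RESPONSE)
    for kw, original in report["pairs"]:
        print(f"{kw:<12} probably replaced {original}")
    print("middlebox rewrite suspected:", report["rewritten"])
```

    Run against a real server, the expected reply would come from a telnet or openssl session inside the firewall and the observed reply from a session on the outside; any masked keyword with the sequential-letter pattern points at an inspection engine on the path rather than at the mail server itself.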

  3. Ramon F Herrera <> writes:
    > inspect esmtp <-- This line is dangerous!


    >I removed the `inspect esmtp' line and the problem disappeared. I
    >wonder what else is being broken by those "fixups".


    The PIX/ASA has always been a bit wonky breaking SMTP left and right
    when fixup smtp has been enabled. I'm not quite sure what they are
    protecting isn't doing more harm than good. I don't see many PIXs my
    way that ever have fixup smtp (or now fixup esmtp) turned on.
     
    Doug McIntyre, Jun 6, 2007
    #3
  4. Bill Cole (Guest) wrote:

    In article <>,
    Ramon F Herrera <> wrote:

    > I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
    > SMTP traffic. Additionally, I have a rule that permits any traffic from
    > the mail server to the Internet.
    >
    > My problem is that the firewall is behaving like a wise guy,
    > distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
    > followed by a sequential alphabetic letter.


    Turn off SMTP 'fixup' on your misdesigned firewall.

    Cisco does stupid stuff to SMTP. They cannot be trusted to handle your
    mail, as they have years of track record showing that they do not
    understand the protocol and have spent years telling their unfortunate
    customers that what they do is some sort of fix. They have lied to you.

    Consult your documentation or call Cisco to ask how to solve your
    problem. It is NOT a Sendmail issue.

    --
    Now where did I hide that website...
     
    Bill Cole, Jun 6, 2007
    #4
  5. Doug McIntyre wrote:

    > Ramon F Herrera <> writes:
    >> inspect esmtp <-- This line is dangerous!

    >
    >>I removed the `inspect esmtp' line and the problem disappeared. I
    >>wonder what else is being broken by those "fixups".

    >
    > The PIX/ASA has always been a bit wonky breaking SMTP left and right
    > when fixup smtp has been enabled. I'm not quite sure what they are
    > protecting isn't doing more harm than good. I don't see many PIXs my
    > way that ever have fixup smtp (or now fixup esmtp) turned on.


    It has been known for years that the `fixup protocol smtp' command in fact
    means fu**up protocol smtp.

    Switching that option off is among the first things to do when configuring a
    PIX.

    Wolfgang
     
    Wolfgang Kueter, Jun 6, 2007
    #5
  6. Ramon F Herrera wrote:
    > Yeap, the problem was in this section:
    >
    > policy-map global_policy
    > class inspection_default
    > inspect dns preset_dns_map
    > inspect ftp
    > inspect h323 h225
    > inspect h323 ras
    > inspect rsh
    > inspect rtsp
    > inspect esmtp <-- This line is dangerous!
    > inspect sqlnet
    > inspect skinny
    > inspect sunrpc
    > inspect xdmcp
    > inspect sip
    > inspect netbios
    > inspect tftp
    > inspect icmp
    >
    > I removed the `inspect esmtp' line and the problem disappeared. I
    > wonder what else is being broken by those "fixups".


    For example:
    - We are deploying H.323 based videoconferencing and Cisco's H323 "fixup"
    wreaks havoc with that, too.
    - We regularly see trouble with the default "fixup protocol dns maximum-length 512"
    which is way too small.

    --
    Tilman Schmidt
    Phoenix Software GmbH www.phoenixsoftware.de
    Adolf-Hombitzer-Str. 12 Amtsgericht Bonn HRB 2934
    53227 Bonn, Germany Geschäftsführer: W. Grießl
     
    Tilman Schmidt, Jun 6, 2007
    #6
  7. NPG (Guest) wrote:

    * Bill Cole wrote:
    > In article <>,
    > Ramon F Herrera <> wrote:
    >
    >> I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
    >> SMTP traffic. Additionally, I have a rule that permits any traffic from
    >> the mail server to the Internet.
    >>
    >> My problem is that the firewall is behaving like a wise guy,
    >> distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
    >> followed by a sequential alphabetic letter.

    >
    > Turn off SMTP 'fixup' on your misdesigned firewall.
    >
    > Cisco does stupid stuff to SMTP. They cannot be trusted to handle your
    > mail, as they have years of track record showing that they do not
    > understand the protocol and have spent years telling their unfortunate
    > customers that what they do is some sort of fix. They have lied to you.
    >
    > Consult your documentation or call Cisco to ask how to solve your
    > problem. It is NOT a Sendmail issue.
    >

    Yep, Shisco happens.
     
    NPG, Jun 6, 2007
    #7