Hi all, 

Apologies for the long delay in response.  It's tough to keep up with all the lists.  

The reason the PIX passes XXXX to your mail server is to keep the state consistent on 
both client and server sides of the conversation.  

There is nothing wrong with your configuration with regards to the fixup protocol 
smtp.  

The PIX sends a 500 command not understood back to the client, but must make sure the 
SERVER is also at that same state, so sends a bogus command to the server, so both 
sides are at the same point.  

Looks like our documentation could be cleaned up a bit.  I'll let the appropriate 
people know. 

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

At 01:55 PM 03/30/2000 +0100, Daniel Crichton wrote:
>I've been monitoring SMTP transactions on my mail since putting in my PIX with 4.4(1) 
>and noticed that ESMTP commands are being passed to my mail server as XXXX. Eg. if a 
>mail server opens a connection to my server and uses EHLO host.domain.com it gets 
>passed by the PIX to my server as XXXX host.domain.com, so my server responds with a 
>507 error and the sending server uses HELO host.domain.com which allows the mail to 
>be sent. I'm quite happy with this, but the Cisco docs seem to be wrong as they define 
>the fixup protocol 25 command as
>
>The fixup protocol smtp command enables the Mail Guard feature, which only lets 
>mail servers receive the RFC 821, section 4.5.1 commands of HELO, MAIL, 
>RCPT, DATA, RSET, NOOP, and QUIT. All other commands are rejected with the 
>"500 command unrecognized" reply code.
>
>
>This suggests that the PIX should be sending the 500 command unrecognized reply 
>itself, and the command should never reach my mail server. Is this just a case of the 
>PIX docs being wrong, or is there something funny with my config?
>
>Dan
>
>---
>D.C. Crichton                 email: [EMAIL PROTECTED]
>Senior Systems Analyst        tel:   +44 (0)121 706 6000
>Computer Manuals Ltd.         fax:   +44 (0)121 606 0477
>
>Computer book info on the web:
>    http://computer-manuals.co.uk/
>Want to earn money? Join our affiliate scheme!
>    http://computer-manuals.co.uk/affiliate/
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.] 
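
An added example, not part of either message and not Cisco's code: a simplified Python model of the behaviour discussed in this thread, where a command outside the documented set is masked and still forwarded so client and server stay in step. The class and function names are hypothetical, the sample session is constructed, and same-length masking is an assumption drawn from the EHLO to XXXX observation above.

```python
# Added illustration: a simplified model of the masking behaviour discussed in
# this thread. Not Cisco code; the class and function names are hypothetical.

# Command set quoted from the PIX documentation in the thread (RFC 821, 4.5.1).
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class MailGuardModel:
    """Rewrites client-to-server SMTP lines the way the thread describes."""

    def __init__(self):
        self.in_data = False  # True while the message body is being sent

    def filter_line(self, line: str) -> str:
        text = line.rstrip("\r\n")
        if self.in_data:
            # Body lines are content, not commands; a lone "." ends the body.
            if text == ".":
                self.in_data = False
            return text
        verb, sep, rest = text.partition(" ")
        if verb.upper() in ALLOWED:
            # Assumption: the server accepts DATA and the body follows.
            if verb.upper() == "DATA":
                self.in_data = True
            return text
        # Mask the verb with X's of the same length (assumed), keep the
        # argument, and still forward the line so the server sees one command
        # per client command and both sides stay at the same point.
        return "X" * len(verb) + sep + rest


def run_session(lines):
    """Return what the mail server would receive for the given client lines."""
    guard = MailGuardModel()
    return [guard.filter_line(l) for l in lines]


# Constructed sample session: ESMTP greeting, fallback to HELO, one message.
SAMPLE = [
    "EHLO host.domain.com", "HELO host.domain.com",
    "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>",
    "DATA", "EHLO is only text here", ".", "VRFY postmaster", "QUIT",
]

if __name__ == "__main__":
    for seen in run_session(SAMPLE):
        print(seen)
```

The body line that starts with EHLO passes through unchanged because the model tracks the DATA phase; a stateless filter would mask message content.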
