On Sun, 28 Mar 2004 08:59:40 -0500 Rob Nelson <ronelson@vt.edu> wrote:
> > yes. there are a lot of pix firewalls out there with smtp fixup turned on, effectively disabling ESMTP (not to mention sporadically breaking traditional SMTP.)
>
> Could you elaborate on this? I use PIX firewalls all over the place and don't seem to have a problem with SMTP or ESMTP.
then you must have smtp fixup disabled. when smtp fixup is on (default on many older pixes, i gather that there may be some improvements on newer pixes), the smtp banner is mostly obscured by * characters. the intent is a classic security by obscurity play, to hide the type and version of the MTA behind the pix.

the problem is twofold:

1) it obscures so much of the banner that any ESMTP advertisement in the banner is hidden, so the SMTP client doesn't know that it can EHLO. for standards-compliant MTAs, the result is a default to the minimal SMTP standard mode of operation, and options such as SMTP over TLS are never negotiated even when both the SMTP client and server are "ready to go".

2) it turns out that the * obscurity ploy is badly done, and while it hides enough of the banner to break ESMTP, it doesn't hide enough of the banner to reliably obscure the MTA in use.

even if security by obscurity were a good idea (i, and many others, maintain that it is not), broken security by obscurity is annoying beyond belief.

on more than one occasion, i've had clients ask me to investigate why they're having obscure problems with email transactions. in many cases, i've found that telneting to port 25 on the SMTP server end has produced the "wall of asterisks", and that having them turn off smtp fixup on the pix invariably cures the problem. it's sufficiently frequent that it's generally the first thing i check for these days (it's also first because ruling it in or out is very quick.)

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
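The failure mode Richard describes, modelled as an added example (not code from the thread or from Cisco): a client that keys its greeting on the ESMTP keyword in the 220 banner, as the message says standards-compliant MTAs end up doing, falls back to HELO when the banner is a wall of asterisks and therefore never sees the STARTTLS extension. The banners, the asterisk-ratio threshold and the simplified extension list are constructed assumptions; `fetch_banner` is the "telnet to port 25" check from the message, written with plain sockets, and is only run when you call it yourself.

```python
import re
import socket

# Constructed sample banners (not captured from any real host).
CLEAN_BANNER = "220 mail.example.net ESMTP Postfix"
FIXUP_BANNER = "220 ****************************************"

ESMTP_KEYWORD = re.compile(r"\bESMTP\b", re.IGNORECASE)


def banner_is_obscured(banner: str, threshold: float = 0.5) -> bool:
    """Detect the 'wall of asterisks' a PIX with smtp fixup enabled presents.

    The threshold is an assumption: the message says the banner is 'mostly'
    replaced by '*', so we flag any 220 line whose text is mostly asterisks.
    """
    code, _, text = banner.strip().partition(" ")
    text = text.strip()
    if code != "220" or not text:
        return False
    return text.count("*") / len(text) >= threshold


def advertises_esmtp(banner: str) -> bool:
    """True when the 220 banner carries the ESMTP advertisement."""
    return ESMTP_KEYWORD.search(banner) is not None


def choose_greeting(banner: str) -> str:
    """Model the client behaviour the thread describes: EHLO only when the
    banner advertises ESMTP, otherwise plain HELO."""
    return "EHLO" if advertises_esmtp(banner) else "HELO"


def simulate_session(banner: str, server_supports_starttls: bool = True) -> dict:
    """Walk the greeting step and report whether STARTTLS could be negotiated.

    With EHLO the server answers with its extension list (STARTTLS here is a
    constructed assumption); with HELO no extensions are ever advertised, so
    TLS is never attempted even though both sides support it.
    """
    greeting = choose_greeting(banner)
    extensions = ["STARTTLS"] if (greeting == "EHLO" and server_supports_starttls) else []
    return {
        "greeting": greeting,
        "extensions": extensions,
        "starttls_possible": "STARTTLS" in extensions,
        "obscured_banner": banner_is_obscured(banner),
    }


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """The quick check from the message: open port 25 and read the 220 line.

    Network access is needed; this is never called at import time.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = sock.recv(512)
            if not chunk:
                break
            data += chunk
        return data.decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    for banner in (CLEAN_BANNER, FIXUP_BANNER):
        print(banner)
        print("  ", simulate_session(banner))
```

Running the block side by side shows the clean banner yielding EHLO with STARTTLS available, and the obscured banner yielding HELO with no extensions at all, which is exactly why mail still flows but TLS is silently lost. Pointing `fetch_banner` at your own MX and feeding the result to `banner_is_obscured` reproduces the first thing Richard says he checks.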