
E-mail and Cisco PIX firewalls

Posted by redbeard on Wed 5 Apr 2006 at 09:26

I'm writing this article in hopes that it helps someone else, later. I just spent two days configuring my new e-mail server. It would have only been an afternoon if I'd known what I'm about to share.

My goal was to set up a secure e-mail server that I could log into using SMTP over SSL (e.g. SMTP AUTH). I had Exim4 running on a Sarge box, but only local logins and nothing else. First, I used Steve's article on setting up dovecot so I could use IMAP to access the mail from an external machine. I configured it to use only IMAPS. I tested it locally using mutt. Then, I followed the directions (and comments) from HowTo Setup Basic SMTP AUTH in Exim4, by an anonymous author. Everything seemed to be good.

Now comes the good part. I opened up the ports on my Cisco PIX firewall (993 for IMAPS and 25 for SMTP). Then I connected using mutt via IMAP. This worked. Then I tried setting up Opera (no, it's not open source, but it's the best browser for me) to use my new e-mail server. IMAP worked fine. SMTP did not. I couldn't figure out how to use mutt to do SMTP to the new server (I haven't tried hard yet, but pointers would be happily accepted).

So, I tried a few TCP monitoring utilities until I finally settled on tcpick. On the mail server I watched for traffic from my outside client. On the client, I watched for the mail server. The server was sending a proper identification:

220 mailserver ESMTP Exim 4.52 Tue, 04 Apr 2006 14:17:01 -0500

But I was getting back things like:

220 *********************2******0******200*****02*****0*00

The firewall was killing everything except '2's and '0's! After I realized what was happening, I did a quick Google search. It turned up the following question from Exim's FAQ:

Q0053: Exim on my host responds to a connection with 220 *****... and won't understand EHLO commands.

A0053: This is the sign of a Cisco Pix “Mailguard” sitting in front of your MTA. Pix breaks ESMTP and only does SMTP. It is a nuisance when you have a secure MTA running on your box. Something like “no fixup protocol smtp 25” in the Pix configuration is needed. It may be possible to do this by logging into the Pix (using telnet or ssh) and typing no fixup smtp to its console. (You may need to use other commands before or after to set up configuration mode and to activate a changed configuration. Consult your Pix documentation or expert.) See also Q0078.

I checked. My PIX did indeed have SMTP fixup turned on. I followed the above advice (enter no fixup protocol smtp 25 on the PIX) and voila! It worked like a charm. By the way, Q0078 is about the PIX changing the EHLO command into XXXX.
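The two symptoms described above (a banner reduced to asterisks, and a server that no longer understands EHLO) are easy to recognise programmatically once you know what to look for. The following script is an added example, not part of the original article: it scores a greeting line for Mailguard-style masking, summarises a multi-line EHLO reply (was ESMTP accepted, were STARTTLS and AUTH advertised), and combines both into a verdict. The sample banners are modelled on the two quoted in the article; the EHLO reply lines, the hostname probe.example and the verdict labels are constructed for the example. The live probe_smtp() function runs the same check against a real listener and is the only part that needs a network.

```python
import re
import socket

# Constructed samples modelled on the two banners quoted in the article; they
# are not captured from any real host.
CLEAN_BANNER = "220 mailserver ESMTP Exim 4.52 Tue, 04 Apr 2006 14:17:01 -0500"
MASKED_BANNER = "220 *********************2******0******200*****02*****0*00"

# Constructed EHLO replies: what a clean ESMTP path returns, and what a client
# sees when the firewall has downgraded the session and EHLO is rejected.
CLEAN_EHLO_REPLY = [
    "250-mailserver Hello probe.example [192.0.2.10]",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]
REJECTED_EHLO_REPLY = ["500 unrecognized command"]


def banner_looks_masked(banner, threshold=0.5):
    """True when the text after the 220 code is mostly asterisks, the
    signature of PIX 'fixup protocol smtp' (Mailguard) banner hiding."""
    m = re.match(r"^220[ -](.*)$", banner.strip())
    if not m or not m.group(1):
        return False
    body = m.group(1)
    return body.count("*") / len(body) >= threshold


def classify_ehlo_reply(lines):
    """Summarise a multi-line EHLO reply: did the server accept ESMTP, and
    which of the extensions that matter for a secure MTA did it advertise?"""
    if not lines or not lines[0].startswith("250"):
        return {"esmtp": False, "starttls": False, "auth": False}
    # Each continuation line is "250-KEYWORD [params]"; the greeting line is skipped.
    keywords = {line[4:].split(" ", 1)[0].upper() for line in lines[1:] if len(line) > 4}
    return {"esmtp": True, "starttls": "STARTTLS" in keywords, "auth": "AUTH" in keywords}


def diagnose(banner, ehlo_reply):
    """Combine both signals into one verdict string (labels are this example's own)."""
    masked = banner_looks_masked(banner)
    info = classify_ehlo_reply(ehlo_reply)
    if masked and not info["esmtp"]:
        return "mailguard"          # banner hidden and EHLO refused: fixup smtp in the path
    if masked:
        return "banner-masked"      # hidden banner only; still worth checking the firewall
    if not info["esmtp"]:
        return "no-esmtp"           # plain SMTP server, or EHLO rewritten on the way in
    if not info["starttls"]:
        return "esmtp-no-starttls"  # ESMTP passes but STARTTLS is not offered
    return "clean"


def probe_smtp(host, port=25, timeout=10):
    """Live version of the same check against a real listener (not exercised
    offline): read the greeting, send EHLO, collect the reply, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb", buffering=0)
        banner = f.readline().decode("ascii", "replace").rstrip("\r\n")
        f.write(b"EHLO probe.example\r\n")
        reply = []
        while True:
            line = f.readline().decode("ascii", "replace").rstrip("\r\n")
            reply.append(line)
            # A "250-" line continues the reply; "250 " (or an error code) ends it.
            if len(line) < 4 or line[3] != "-":
                break
        f.write(b"QUIT\r\n")
    return banner, reply, diagnose(banner, reply)


if __name__ == "__main__":
    print(diagnose(CLEAN_BANNER, CLEAN_EHLO_REPLY))        # clean
    print(diagnose(MASKED_BANNER, REJECTED_EHLO_REPLY))    # mailguard
```

Run the probe from outside the firewall (the inside view is clean, as the article's tcpick captures show) and compare the banner it returns with what the MTA actually sent; a "mailguard" verdict from the outside together with a clean banner on the server side points at the firewall rather than at Exim.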

Once again, I hope this saves at least someone the headaches I had. While this article is specifically about Exim, I'm pretty sure it will hold true for all MTAs supporting ESMTP.



Re: E-mail and Cisco PIX firewalls
Posted by ltackmann (80.162.xx.xx) on Wed 5 Apr 2006 at 10:26
Yep, I have had this problem (see this kernel thread). The problem really is that Cisco PIX does not handle TCP window scaling correctly, so another solution is to turn that off instead of removing SMTP fixup, i.e. just add the following to /etc/sysctl.conf:
 # fix buggy firewalls that stomp on the scaling bits
 net.ipv4.tcp_window_scaling = 0
then run:
 sysctl -w net.ipv4.tcp_window_scaling=0
check with sysctl -p or sysctl -A to see your current values.

Re: E-mail and Cisco PIX firewalls
Posted by Anonymous (203.120.xx.xx) on Wed 19 Apr 2006 at 10:13
Except many versions of the PIX also have a nasty bug in smtp fixup where they don't properly handle the final . if the CR and LF happen to be in separate packets. I'd recommend turning off smtp fixup. See CSCds90792.

Re: E-mail and Cisco PIX firewalls
Posted by Anonymous (217.10.xx.xx) on Wed 5 Apr 2006 at 11:59
You should use port 587 for mail message submission (RFC 2476).

Re: E-mail and Cisco PIX firewalls
Posted by redbeard (64.218.xx.xx) on Wed 5 Apr 2006 at 15:32
To be completely honest, this is the first time I have ever heard this. I also have never dealt with a mail server that a MUA connects to that doesn't use port 25 for that connection.

After skimming through it, it sounds as if this doesn't necessarily apply in my case anyway. My MTA is the only MTA that will be modifying the messages. Also, there is this sentence:

A site MAY choose to use port 25 for message submission, by designating some hosts to be MSAs and others to be MTAs.

There will be no hosts acting as MSAs. Only MUAs and external MTAs will connect. Hmm... I may be misstating that. I suppose the other servers behind the firewall should probably send external emails via the central MTA. Each of those has the light version of Exim installed. It should be simple enough to set up this configuration with Exim. Maybe have internal servers connect to port 587 but not open that port on the firewall.

Of course, the whole point of the article is the fact that I'm trying to authenticate valid users that live outside the firewall. Since there are no workstations inside this firewall, that would be all my users.

Does anyone else have any thoughts on this? Michael

Re: E-mail and Cisco PIX firewalls
Posted by clar2242 (193.16.xx.xx) on Wed 5 Apr 2006 at 13:18
Yeah, Pix's are a pain for this.

As soon as I get a PIX/ASA/FWSM out of the box, after setting the hostname and passwords, the next command I type is no fixup smtp.

In v7.x of the OS things have improved somewhat, as it supports some ESMTP commands, but not STARTTLS, so I would still turn it off.

Scott Clark
Leeds, UK.

Re: E-mail and Cisco PIX firewalls
Posted by Anonymous (62.97.xx.xx) on Wed 24 Aug 2011 at 10:50
I've tried to implement STARTTLS behind an old PIX 7.1 and got some nasty XXXX. Thank you for the post, it saved me a lot of time.

Re: E-mail and Cisco PIX firewalls
Posted by Anonymous (217.27.xx.xx) on Sat 3 Jun 2006 at 19:36
That particular implementation of the PIX affects all products using ESMTP; I have seen it knock over MS Exchange Servers too.

Glad I'm not the only one that found it.

Re: E-mail and Cisco PIX firewalls
Posted by Anonymous (64.201.xx.xx) on Sat 7 Mar 2009 at 22:44
This saved me last night, thanks.

Re: E-mail and Cisco PIX firewalls
Posted by Anonymous (12.44.xx.xx) on Tue 6 Apr 2010 at 20:31
Wow, even after 4 years, this still applies. Thanks for the detailed description. I was banging my head against the wall for a few hours on this one, too, before finally being able to blame the PIX in between.

Re: E-mail and Cisco PIX firewalls
Posted by Anonymous (196.211.xx.xx) on Fri 22 Oct 2010 at 10:36
Rarharhar! And again! I've been hacking at this one on and off for a week! Finally spent a few hours hard troubleshooting last night and found this problem! Thanks for the post and comments (yes, they _still_ apply).


