Cisco PIX/ASA: Disable SMTP Fixup

Over on the Mailop list, a postmaster shared his tale of woe involving sending mail to a small set of recipients whose mail server is behind a Cisco PIX firewall.

You can tell if a receiving site is using a Cisco PIX firewall by telnetting to port 25 of the site's MX and seeing if it responds with a row of output that is almost all asterisks:
220 *******************************************************************
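As an added example (not code from the original post), here is a small Python check that applies that test: it treats a greeting as masked when the text after the 220 reply code is mostly asterisks. The sample banners are constructed, and the optional live probe assumes nothing beyond the standard library.

```python
"""Diagnose whether an SMTP greeting looks masked by Cisco PIX/ASA SMTP fixup."""
import re
import smtplib
import sys

# Greeting lines as a client sees them right after connecting to port 25.
# Constructed samples for this example, not captured from any real site.
SAMPLE_BANNERS = {
    "normal": "220 mx.example.net ESMTP Postfix",
    "masked": "220 " + "*" * 67,
    "not_a_greeting": "500 command unrecognized",
}


def banner_mask_ratio(banner: str) -> float:
    """Fraction of characters after the '220' reply code that are asterisks.

    Returns 0.0 for anything that is not a 220 greeting at all.
    """
    m = re.match(r"^220[ -](.*)$", banner.strip())
    if not m or not m.group(1):
        return 0.0
    body = m.group(1)
    return body.count("*") / len(body)


def looks_like_pix_fixup(banner: str, threshold: float = 0.8) -> bool:
    """True when the greeting is mostly asterisks, the fixup's banner signature."""
    return banner_mask_ratio(banner) >= threshold


def fetch_banner(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Connect to an MX, return its greeting line, and QUIT cleanly.

    Only used by the command-line path below; the offline checks never call it.
    """
    with smtplib.SMTP(timeout=timeout) as conn:
        code, msg = conn.connect(host, port)
        return f"{code} {msg.decode('ascii', errors='replace')}"


if __name__ == "__main__":
    # Usage: python pixcheck.py mx.example.net  (hostname is the operator's own)
    greeting = fetch_banner(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BANNERS["masked"]
    verdict = "masked (PIX/ASA SMTP fixup likely)" if looks_like_pix_fixup(greeting) else "normal"
    print(f"{greeting!r}: {verdict}")
```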

I'm still surprised these things are out there and being used. I've run into problems sending mail to users behind them for years. The theory is that you are improving the security of an older mail server by putting this PIX device in front of it. In practice, the PIX device introduces its own quirks that can make successful mail receipt and delivery difficult in unexpected ways.

The reason I'm well aware of this is because I learned years ago that Cisco PIX devices don't play nice with sites that used LISTSERV to distribute mail. The PIX would close the SMTP connection in a way that makes the sender think the message didn't send. But the message did send and was fully received. Thus the sender's SMTP server tries to send again, and the cycle repeats. The net effect is that the recipient will receive hundreds of copies of the same email message (or more). I blogged about this in 2009.

Now it's 2016 and the devices are still out there and are still causing trouble: disabling ESMTP, misinterpreting SMTP commands, connections getting dropped. Here's another admin's tale of woe, where an admin explains how he found an example of a PIX mangling commands that fall across a packet boundary. The PIX's SMTP Fixup mode is also known to cause problems with TLS encryption.

Microsoft has published a tech note recommending that email and firewall admins configure their PIX/ASA devices to disable SMTP fixup. It's sound advice.