
[nsp] pix and mail servers
Hello there,
I have the Mail Guard feature (fixup protocol smtp 25) active on our
PIX, but my unix administrators are complaining that the SMTP messaging
from the outside world is being chopped off too much. The access list on
the pix allows any IP to get to the mail server. Is there any way of
disabling the Mail Guard feature on per machine basis ( we have more
than one mail server and they reside on different networks ) or
something else to that effect.
Thanks in advance
Alban
Re: [nsp] pix and mail servers [ In reply to ]
Save yourself a huge headache and type:

no fixup protocol smtp 25

Forget about disabling it for certain servers; it's pretty broken.

On Fri, 20 Sep 2002, Alban Dani wrote:

> Hello there,
>
>
>
> I have the Mail Guard feature (fixup protocol smtp 25) active on our
> PIX, but my unix administrators are complaining that the SMTP messaging
> from the outside world is being chopped off too much. The access list on
> the pix allows any IP to get to the mail server. Is there any way of
> disabling the Mail Guard feature on per machine basis ( we have more
> than one mail server and they reside on different networks ) or
> something else to that effect.
>
>
>
> Thanks in advance
>
>
>
> Alban
>
>
>
>

--
+ Jon Larsen; Chief Technology Officer, Richweb.com
+ GnuPG Public Key http://richweb.com/jlarsen.gpg
+ Richweb.com: Providing Internet-Based Business Solutions since 1995
+ Business Telephone: (804) 359.2220
+ Jon Larsen Cell Phone: (804) 307.6939
RE: [nsp] pix and mail servers [ In reply to ]
I have been doing the following:

no fixup protocol smtp 25

Anchi

-----Original Message-----
From: Alban Dani [mailto:adani@stevens-tech.edu]
Sent: Friday, September 20, 2002 4:10 PM
To: cisco-nsp@puck.nether.net
Subject: [nsp] pix and mail servers



Hello there,



I have the Mail Guard feature (fixup protocol smtp 25) active on our PIX, but my unix administrators are complaining that the SMTP messaging from the outside world is being chopped off too much. The access list on the pix allows any IP to get to the mail server. Is there any way of disabling the Mail Guard feature on per machine basis ( we have more than one mail server and they reside on different networks ) or something else to that effect.



Thanks in advance



Alban
Re: [nsp] pix and mail servers [ In reply to ]
what some people do, is have a "trusted" mailhost outside the firewall,
get it to relay the mail to the "secure" mailhost inside the firewall, and
only permit that single host through.

I've seen many many mails of people who say mailguard is horrid.
personally, I've never had a hassle with it. perhaps those more
knowledgeable could specify which part(s) of mailguard break, which rfc
they go against, or how in general it breaks delivery of mail when
enabled?

later

--Rob
Re: [nsp] pix and mail servers [ In reply to ]
fingers <fingers@fingers.co.za> writes:

> I've seen many many mails of people who say mailguard is horrid.
> personally, I've never had a hassle with it. perhaps those more
> knowledgeable could specify which part(s) of mailguard break, which rfc
> they go against, or how in general it breaks delivery of mail when
> enabled?

If it's anything like CBAC under 12.1 and later (I believe the code
bases may be related), it doesn't pass through EHLO and thus breaks
all ESMTP (including AUTH and STARTTLS). This is annoying.

---Rob
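A check an administrator could run against a mail server that sits behind such a firewall, added here as an example and not part of Rob's post: it reads the reply to EHLO and reports whether the ESMTP extensions the thread mentions (STARTTLS, AUTH) came through intact. The host names and the two sample replies are constructed.

```python
"""Added example: does EHLO reach a mail server behind a firewall intact?

A 250 reply listing extensions means ESMTP negotiation works; any other code
means the command was not understood, which is the symptom described when the
SMTP fixup does not pass EHLO. The sample replies below are constructed.
"""
import socket

EXPECTED = ("STARTTLS", "AUTH")  # extensions the thread says get lost

# Constructed replies: a server that advertises ESMTP, and one whose EHLO
# did not arrive intact and so answered with a 5xx error.
GOOD_EHLO = ("250-mail.example.com Hello probe.example\r\n"
             "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 SIZE 10240000\r\n")
BLOCKED_EHLO = "500 Command unrecognized\r\n"


def parse_reply(raw):
    """Split an SMTP reply into (code, [text lines]); continuation lines use 'NNN-'."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    return int(lines[0][:3]), [l[4:] for l in lines]


def classify_ehlo(raw):
    """Return {'esmtp': bool, 'code': int, 'missing': [extensions not advertised]}."""
    code, texts = parse_reply(raw)
    if code != 250:  # EHLO rejected: server (or firewall) does not speak ESMTP
        return {"esmtp": False, "code": code, "missing": list(EXPECTED)}
    keywords = {t.split()[0].upper() for t in texts[1:] if t.strip()}
    return {"esmtp": True, "code": code,
            "missing": [k for k in EXPECTED if k not in keywords]}


def read_reply(f):
    """Read one possibly multi-line SMTP reply from a socket file object."""
    out = []
    while True:
        line = f.readline().decode("ascii", "replace")
        out.append(line)
        if len(line) < 4 or line[3] != "-":
            return "".join(out)


def probe(host, port=25, helo_name="probe.example", timeout=10.0):
    """Connect, read the banner, send EHLO, classify the reply, then QUIT (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        banner = read_reply(f)
        f.write(("EHLO %s\r\n" % helo_name).encode("ascii"))
        result = classify_ehlo(read_reply(f))
        f.write(b"QUIT\r\n")
        result["banner"] = banner.strip()
        return result
```

Run probe() once from outside the firewall and once from the inside network; if only the outside run reports esmtp False, the fixup is what is rewriting the session.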
Re: [nsp] pix and mail servers [ In reply to ]
Give the command no fixup protocol smtp;
it will pass the EHLO and AUTH SMTP.

with regards
Tejal
----- Original Message -----
From: "Robert E. Seastrom" <rs@seastrom.com>
To: "fingers" <fingers@fingers.co.za>
Cc: "Alban Dani" <adani@stevens-tech.edu>; <cisco-nsp@puck.nether.net>
Sent: Saturday, September 21, 2002 9:53 AM
Subject: Re: [nsp] pix and mail servers


>
> fingers <fingers@fingers.co.za> writes:
>
> > I've seen many many mails of people who say mailguard is horrid.
> > personally, I've never had a hassle with it. perhaps those more
> > knowledgeable could specify which part(s) of mailguard break, which rfc
> > they go against, or how in general it breaks delivery of mail when
> > enabled?
>
> If it's anything like CBAC under 12.1 and later (I believe the code
> bases may be related), it doesn't pass through EHLO and thus breaks
> all ESMTP (including AUTH and STARTTLS). This is annoying.
>
> ---Rob
>
Re: [nsp] pix and mail servers [ In reply to ]
fingers (fingers@fingers.co.za) wrote:
> I've seen many many mails of people who say mailguard is horrid.
> personally, I've never had a hassle with it. perhaps those more
> knowledgeable could specify which part(s) of mailguard break, which rfc
> they go against, or how in general it breaks delivery of mail when
> enabled?

This is just one problem:

http://www.postfix.org/faq.html#timeouts

Others have mentioned the EHLO block, which stops all ESMTP working. I'm
sure there are more problems with it.

Cheers,

--

Mark Drayton
izR Solutions Ltd
Tel: +44 08707 447799
RE: [nsp] pix and mail servers [ In reply to ]
There are only problems if that's a problem for your mail server! There
are many reasons for mailguard, one of which is to not have to rely on
administrators properly securing their mail servers time after time.

If you have a business need for the ESMTP, then mailguard sucks. If you
don't, I get my e-mail just fine without ESMTP, and don't miss it at
all!

Scott Morris, MCSE, CCDP, CCIE³ (R&S/ISP-Dial/Security) #4713, CCNA-WAN
Switching, Security Specialist, Cable Communications Specialist, IP
Telephony Support Specialist, IP Telephony Design Specialist
CCSI #21903
swm@emanon.com



-----Original Message-----
From: cisco-nsp-admin@puck.nether.net
[mailto:cisco-nsp-admin@puck.nether.net] On Behalf Of Mark Drayton
Sent: Saturday, September 21, 2002 3:32 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [nsp] pix and mail servers


fingers (fingers@fingers.co.za) wrote:
> I've seen many many mails of people who say mailguard is horrid.
> personally, I've never had a hassle with it. perhaps those more
> knowledgeable could specify which part(s) of mailguard break, which rfc
> they go against, or how in general it breaks delivery of mail when
> enabled?

This is just one problem:

http://www.postfix.org/faq.html#timeouts

Others have mentioned the EHLO block, which stops all ESMTP working. I'm
sure there are more problems with it.

Cheers,

--

Mark Drayton
izR Solutions Ltd
Tel: +44 08707 447799