Re: Strange SMTP Server behaviour
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Thu, 27 Nov 2003 11:20:53 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Many people responded to this indicating that it is a result of Cisco's PIX Firewall, or IOS IPFW, feature called "Mailguard".
Paul Wakeford, Fabio Pietrosanti (naif), and Martin Blackstone all contributed to this message. Also, Brian Bergin provided the following detailed explanation:
----
This is no worm. I'm betting it's the result of improperly configured firewalls. I would suggest that you're seeing a firewall that's doing SMTP traffic inspection like a Cisco PIX or a Cisco router with IP Firewall installed. Others may do this too, but I can reproduce this in 20 seconds by enabling one of these commands in our PIX or our 3640 with IP FW:

    fixup protocol smtp 25                  (in the PIX)
  -or-
    inspect name FastEthernet_0_0 smtp      (on IOS w/ IPFW)
    ip inspect name Serial_0_0 smtp         (on IOS w/ IPFW)

The proper commands for either PIX or IOS w/ IPFW when you run ESMTP are:

    no fixup protocol smtp 25               (in the PIX)
  -or-
    no inspect name FastEthernet_0_0 smtp   (on IOS w/ IPFW)
    no ip inspect name Serial_0_0 smtp      (on IOS w/ IPFW)

Cisco docs:

PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml
(notice the last statement: "Note: If you have an ESMTP server behind the PIX, you may need to turn off the Mailguard feature to allow mail to flow properly. Also, doing Telnet to port 25 may not work with the fixup protocol smtp command, especially with a Telnet client that does character mode.")

IOS w/ IPFW:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_qanda_item09186a008009464d.shtml#Q1

The problem is Exchange does ESMTP and those commands are not recognized by SMTP traffic inspectors and are therefore purged. The ones from microsoft.com have properly configured firewalls that either don't do SMTP traffic inspection for their ESMTP servers OR they do ESMTP traffic inspection; the other ones are behind improperly configured firewalls for ESMTP traffic. Cisco is supposedly due to release ESMTP traffic inspection into IOS and PIX OS software releases in 2004.
I'm sure there are other firewalls out there that don't do ESMTP traffic inspection so I'm guessing this problem isn't limited to Cisco, but IMHO, ESMTP has been out there for too many years for these enterprise-grade firewall vendors to still have no inspection schemes for ESMTP.

NOTE: Please reply to the list so others may benefit from your thoughts. If you're concerned it may not make it to the list, please cc: me on the reply.

Sincerely,
Brian S. Bergin
President
Terabyte Computers, Inc.
http://www.terabyte.net
----

Cheers,
Russ - NTBugtraq Editor
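The following is an added example, not part of the NTBugtraq post and not Cisco's or Microsoft's code. It models the mechanism Brian describes: an SMTP inspector that only understands the RFC 821 command set sits between a client and an ESMTP server, so EHLO (and with it STARTTLS and AUTH) never reaches the MTA, and the client falls back to plain HELO as RFC 2821 requires. The permitted command set, the 500 reply text, the host names and the advertised extensions are all assumptions constructed for the example; a real PIX Mailguard or IOS `ip inspect ... smtp` implementation may differ in detail. The value for a defender is the diagnostic: a handshake that succeeds with HELO after EHLO was refused is the signature of ESMTP being filtered in the path, which also means any TLS or authentication the MTA offers is silently unavailable.

```python
"""
Added example: model of an RFC 821-only SMTP inspector in front of an ESMTP
server, plus the client-side EHLO -> HELO fallback of RFC 2821 section 3.2.

Assumptions (constructed, not from the post): the inspector passes only the
verbs in ALLOWED_BY_INSPECTOR and answers anything else itself with a 500.
"""

from dataclasses import dataclass, field

# RFC 821 command set an ESMTP-unaware inspector is assumed to let through.
ALLOWED_BY_INSPECTOR = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# ESMTP extensions the real server advertises in reply to EHLO (constructed).
SERVER_EXTENSIONS = ["SIZE 10485760", "STARTTLS", "AUTH LOGIN", "8BITMIME"]


def esmtp_server(command: str) -> list[str]:
    """Constructed ESMTP server: what the MTA itself would answer."""
    parts = command.split()
    verb = parts[0].upper()
    if verb == "EHLO":
        lines = [f"250-mail.example.test Hello {parts[1]}"]
        lines += [f"250-{ext}" for ext in SERVER_EXTENSIONS[:-1]]
        lines.append(f"250 {SERVER_EXTENSIONS[-1]}")  # last line: space, not dash
        return lines
    if verb == "HELO":
        return [f"250 mail.example.test Hello {parts[1]}"]
    if verb in ALLOWED_BY_INSPECTOR:
        return ["250 OK"]
    return ["502 Command not implemented"]


def inspecting_firewall(command: str, inspect_smtp: bool) -> list[str]:
    """Model of 'fixup protocol smtp 25' / 'ip inspect ... smtp'.

    With inspection on, a verb outside the RFC 821 set is answered by the
    firewall and never reaches the server. With inspection off
    ('no fixup protocol smtp 25'), traffic passes through unchanged.
    """
    verb = command.split()[0].upper()
    if inspect_smtp and verb not in ALLOWED_BY_INSPECTOR:
        return ["500 Command unrecognized"]  # assumed inspector reply
    return esmtp_server(command)


@dataclass
class HandshakeResult:
    greeting_used: str            # "EHLO" or "HELO"
    extensions: list[str] = field(default_factory=list)
    esmtp_filtered: bool = False  # EHLO refused but HELO accepted


def smtp_client_handshake(send, hostname: str = "client.example.test") -> HandshakeResult:
    """RFC 2821 client behaviour: try EHLO, fall back to HELO on a 5xx reply.

    `send` is a callable (command -> reply lines) standing in for the socket.
    """
    reply = send(f"EHLO {hostname}")
    if reply[-1].startswith("250"):
        exts = [line[4:] for line in reply[1:]]  # strip "250-" / "250 "
        return HandshakeResult("EHLO", exts)
    if not reply[-1].startswith("5"):
        raise RuntimeError(f"unexpected reply to EHLO: {reply[-1]}")
    reply = send(f"HELO {hostname}")
    if not reply[-1].startswith("250"):
        raise RuntimeError(f"HELO also refused: {reply[-1]}")
    # EHLO refused, HELO accepted: something between us and the MTA is
    # stripping ESMTP, so STARTTLS and AUTH are not available on this path.
    return HandshakeResult("HELO", [], esmtp_filtered=True)


def diagnose(inspect_smtp: bool) -> HandshakeResult:
    """Run the handshake through the modelled firewall in one setting."""
    return smtp_client_handshake(lambda cmd: inspecting_firewall(cmd, inspect_smtp))


if __name__ == "__main__":
    for setting in (True, False):
        r = diagnose(setting)
        state = "ON (fixup protocol smtp 25)" if setting else "OFF (no fixup protocol smtp 25)"
        print(f"inspection {state}: greeting={r.greeting_used} "
              f"esmtp_filtered={r.esmtp_filtered} extensions={r.extensions}")
```

Running the block prints one line per firewall setting: with inspection on, the client ends up on HELO with no extensions and `esmtp_filtered=True`; with `no fixup protocol smtp 25` the EHLO reply comes through intact, STARTTLS and AUTH included. The same fallback logic, pointed at a real socket, is a quick way to confirm from outside whether a mail relay's ESMTP features are being stripped by an inspector on the path rather than being absent on the server.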