You Cannot Send or Receive E-Mail Messages Behind a Cisco PIX Firewall

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

This topic provides information about how to troubleshoot the following mail flow issues when Microsoft Exchange is located behind a Cisco PIX firewall device:

  • You cannot receive Internet-based e-mail messages.

  • You cannot send e-mail messages that have attachments.

  • You cannot establish a telnet session with the Exchange server on port 25.

  • When you send an EHLO command to the Exchange server, you receive a "Command unrecognized" response or an "OK" response.

  • You cannot send or receive mail on specific domains.

  • You have problems with Post Office Protocol version 3 (POP3) authentication. In this scenario, you may receive a "550 5.7.1 relaying denied" error on the Exchange server.

  • Duplicate e-mail messages are sent (sometimes five or six copies).

  • You receive duplicate incoming Simple Mail Transfer Protocol (SMTP) messages.

  • Microsoft Office Outlook clients generate error 0x800CCC79 when they try to send e-mail messages.

  • You have problems with binary MIME (8-bit MIME). In this scenario, you receive the following text in a non-delivery report (NDR) delivery status notification (DSN) message: "554 5.6.1 Body type not supported by Remote Host."

  • You have missing or damaged message attachments.

  • You have problems with the link state routing between routing groups when a Cisco PIX firewall device is located between the routing groups.

  • The X-LINK2STATE verb is not passed.

  • Authentication issues occur between servers over a routing group connector.

Cause

These issues may occur when both the following conditions are true:

  • The Exchange server is located behind a Cisco PIX firewall device that has the Mailguard feature enabled.

  • The Auth and Auth login Extended Simple Mail Transfer Protocol (ESMTP) commands are removed by the firewall.

Note

In this scenario, Exchange assumes that you are relaying e-mail from a remote domain.

To determine whether Mailguard is running on the PIX firewall, telnet to the IP address of the MX resource record, and then verify that you receive a response that resembles the following:

220*******************************0*2******0***********

2002*******2***0*00

Note

For readability, some asterisks (*) were removed from this message.

Earlier versions of PIX devices

220 SMTP/cmap_____________________________________read

For more information about how to test the PIX firewall Mailguard feature, see Testing the PIX Firewall Mailguard Feature.

Note

The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.

Note

Other firewall products that include SMTP Proxy functionality may also generate the behavior that is mentioned in the "Introduction" section. For more information about these products, see the "For More Information" section in this topic.

Resolution

If you have an Extended SMTP (ESMTP) server behind a PIX firewall device, you may have to turn off the PIX Mailguard feature to enable correct mail flow.

Warning

This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. Use this workaround at your own risk.

To turn off the Mailguard feature, follow these steps:

  1. Log on to the PIX device by establishing a telnet session or by using the console.

  2. Type enable, and then press ENTER.

  3. When you are prompted, type your password, and then press ENTER.

  4. Type configure terminal, and then press ENTER.

  5. Type no fixup protocol smtp 25, and then press ENTER.

  6. Type write memory, and then press ENTER.

  7. Restart the PIX device, or reload the PIX configuration.

Cisco ASA Extended SMTP inspection improves the traditional SMTP inspection that is provided by Cisco PIX Firewall version 6.x or earlier versions. It provides protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the Cisco ASA. This also applies to several Cisco routers including the commonly used Catalyst 6500 and 7600 models.

For more information, see Cisco ASA 5500 Series Release Notes and Configuring Application and Protocol Inspection - Cisco Systems.

Note

The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.

For More Information

The PIX Mailguard feature (known as Mailhost in early versions) filters SMTP traffic. For PIX Software versions 4.0 and 4.1, you use the mailhost command to configure Mailguard. In PIX Software version 4.2 and later versions, you use the fixup protocol smtp 25 command.

Note

You must also have static IP address assignments and conduit statements for the mail server.

When Mailguard is configured, it allows only the commands that form the minimum implementation of SMTP, as described in Request for Comments (RFC) 821, section 4.5.1. The seven minimum commands are as follows:

  • HELO

  • MAIL

  • RCPT

  • DATA

  • RSET

  • NOOP

  • QUIT

For more information, see RFC821 - Simple Mail Transfer Protocol.

Other commands, such as KILL and WIZ, are not forwarded to the mail server by the PIX firewall. Early versions of the PIX firewall return an "OK" response, even to commands that are blocked. This is intended to prevent an attacker from determining whether the commands have been blocked. All other commands are rejected with the "500 Command unrecognized" response.

On Cisco PIX firewalls with firmware versions 5.1 and later versions, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks, except for the "2," "0," and "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored. In version 4.4, all characters in the SMTP banner are converted to asterisks.

To determine whether Mailguard is functioning correctly

Because the Mailguard feature may return an "OK" response to all commands, it may be difficult to determine whether Mailguard is active. To determine whether the Mailguard feature is blocking commands that are not valid, follow these steps.

Note

These steps are based on PIX software versions 4.0 and 4.1. To test later versions of PIX software, such as version 4.2, use the fixup protocol smtp 25 command together with the appropriate static and conduit statements for your mail server.

With Mailguard Turned Off

  1. On the PIX firewall, use the static and conduit commands to allow incoming traffic from all hosts on TCP port 25 (SMTP).

  2. Establish a telnet session on the external interface of the PIX firewall on port 25.

  3. Type a command that is not valid, and then press ENTER. For example, type goodmorning, and then press ENTER.

    You receive a "500 Command unrecognized" response.

With Mailguard Turned On

  1. Use the mailhost or the fixup protocol smtp 25 command to turn on the Mailguard feature on the external interface of the PIX firewall.

  2. Establish a telnet session on the external interface of the PIX firewall on port 25.

  3. Type a command that is not valid, and then press ENTER. For example, type goodmorning, and then press ENTER. You receive an "OK" response.

When the Mailguard feature is turned off, the mail server generates a "500 Command unrecognized" response for invalid commands. However, when the Mailguard feature is turned on, the PIX firewall intercepts the invalid command because the firewall passes only the seven minimum SMTP commands. The PIX firewall responds with "OK" whether the command is valid or not.

By default, the PIX firewall blocks all outside connections from accessing inside hosts. Use the static, access-list, and access-group command statements to permit external access.

For more information about these commands, see The Cisco Command Reference.

For more information about how to configure the Cisco PIX firewall, see Cisco PIX Firewall Software Configuration Guides.

Other Products that Include SMTP Proxy Functionality

The following products include SMTP proxy features:

  • Watchguard Firebox

  • Checkpoint

  • Raptor

By default, the SMTP proxy functionality or SMTP filter functionality in these products is enabled. Therefore, you may experience the symptoms that are listed in the "Introduction" section.

For more information about these third-party products, see WatchGuard, Check Point, and Symantec.

Note

The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.