We have a 1720 router. Since enabling the firewall, mail comes through okay,
but the EHLO commands are getting stopped by the router. I can see that EHLO
is being replaced by a NOOP. Our email gateway vendor said this is a known
issue with Cisco PIX, but I'm not sure exactly what that is or how to fix
it. My other concern is that if we have to disable some sort of security to
make this work, what other problems will that expose us to?
Cisco's first suggestion was that we just use HELO. Unfortunately, we need
ESMTP working for certain abilities of our gateway to function.
Thanks
Brian

Remove the ip inspect line that references SMTP. With it enabled, the
router will only allow RFC 821 SMTP commands.
Rik Bain

:Cisco's first suggestion was that we just use HELO. Unfortunately, we need
:ESMTP working for certain abilities of our gateway to function.

Your message is not clear. You mention "the firewall", and
you mention the 1720 router, and you mention "PIX", but you left
it ambiguous as to whether you are using the Firewall Feature Set
on the 1720 or if you have installed a PIX.
If you installed a PIX, then configure it to
no fixup smtp 25
Doing so will allow all smtp to pass unchanged.
On the PIX, the smtp fixup refuses all but the core RFC 821 SMTP
commands, including refusing all ESMTP. The fixup also checks to ensure
that commands are not longer than a certain built-in length, in order
to prevent buffer overflow attacks.
The function of the smtp fixup is most easily understood historically:
at the time it was implemented, which was before ESMTP existed, there
were important sendmail exploits that used some of the less-used
commands. For some sites, rather than fix sendmail, it was easier to
block the problems at the firewall. Imagine a big business or a
university campus: it could take literally months to get all the
approvals to update the software on every affected system (if you could
do it at all, if you could -get- and afford a compiler for the system);
in the meanwhile, the problem could be eliminated by just blocking the
bad commands from hitting the systems.
Do you reduce security by turning off the smtp fixup? Yes, in a way.
The PIX smtp fixup is sort of like when you go to take an airplane and
the airline insists that everyone's carry-on cabin baggage all fits
within that small regulation-sized rectangle. It doesn't mean that it
is impossible to sneak through an attacking device in small pieces, but
it makes it *harder* and cuts way down on the possible attacks. No-one
could, for example, fit an Asian Elephant through the rectangle.... but
someone could still fit in an Attack Banana, so you still have to take
precautions.
The PIX smtp fixup is *a* layer of security. You need to evaluate your
setup to determine whether the benefits it offers are worth the costs.
Does your mail server software have a good security reputation? Have
you configured it as best possible to reduce damage if someone should
get through? Have you configured your mail server into a DMZ so that
even if someone should manage to take over the mail server computer
[e.g., via a virus, worm, or trojan], that it could not then be used to
compromise the rest of your network? Have you applied all the known
security patches for the OS of your mail server? All of these things
are important layers of security, and if you have done these then the
extra pre-flight checkin procedures of the PIX smtp fixup might not add
enough security to make it worthwhile for you.
--
Everyone has a "Good Cause" for which they are prepared to Spam.
-- Roberson's Law of the Internet

| We have a 1720 router. Since enabling the firewall, mail comes through okay,
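The behaviour described in the posts above (EHLO arriving at the server as NOOP, only the core RFC 821 commands passing, and a cap on command length) is easier to reason about with a small model in front of you. The following Python is an added illustration written for this thread; it is not Cisco code and does not reproduce the PIX or IOS implementation. It assumes the allowlist is the RFC 821 section 4.5.1 minimum command set and uses the RFC 821 line limit of 512 bytes as the length cap; the fixup's real built-in limit and its exact handling of over-long lines are not stated in the thread, so both are labelled assumptions in the code. The toy server, the hostnames and the advertised extensions are constructed sample data.

```python
"""Model of an SMTP 'fixup': allow only the RFC 821 minimum command set,
rewrite every other command (including ESMTP's EHLO) to NOOP, and enforce
a maximum command-line length.  Constructed illustration, not Cisco code."""

CRLF = "\r\n"

# RFC 821 section 4.5.1 minimum implementation.  Assumption: this is the
# "core RFC 821" set the firewall allows; the thread does not list it.
RFC821_MINIMUM = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# RFC 821 section 4.5.3 command-line limit including CRLF.  Assumption: the
# firewall's real built-in limit is not given in the thread.
MAX_COMMAND_LENGTH = 512


def inspect_command(line, fixup_enabled=True):
    """Return (action, line_forwarded_to_server).

    action is "pass" (unchanged), "rewrite" (replaced by NOOP) or "drop"
    (over-long line, assumed to be refused rather than forwarded).
    """
    if not fixup_enabled:
        return "pass", line
    body = line.rstrip(CRLF)
    if len(body) + len(CRLF) > MAX_COMMAND_LENGTH:
        return "drop", ""
    verb = body.split(" ", 1)[0].upper()
    if verb in RFC821_MINIMUM:
        return "pass", line
    return "rewrite", "NOOP" + CRLF


def toy_server(line):
    """Minimal stand-in for the mail server (constructed sample replies)."""
    verb = line.rstrip(CRLF).split(" ", 1)[0].upper()
    if verb == "EHLO":
        return ("250-mail.example.test" + CRLF
                + "250-SIZE 10240000" + CRLF
                + "250 STARTTLS" + CRLF)
    if verb == "HELO":
        return "250 mail.example.test" + CRLF
    if verb in ("NOOP", "RSET", "MAIL", "RCPT"):
        return "250 OK" + CRLF
    if verb == "QUIT":
        return "221 Bye" + CRLF
    return "500 Command not recognized" + CRLF


def run_session(client_lines, fixup_enabled=True):
    """Feed client commands through the model and return a transcript of
    (sent_by_client, action, seen_by_server, server_reply) tuples."""
    transcript = []
    for line in client_lines:
        action, forwarded = inspect_command(line, fixup_enabled)
        reply = toy_server(forwarded) if action != "drop" else ""
        transcript.append((line.rstrip(CRLF), action,
                           forwarded.rstrip(CRLF), reply.rstrip(CRLF)))
    return transcript


def advertised_extensions(fixup_enabled=True):
    """Extensions the client learns from its EHLO greeting.  With the fixup
    on, EHLO reaches the server as NOOP and the client learns nothing."""
    reply = run_session(["EHLO gateway.example.test" + CRLF], fixup_enabled)[0][3]
    continuation = reply.split(CRLF)[1:]          # lines after the greeting
    return {l[4:].split(" ", 1)[0] for l in continuation}


if __name__ == "__main__":
    sample = ["EHLO gateway.example.test" + CRLF,
              "MAIL FROM:<brian@example.test>" + CRLF,
              "QUIT" + CRLF]
    for enabled in (True, False):
        print("fixup enabled:", enabled)
        for sent, action, seen, reply in run_session(sample, enabled):
            print("  client: %-30s %-8s server saw: %-26s reply: %s"
                  % (sent, action, seen, reply.replace(CRLF, " | ")))
```

Running it shows the symptom Brian observed: with the fixup on, the transcript records EHLO as a "rewrite" and the server sees NOOP, so the client never learns SIZE or STARTTLS and falls back to plain RFC 821 behaviour. On a PIX the corresponding knob is the "fixup protocol smtp" line and on a CBAC router the "ip inspect name ... smtp" line mentioned elsewhere in this thread; removing either corresponds to calling the model with fixup_enabled=False, at which point the firewall no longer filters commands or command length and those checks have to be covered by the mail server itself.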
| but the EHLO commands are getting stopped by the router. I can see that EHLO
| is being replaced by a NOOP. Our email gateway vendor said this is a known
| issue with Cisco PIX, but I'm not sure exactly what that is or how to fix
| it. My other concern is that if we have to disable some sort of security to
| make this work, what other problems will that expose us to?

You haven't stated clearly what kind of firewall you're using. However,
for both these types of firewalls:
- Cisco PIX with the "fixup protocol smtp" command
- Cisco routers with CBAC and "ip inspect name ... smtp"
it is explicitly documented that the SMTP "inspection", i.e. the firewall
interpreting the actual SMTP commands to a limited degree, does *not* work
with ESMTP. See
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/df.htm#1067379
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm#1001087
Steinar Haug, Nethelp consulting, sth...@nethelp.no

That seems to have done it. In fact, I finally heard back from Cisco and
they told me the same thing. I really don't know anything about Cisco
routers, so I don't know the terms CBAC or PIX or whatever. To the others
who responded, that's why I couldn't be clear, sorry. Basically I didn't
know what I had, other than the model. Our ISP just said this is what we
should buy and they installed it for us.