Some emails are not being sent from an Exchange Server behind a Cisco PIX or Cisco ASA firewall

On Cisco firewalls (PIX or the newer ASA), various protocol inspection engines are available. Generally, they assist in tracking connections of IP traffic through the firewall. That is, for a protocol such as FTP various additional TCP connections are made alongside the original connection, and the firewall needs to know to allow these through. The inspection engines perform simple analysis of traffic to watch for and set up these so-called pinhole ports, on demand.

Trouble is, some of the inspection engines have suffered feature creep and now try to work out, I guess, the semantics of the exchange taking place. If the engine thinks the conversation contains “illegal” requests, it’s blocked.

In particular the SMTP inspection engine (also known as a fixup in the Cisco docs) is fairly notorious for messing about with email transfer and preventing successful delivery. At best you might experience mysteriously missing attachments, at worst the remote server simply sees a TCP connection reset and has no idea why delivery failed.

Here’s how to tell if your Cisco firewall is interfering with your mail server’s operation. Telnet to the mail server (we assume the firewall sits in front of it) on the standard port of 25, and look at the “banner” response. On a regular mail server the banner looks something like this:

host:~$ telnet oxmail.ox.ac.uk 25
Trying 129.67.1.161...
Connected to oxmail.ox.ac.uk.
Escape character is '^]'.
220 relay0.mail.ox.ac.uk ESMTP Exim 4.69 Thu, 26 Nov 2009 19:28:51 +0000

However on an affected server, the banner is noticeably different:

host:~$ telnet suspectserver.example.com 25
Trying 192.0.2.1...
Connected to suspectserver.example.com.
Escape character is '^]'.
220 *****************************************************************************

Disabling the SMTP fixup (which is on by default, I believe) enables mail to flow as it should. I recommend you do this on any PIX or ASA devices in your network.

Note that the fixup seems to interfere with email going through the firewall in both directions, and problems occur regardless of the mail server software being used in the communication (after all, all servers are speaking the same SMTP protocol language).

To turn off the Mailguard feature of the PIX or ASA firewall:  

  1. Log on to the PIX or ASA firewall by establishing a telnet session or by using the console.
  2. Type enable, and then press ENTER.
  3. When you are prompted for your password, type your password, and then press ENTER.
  4. Type configure terminal, and then press ENTER.
  5. Type no fixup protocol smtp 25, and then press ENTER.
  6. Type write memory, and then press ENTER.
  7. Restart or reload the PIX or ASA firewall.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s