My Cisco ASA is mangling legitimate SMTP traffic

on 05.06.2007 23:18:21 by Ramon F Herrera

I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
SMTP traffic. Additionally, I have a rule that permits any traffic from
the mail server to the Internet.

My problem is that the firewall is behaving like a wise guy,
distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
followed by a sequential alphabetic letter.

Let's examine the dialogs telnetting from server A to B, and then from
server B to A.

The following lines:

EHLO abc.com
250-postino.example.com Hello www.example.com [12.34.56.78], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

are transliterated into:
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-XXXA
250-XXXB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-XXXXXXXXC
250 XXXD

While in the opposite direction the regular dialog:
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

Becomes mutated into:
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-XXXXXXXXA
250 XXXB

What is going on here?

Suggestions?

-Ramon
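The rewrite described in this post has a recognisable shape: the keyword of each affected 250 line is replaced by X's of the same length, with the last character swapped for a letter that counts up A, B, C within the session (EXPN becomes XXXA, DELIVERBY becomes XXXXXXXXC). The following Python is an added diagnostic, not code from the thread or from Cisco. It parses an EHLO reply, flags lines that fit that pattern, checks the letter sequence, and, when a capture taken directly on the server is available, pairs each masked line with the extension it hid. The two banners are constructed samples modelled on the transcript above; the regexes and function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample input, modelled on the transcript in the post above:
# the EHLO reply as read directly on the mail server, and the same reply as
# seen by a client on the far side of the inspecting firewall.
DIRECT_BANNER = """\
250-postino.example.com Hello www.example.com [12.34.56.78], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
"""

THROUGH_FIREWALL = """\
250-postino.example.com Hello www.example.com [12.34.56.78], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-XXXA
250-XXXB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-XXXXXXXXC
250 XXXD
"""

# A 250 continuation ("250-") or final ("250 ") line, capturing the keyword part.
REPLY_RE = re.compile(r"^250[- ](.*)$")
# The rewrite seen in the thread: the keyword becomes X's with one trailing letter.
MASK_RE = re.compile(r"^X+[A-Z]$")


def parse_ehlo(reply: str) -> List[str]:
    """Return the text after '250-' / '250 ' for every reply line, in order."""
    keywords = []
    for line in reply.splitlines():
        m = REPLY_RE.match(line.rstrip("\r"))
        if m:
            keywords.append(m.group(1))
    return keywords


def masked_lines(reply: str) -> List[Tuple[int, str]]:
    """Positions and keywords of lines that look rewritten by the inspector.

    Works on a single capture, so it can run from a client that only sees
    the firewalled side. A keyword that genuinely consists of X's would be
    a false positive; mask_letters_sequential() tightens that.
    """
    return [(i, kw) for i, kw in enumerate(parse_ehlo(reply)) if MASK_RE.match(kw)]


def mask_letters_sequential(reply: str) -> bool:
    """True when the trailing letters of the masked lines run A, B, C, ... in
    order, the per-session counter visible in the post's transcript."""
    letters = [kw[-1] for _, kw in masked_lines(reply)]
    return letters == [chr(ord("A") + n) for n in range(len(letters))]


def recover_masked(direct: str, through: str) -> List[Tuple[str, str]]:
    """Pair each masked keyword with the original it replaced.

    Relies on two properties visible in the transcript: line order is kept,
    and the masked token has the same length as the original keyword.
    Raises if the capture does not fit that pattern, so other kinds of
    corruption are not silently explained away as masking.
    """
    d, t = parse_ehlo(direct), parse_ehlo(through)
    if len(d) != len(t):
        raise ValueError("reply line counts differ; not a simple in-place mask")
    pairs = []
    for orig, seen in zip(d, t):
        if orig == seen:
            continue
        if not MASK_RE.match(seen) or len(seen) != len(orig):
            raise ValueError(f"unexpected rewrite: {orig!r} -> {seen!r}")
        pairs.append((orig, seen))
    return pairs


def hidden_extensions(direct: str, through: str) -> List[str]:
    """Names of the ESMTP extensions the middlebox hid from the client."""
    return [orig for orig, _ in recover_masked(direct, through)]


if __name__ == "__main__":
    for pos, kw in masked_lines(THROUGH_FIREWALL):
        print(f"line {pos}: {kw} looks masked")
    print("sequential mask letters:", mask_letters_sequential(THROUGH_FIREWALL))
    print("hidden extensions:", hidden_extensions(DIRECT_BANNER, THROUGH_FIREWALL))
```

To use it on a real path, paste the EHLO reply captured with telnet on each side of the firewall into the two strings; masked_lines() alone is enough to confirm that something between the client and the server is rewriting the dialogue, and recover_masked() tells you which advertised extensions (here EXPN, VERB, DELIVERBY and HELP) the clients outside never get to see.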

Re: My Cisco ASA is mangling legitimate SMTP traffic

on 06.06.2007 01:04:37 by gtaylor

On 6/5/2007 4:18 PM, Ramon F Herrera wrote:
> I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
> SMTP traffic. Additionally, I have a rule that permits any traffic
> from the mail server to the Internet.

I doubt that I even need to read the rest...

> My problem is that the firewall is behaving like a wise guy,
> distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
> followed by a sequential alphabetic letter.

Not owning or even working on one of these devices, I can't say for
sure, but...

> What is going on here?

Cisco is happening to you.

> Suggestions?

.... Others have said "Turn *OFF* SMTP fix up". Apparently, this is a
VERY common problem. Probably enough so that it should be part of the FAQ.



Grant. . . .

Re: My Cisco ASA is mangling legitimate SMTP traffic

on 06.06.2007 01:43:08 by Ramon F Herrera

On Jun 5, 6:04 pm, Grant Taylor wrote:
> On 6/5/2007 4:18 PM, Ramon F Herrera wrote:
>
> > I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
> > SMTP traffic. Additionally, I have a rule that permits any traffic
> > from the mail server to the Internet.
>
> I doubt that I even need to read the rest...
>
> > My problem is that the firewall is behaving like a wise guy,
> > distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
> > followed by a sequential alphabetic letter.
>
> Not owning or even working on one of these devices, I can't say for
> sure, but...
>
> > What is going on here?
>
> Cisco is happening to you.
>
> > Suggestions?
>
> ... Others have said "Turn *OFF* SMTP fix up". Apparently, this is a
> VERY common problem. Probably enough so that it should be part of the FAQ.
>
> Grant. . . .


Yeap, the problem was in this section:

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp <-- This line is dangerous!
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp

I removed the `inspect esmtp' line and the problem disappeared. I
wonder what else is being broken by those "fixups".

Thanks!

-Ramon

Re: My Cisco ASA is mangling legitimate SMTP traffic

on 06.06.2007 01:49:24 by gtaylor

On 6/5/2007 6:43 PM, Ramon F Herrera wrote:
> I removed the `inspect esmtp' line and the problem disappeared. I
> wonder what else is being broken by those "fixups".

Who knows...

> Thanks!

You are welcome. :)



Grant. . . .

Re: My Cisco ASA is mangling legitimate SMTP traffic

on 06.06.2007 02:47:59 by Doug McIntyre

Ramon F Herrera writes:
> inspect esmtp <-- This line is dangerous!

>I removed the `inspect esmtp' line and the problem disappeared. I
>wonder what else is being broken by those "fixups".

The PIX/ASA has always been a bit wonky breaking SMTP left and right
when fixup smtp has been enabled. I'm not quite sure what they are
protecting isn't doing more harm than good. I don't see many PIXs my
way that ever have fixup smtp (or now fixup esmtp) turned on.

Re: My Cisco ASA is mangling legitimate SMTP traffic

on 06.06.2007 07:17:46 by Bill Cole

In article <1181078301.005625.129080@o11g2000prd.googlegroups.com>,
Ramon F Herrera wrote:

> I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
> SMTP traffic. Additionally, I have a rule that permits any traffic from
> the mail server to the Internet.
>
> My problem is that the firewall is behaving like a wise guy,
> distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
> followed by a sequential alphabetic letter.

Turn off SMTP 'fixup' on your misdesigned firewall.

Cisco does stupid stuff to SMTP. They cannot be trusted to handle your
mail, as they have years of track record showing that they do not
understand the protocol and have spent years telling their unfortunate
customers that what they do is some sort of fix. They have lied to you.

Consult your documentation or call Cisco to ask how to solve your
problem. It is NOT a Sendmail issue.

--
Now where did I hide that website...

Re: My Cisco ASA is mangling legitimate SMTP traffic

on 06.06.2007 11:38:33 by Wolfgang Kueter

Doug McIntyre wrote:

> Ramon F Herrera writes:
>> inspect esmtp <-- This line is dangerous!
>
>>I removed the `inspect esmtp' line and the problem disappeared. I
>>wonder what else is being broken by those "fixups".
>
> The PIX/ASA has always been a bit wonky breaking SMTP left and right
> when fixup smtp has been enabled. I'm not quite sure what they are
> protecting isn't doing more harm than good. I don't see many PIXs my
> way that ever have fixup smtp (or now fixup esmtp) turned on.

It has been known for years that the `fixup protocol smtp' command in fact
means fu**up protocol smtp.

Switching that option off is among the first things to do when configuring a
PIX.

Wolfgang

Re: My Cisco ASA is mangling legitimate SMTP traffic

on 06.06.2007 17:40:15 by Tilman Schmidt

Ramon F Herrera wrote:
> Yeap, the problem was in this section:
>
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp <-- This line is dangerous!
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> inspect icmp
>
> I removed the `inspect esmtp' line and the problem disappeared. I
> wonder what else is being broken by those "fixups".

For example:
- We are deploying H.323-based videoconferencing and Cisco's H323 "fixup"
wreaks havoc with that, too.
- We regularly see trouble with the default "fixup protocol dns maximum-length 512"
which is way too small.

--
Tilman Schmidt t.schmidt@phoenixsoftware.de
Phoenix Software GmbH www.phoenixsoftware.de
Adolf-Hombitzer-Str. 12 Amtsgericht Bonn HRB 2934
53227 Bonn, Germany Managing director: W. Grießl

Re: My Cisco ASA is mangling legitimate SMTP traffic

on 06.06.2007 18:13:11 by NPG

* Bill Cole wrote:
> In article <1181078301.005625.129080@o11g2000prd.googlegroups.com>,
> Ramon F Herrera wrote:
>
>> I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
>> SMTP traffic. Additionally, I have a rule that permits any traffic from
>> the mail server to the Internet.
>>
>> My problem is that the firewall is behaving like a wise guy,
>> distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
>> followed by a sequential alphabetic letter.
>
> Turn off SMTP 'fixup' on your misdesigned firewall.
>
> Cisco does stupid stuff to SMTP. They cannot be trusted to handle your
> mail, as they have years of track record showing that they do not
> understand the protocol and have spent years telling their unfortunate
> customers that what they do is some sort of fix. They have lied to you.
>
> Consult your documentation or call Cisco to ask how to solve your
> problem. It is NOT a Sendmail issue.
>
Yep, Shisco happens.
