RE:Exchange Server 2000 and Cisco Pix

["Payne, Patrick" <Patrick.Payne () Select com>]

To disable SMTP inspection in recent PIX firewalls (version 4.2+),  you
would use the "no" form of the fixup command: "no fixup protocol smtp".  
In earlier PIX firewalls (older than 4.1) this was called the Mailguard
feature and was implemented with the "mailhost" command.  In these firewalls
simply remove the mailhost command and use a standard static/conduit pairing
to open up SMTP access.

However, be warned that this will disable the PIX firewall's capability to
filter ESMTP commands.  When fixup is enabled the PIX will only permit the
basic SMTP commands specified in RFC 821 to reach your mail server.
Anything else is answered by the PIX with the "500 command unrecognized
message" to the client and then the PIX sends the server an altered SMTP
packet with xxxx in place of the actual command.  ESPTM (RFC 1869) is
filtered because it may allow some fairly powerful commands to be executed
on your mail server that are unecessary for typical internet email exhanges.
Someone else may be able to elaborate on the risk of allowing ESMTP, but one
example is the VRFY command which will tell the client whether a user
account actually exists on the server and sometimes replies with the user's
full name.

Also, if someone telnets to your mail server, they are usually greeted with
a banner that gives them information about the type and version of the mail
software you are running.  Fixup filters this response so that this
information is replaced with asterisks.

I'm not very familiar with Exchange but if you do remove the fixup command,
I would recommend taking steps to tune your server.  For instance, you may
want to see if you can change the banner and also limit what ESMTP commands
the server will support.

Pat Payne
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards