SMTP Fixup problems

From Brandonhutchinson.com


Revision as of 22:10, 10 October 2007

We were asked to investigate problems relaying mail from a certain IP. Looking through the MTA logs, we see:

Oct 10 11:47:19 hostname sendmail[26335]: l9AFlKNt026335: [10.207.1.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 10 11:47:19 hostname sendmail[26335]: l9AFlKNt026335: timeout waiting for input from [10.207.1.42] during server cmd read

An ngrep capture reveals:

T 192.168.128.30:25 -> 10.207.1.42:2312 [AP]
  220 hostname.example.com ESMTP Wed, 10 Oct 2007 14:14:09 -0500..       

T 10.207.1.42:2312 -> 192.168.128.30:25 [AP]
  XXXX SBPMMAP100..                                                          

T 192.168.128.30:25 -> 10.207.1.42:2312 [AP]
  500 5.5.1 Command unrecognized: "XXXX SBPMMAP100".. 

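A Cisco PIX between the host and our mail relay is performing SMTP inspection ("SMTP Fixup"). The SMTP inspection rule converts any "illegal" command--a command that is not listed in RFC 821--to "XXXX". In the capture above, the sending host's valid EHLO has been rewritten to "XXXX" before it reaches our MTA.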

The sending MTA apparently does not know how to handle a "500 5.5.1" response from our MTA, and keeps the connection open for one hour (default Timeout.command in sendmail). After one hour, our MTA closes the connection.

As a workaround, enable ESMTP inspection, or disable SMTP inspection. ESMTP inspection allows commands described in RFC 2821.
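
To check whether other clients are hitting the same problem, the two symptoms above can be searched for together. The following is an added example, not part of the original page: the function names are hypothetical, the first two log lines are the ones shown above, and the remaining log lines and payloads are constructed.

```python
import re
from collections import defaultdict

# Sample data in the formats shown on this page; lines 3-4 and the payloads are constructed.
SAMPLE_LOG = """\
Oct 10 11:47:19 hostname sendmail[26335]: l9AFlKNt026335: [10.207.1.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 10 11:47:19 hostname sendmail[26335]: l9AFlKNt026335: timeout waiting for input from [10.207.1.42] during server cmd read
Oct 10 12:02:41 hostname sendmail[27001]: l9AG2fXy027001: [192.0.2.15] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 10 12:05:03 hostname sendmail[27110]: l9AG53Ab027110: from=<a@example.com>, size=1204, nrcpts=1, relay=[192.0.2.77]
"""
SAMPLE_PAYLOADS = ["XXXX SBPMMAP100..", "EHLO mail.example.net..", "XCLIENT NAME=relay.example.net.."]

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
NO_MAIL_RE = re.compile(r"^\[(?P<ip>[^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN")
TIMEOUT_RE = re.compile(r"^timeout waiting for input from \[(?P<ip>[^\]]+)\] during server cmd read")
# A verb made up only of X characters. Real extension verbs such as XCLIENT
# start with X but contain other letters, so they do not match.
MASKED_RE = re.compile(r"^X{4,}(?:\s|$)")


def stalled_clients(log_text):
    """Map client IP -> sorted queue IDs where the session both sent no mail
    command and ended in a command-read timeout (the pattern in the logs above)."""
    seen = defaultdict(set)  # (qid, ip) -> kinds of event observed
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for kind, rx in (("no_mail", NO_MAIL_RE), ("timeout", TIMEOUT_RE)):
            hit = rx.match(m.group("msg"))
            if hit:
                seen[(m.group("qid"), hit.group("ip"))].add(kind)
    result = defaultdict(list)
    for (qid, ip), kinds in seen.items():
        if kinds == {"no_mail", "timeout"}:
            result[ip].append(qid)
    return {ip: sorted(qids) for ip, qids in result.items()}


def masked_commands(payload_lines):
    """Return captured client lines whose command verb was masked to X's."""
    return [p for p in payload_lines if MASKED_RE.match(p.strip())]


if __name__ == "__main__":
    print(stalled_clients(SAMPLE_LOG))
    print(masked_commands(SAMPLE_PAYLOADS))
```

A client that appears in the first result and whose captured traffic appears in the second is a candidate for the same inspection problem; the log pattern alone can also come from a client that simply connected and went idle.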

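Links:

* [http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad3.html Granular Protocol Inspection]
* [http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008064730a.shtml SMTP and ESMTP Connections Inspection with Cisco IOS Firewall Configuration Example]
* [http://chris-linfoot.net/d6plinks/CWLT-6F6LHT SMTP fixup]
* [http://news.umailcampaign.com/message/86624.aspx SMTP Fixup - On or Off?]
* [http://tinyurl.com/47wsg The case against SMTP Fixup]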
