SMTP Fixup problems
From Brandonhutchinson.com
We were asked to investigate problems relaying mail from a certain IP. Looking through the MTA logs, we see:
Oct 10 11:47:19 hostname sendmail[26335]: l9AFlKNt026335: [10.207.1.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 10 11:47:19 hostname sendmail[26335]: l9AFlKNt026335: timeout waiting for input from [10.207.1.42] during server cmd read
An ngrep capture reveals:
T 192.168.128.30:25 -> 10.207.1.42:2312 [AP]
  220 hostname.example.com ESMTP Wed, 10 Oct 2007 14:14:09 -0500..

T 10.207.1.42:2312 -> 192.168.128.30:25 [AP]
  XXXX SBPMMAP100..

T 192.168.128.30:25 -> 10.207.1.42:2312 [AP]
  500 5.5.1 Command unrecognized: "XXXX SBPMMAP100"..
A Cisco PIX between the host and our mail relay is performing SMTP inspection ("SMTP Fixup"). The SMTP inspection rule converts any "illegal" command--a command that is not listed in RFC 821--to "XXXX". In this case, the "illegal" command was EHLO.
The sending MTA apparently does not know how to handle a "500 5.5.1" response from our MTA, and keeps the connection open for one hour (default Timeout.command in sendmail). After one hour, our MTA closes the connection.
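As a workaround, enable ESMTP inspection (http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad3.html), or disable SMTP inspection. ESMTP inspection allows commands described in RFC 2821 (http://www.faqs.org/rfcs/rfc2821.html). Note that ESMTP inspection and SMTP inspection are mutually exclusive.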
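To check whether other clients are hitting the same inspection behaviour, the two sendmail symptoms above can be correlated by queue ID, and a captured server reply can be tested for an X-masked verb. This is an added example, not part of the original page; the function names, the 192.0.2.7 session and the assumption that sendmail may log an optional hostname before the bracketed address are mine.

```python
import re
from collections import Counter

# Constructed sample: the two sendmail lines from the page plus one unrelated
# session (192.0.2.7, made up) that disconnected without timing out.
SAMPLE_LOG = """\
Oct 10 11:47:19 hostname sendmail[26335]: l9AFlKNt026335: [10.207.1.42] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 10 11:47:19 hostname sendmail[26335]: l9AFlKNt026335: timeout waiting for input from [10.207.1.42] during server cmd read
Oct 10 11:50:02 hostname sendmail[26400]: l9AFo1Nt026400: [192.0.2.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""
# Server reply as it appears in the page's ngrep capture.
SAMPLE_REPLY = '500 5.5.1 Command unrecognized: "XXXX SBPMMAP100"..'

ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)")
CLIENT = r"(?:\S+ )?\[(?P<ip>[^\]]+)\]"  # optional hostname, then [address]
NO_MAIL = re.compile(CLIENT + r" did not issue MAIL/EXPN/VRFY/ETRN")
TIMEOUT = re.compile(r"timeout waiting for input from " + CLIENT
                     + r" during server cmd read")
MASKED = re.compile(r'500 5\.5\.1 Command unrecognized: "(X+)(?: ([^"]*))?"')

def stalled_clients(log_text):
    """Count, per client IP, sessions that logged both symptoms under one queue ID."""
    no_mail, timed_out = {}, set()
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        qid, msg = entry["qid"], entry["msg"]
        if (m := NO_MAIL.match(msg)):
            no_mail[qid] = m["ip"]
        elif TIMEOUT.match(msg):
            timed_out.add(qid)
    return Counter(ip for qid, ip in no_mail.items() if qid in timed_out)

def masked_command(reply):
    """Return (masked verb length, argument) if the reply quotes an all-X verb."""
    m = MASKED.search(reply)
    return (len(m[1]), m[2] or "") if m else None

if __name__ == "__main__":
    for ip, n in stalled_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} stalled session(s); check for SMTP inspection on the path")
    print(masked_command(SAMPLE_REPLY))
```

A four-character masked verb followed by a hostname-like argument is consistent with a rewritten EHLO or HELO greeting, which is what the capture above shows.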
Links:
