Cisco Systems Pix 506 - Fixup SMTP

Subject Author Date
Pix 506 - Fixup SMTP Christophe Pin 08-26-08
Posted by Christophe Pin on August 26, 2008, 5:30 am


Hi all,

Can anyone explain to me what SMTP fixup is useful for?
When will I have to activate it, what will it change?

Sorry for these newbie questions

thanks a lot

--
_________________________________________
Now, you know the truth, Space Invaders are Back
http://www.joachimgarraud.com
The invasion is ONLY beginning...





Posted by Scott Perry on August 26, 2008, 9:19 am


Fixup is application level inspection. To enable "fixup protocol smtp", you
are enforcing the use of only the common features of SMTP protocol. If an
enhanced e-mail server is behind the firewall, perhaps it cannot achieve
full functionality or even work properly with this feature enabled, so it is
left off in those situations. E-mail servers conforming with the base SMTP
standards benefit from the added application level protection of this
feature.
RFC 821 documents SMTP functions and has an example of the text transaction
with the mail server when delivering an e-mail message. Keep in mind that
this was developed before file attachments were common, so it looks like it
handles plain text e-mail content. Formatting of text and file attachments
are encoded into the text content.
If your e-mail server works with "fixup protocol smtp" enabled, you might
benefit from leaving it in place. If your e-mail server is not accepting
some messages or not receiving e-mail, try turning it off - you are at least
still behind a firewall with stateful packet inspection and traffic
filtering access-lists.

-----
Scott Perry
Indianapolis, IN
-----

> Hi all,
>
> Can anyone explain to me what SMTP fixup is useful for?
> When will I have to activate it, what will it change?
>
> Sorry for these newbie questions
>
> thanks a lot
>
> --
> _________________________________________
> Now, you know the truth, Space Invaders are Back
> http://www.joachimgarraud.com
> The invasion is ONLY beginning...
>
>
>
>



Posted by Christophe Pin on August 26, 2008, 9:32 am


Thanks a lot for all these details.

:)

--
_________________________________________
Now, you know the truth, Space Invaders are Back
http://www.joachimgarraud.com
The invasion is ONLY beginning...



48b402c8$0$3711$39cecf19@news.twtelecom.net...
> Fixup is application level inspection. To enable "fixup protocol smtp",
> you are enforcing the use of only the common features of SMTP protocol.
> If an enhanced e-mail server is behind the firewall, perhaps it cannot
> achieve full functionality or even work properly with this feature
> enabled, so it is left off in those situations. E-mail servers conforming
> with the base SMTP standards benefit from the added application level
> protection of this feature.
> RFC 821 documents SMTP functions and has an example of the text
> transaction with the mail server when delivering an e-mail message. Keep
> in mind that this was developed before file attachments were common, so it
> looks like it handles plain text e-mail content. Formatting of text and
> file attachments are encoded into the text content.
> If your e-mail server works with "fixup protocol smtp" enabled, you might
> benefit from leaving it in place. If your e-mail server is not accepting
> some messages or not receiving e-mail, try turning it off - you are at
> least still behind a firewall with stateful packet inspection and traffic
> filtering access-lists.
>
> -----
> Scott Perry
> Indianapolis, IN
> -----
>
>> Hi all,
>>
>> Can anyone explain to me what SMTP fixup is useful for?
>> When will I have to activate it, what will it change?
>>
>> Sorry for these newbie questions
>>
>> thanks a lot
>>
>> --
>> _________________________________________
>> Now, you know the truth, Space Invaders are Back
>> http://www.joachimgarraud.com
>> The invasion is ONLY beginning...
>>
>>
>>
>>
>
>



Posted by Tilman Schmidt on August 26, 2008, 10:19 am


Christophe Pin wrote:
> Can anyone explain to me what SMTP fixup is useful for?

With "fixup smtp", the PIX will try to filter out SMTP commands and
responses it thinks might be dangerous. This will effectively limit
all SMTP connections passing through it to minimal old style SMTP
and block all ESMTP extensions.

> When will I have to activate it, what will it change ?

Personally I'd recommend to always disable it. In my experience it
causes a lot of problems for no actual security improvement, and
in certain circumstances even reduces security by blocking security
relevant ESMTP extensions.

HTH
T.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
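
An added example, not part of the original thread: a Python check that reads an SMTP session transcript and reports whether the path looks filtered down to minimal SMTP, as the replies above describe. The transcripts are constructed samples, and the asterisk-masked banner and the 500 reply to EHLO are assumptions about how such a filter shows up on the wire.

```python
import re

# RFC 821 minimum command set; assumed to be what the fixup lets through.
MINIMAL = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample: session as seen by a client behind an SMTP fixup.
FILTERED = """
S: 220 ************************
C: EHLO mail.example.net
S: 500 Command unrecognized
C: HELO mail.example.net
S: 250 mx.example.org
C: QUIT
S: 221 closing
"""

# Constructed sample: the same server reached with the fixup disabled.
DIRECT = """
S: 220 mx.example.org ESMTP
C: EHLO mail.example.net
S: 250-mx.example.org
S: 250-STARTTLS
S: 250 8BITMIME
C: QUIT
S: 221 closing
"""

def analyze(transcript):
    """Return findings for one 'S: '/'C: ' prefixed SMTP transcript."""
    result = {"banner_masked": False, "starttls_offered": False,
              "rejected_extensions": []}
    last_cmd = None
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            last_cmd = text.split(" ", 1)[0].upper()
            continue
        m = REPLY.match(text)
        if not m:
            continue
        code, _, rest = m.groups()
        if last_cmd is None:  # greeting banner, before any client command
            result["banner_masked"] = code == "220" and rest.count("*") > len(rest) / 2
        elif code in ("500", "502") and last_cmd not in MINIMAL:
            result["rejected_extensions"].append(last_cmd)
        elif code == "250" and last_cmd == "EHLO" and rest.upper().startswith("STARTTLS"):
            result["starttls_offered"] = True
    result["likely_filtered"] = result["banner_masked"] or (
        "EHLO" in result["rejected_extensions"] and not result["starttls_offered"])
    return result
```

A session that is flagged here and falls back to HELO cannot negotiate STARTTLS, which is one of the security-relevant ESMTP extensions the last reply refers to.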

Posted by Christophe Pin on August 26, 2008, 10:40 am


g913de$hp7$1@news.pironet-ndh.com...
> Christophe Pin wrote:
>> Can anyone explain to me what SMTP fixup is useful for?
>
> With "fixup smtp", the PIX will try to filter out SMTP commands and
> responses it thinks might be dangerous. This will effectively limit
> all SMTP connections passing through it to minimal old style SMTP
> and block all ESMTP extensions.
>
>> When will I have to activate it, what will it change ?
>
> Personally I'd recommend to always disable it. In my experience it
> causes a lot of problems for no actual security improvement, and
> in certain circumstances even reduces security by blocking security
> relevant ESMTP extensions.
>
> HTH
> T.
>
> --
> Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...

Thank you,
I well understand what this is made for. :)


