Pix 506 - Fixup SMTP

Hi all,

Can anyone explain to me what SMTP fixup is useful for? When will I have to activate it, and what will it change?

Sorry for these newbie questions.

Thanks a lot.

-- Christophe Pin

Fixup is application-level inspection. By enabling "fixup protocol smtp", you are enforcing the use of only the common features of the SMTP protocol. If an enhanced e-mail server is behind the firewall, it may not achieve full functionality, or even work properly, with this feature enabled, so it is left off in those situations. E-mail servers conforming to the base SMTP standards benefit from the added application-level protection of this feature. RFC 821 documents the SMTP functions and has an example of the text transaction with the mail server when delivering an e-mail message. Keep in mind that this was developed before file attachments were common, so it looks like it handles plain-text e-mail content. Formatting of text and file attachments is encoded into the text content. If your e-mail server works with "fixup protocol smtp" enabled, you might benefit from leaving it in place. If your e-mail server is not accepting some messages or not receiving e-mail, try turning it off - you are at least still behind a firewall with stateful packet inspection and traffic-filtering access-lists.

----- Scott Perry Indianapolis, IN


"Christophe Pin" wrote in message news:48b3cd3b$0$26562$ snipped-for-privacy@news.free.fr...


Thanks a lot for all these details.

:)

-- Christophe Pin

Christophe Pin wrote:

With "fixup smtp", the PIX will try to filter out SMTP commands and responses it thinks might be dangerous. This will effectively limit all SMTP connections passing through it to minimal old style SMTP and block all ESMTP extensions.

Personally, I'd recommend always disabling it. In my experience it causes a lot of problems for no actual security improvement, and in certain circumstances even reduces security by blocking security-relevant ESMTP extensions.

HTH T.

-- Tilman Schmidt

"Tilman Schmidt" wrote in message news: g913de$hp7$ snipped-for-privacy@news.pironet-ndh.com...

Thank you, I now understand well what this is made for. :)

-- Christophe Pin

Expanding a little:

There was a time when mail servers (unix sendmail, or microsoft's product) were not designed with security as a priority. sendmail was designed at a time when mail was small scale and only used between friendly sites; Microsoft's product was designed at Microsoft (need I say more?). As is usual when something is not designed for security, it was more common than not for the mail servers to have security holes that got discovered and exploited as mail went more "mass market". Systems administrators in those days also were not as security conscious or as quick to react to security threats. And, to be honest, there was a period when one security problem would be found in sendmail and fixed and then not so long afterwards another big security problem would be found in it. There was, in other words, an age in which one could not trust one's mail server to be reasonably secure.

The PIX "fixup smtp" was designed in that era, when mail was needed but the mail servers themselves could not be trusted. Most of the exploits in those days had to do with non-essential SMTP commands or with deliberately malformed SMTP commands. The response from the PIX team was to design a filter that rejected non-essential SMTP commands, hid SMTP version numbers, and checked that the commands were not malformed. Only essential SMTP with the right format would be allowed into the mail server; then if the mail server happened to have one of the then-known exploits (or any future exploit of the same general kind) then it would not be possible to trigger the exploit, thus protecting the server.

These days, the major mail servers have been designed with security in mind. Security problems are still found with some of them, but not nearly as often, and people get notified of the problems more reliably -- and there are SMTP servers such as Dan Bernstein's that are fast and quite secure (perhaps not as flexible as some of the magic a hand-crafted sendmail configuration could do, but most people don't want or need such capabilities.) If one takes reasonable care with the choice of one's SMTP server, then the added security of the PIX "fixup smtp" doesn't actually add anything and instead ends up disabling functionality, performance, and security enhancements possible with ESMTP. If one has a decent SMTP server and receives a fair volume of mail, the "fixup smtp" should likely be disabled. If one has a low-volume home server of unknown quality, one might want to have the smtp fixup enabled.

-- Walter Roberson
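To make the behaviour the thread describes concrete, here is an added educational model of the "fixup smtp" policy (command whitelist, syntax check, masked banner). It is not Cisco's code: the allowed verb set is assumed to be the RFC 821 minimum, and the regexes and reply codes are assumptions chosen to illustrate why a modern client's EHLO and STARTTLS never reach the server.

```python
# Educational model of the PIX "fixup protocol smtp" (Mail Guard) policy, written
# for this thread, not Cisco's code. Assumed: only the RFC 821 minimum verbs are
# forwarded; anything else (every ESMTP verb) gets a 500; the banner is masked.
import re

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# Loose syntax checks for the permitted verbs (assumed, not the PIX parser).
SYNTAX = {
    "HELO": re.compile(r"^HELO\s+\S+$", re.I),
    "MAIL": re.compile(r"^MAIL\s+FROM:\s*<[^<>\s]*>$", re.I),
    "RCPT": re.compile(r"^RCPT\s+TO:\s*<[^<>\s]+>$", re.I),
    "DATA": re.compile(r"^DATA$", re.I),
    "RSET": re.compile(r"^RSET$", re.I),
    "NOOP": re.compile(r"^NOOP(\s.*)?$", re.I),
    "QUIT": re.compile(r"^QUIT$", re.I),
}

def mask_banner(banner: str) -> str:
    """Hide the server's software/version string in the 220 greeting."""
    code, _, rest = banner.partition(" ")
    return code + " " + "*" * len(rest)

def inspect_command(line: str) -> tuple:
    """Return (forwarded_to_server, firewall_reply_if_blocked)."""
    verb = line.split(None, 1)[0].upper() if line.strip() else ""
    if verb not in ALLOWED:
        return False, "500 command unrecognized"
    if not SYNTAX[verb].match(line.strip()):
        return False, "501 syntax error"
    return True, ""

def run_session(client_lines):
    """Apply the policy to a client transcript; returns (line, ok, reply)."""
    return [(l, *inspect_command(l)) for l in client_lines]

# Constructed transcript: a modern client trying to negotiate ESMTP and TLS.
SAMPLE = [
    "EHLO mail.example.org",          # ESMTP greeting: blocked
    "HELO mail.example.org",          # RFC 821 fallback: allowed
    "STARTTLS",                       # the security extension Tilman refers to
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    print(mask_banner("220 mx.example.net ESMTP Sendmail 8.9.3 ready"))
    for line, ok, reply in run_session(SAMPLE):
        print(f"{'PASS ' if ok else 'BLOCK'} {line!r}  {reply}")
```

Running it shows STARTTLS refused with a 500 while plain HELO/MAIL/RCPT/DATA pass, which is exactly the trade-off the posts above describe: the filter blocks the extension that would have encrypted the session.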
