Pix translates SMTP connect messages into "****"

Hello,

we just noticed that our Pix 515 with OS 7.1.1 translates SMTP startup banners into asterisks. E.g.:

router0>telnet mailin-02.mx.aol.com 25
Translating "mailin-02.mx.aol.com"...domain server (192.129.30.4) [OK]
Trying mailin-02.mx.aol.com (205.188.155.89, 25)... Open

220-rly-yb02.mx.aol.com ESMTP mail_relay_in-yb2.1; Fri, 23 Jun 2006 15:47:09 -0400
220-America Online (AOL) and its affiliated companies do not
220- authorize the use of its proprietary computers and computer
220- networks to accept, transmit, or distribute unsolicited bulk
220- e-mail sent from the internet. Effective immediately: AOL
220- may no longer accept connections from IP addresses which
220 have no reverse-DNS (PTR record) assigned.

Now from a host behind the Pix:

Trying... Connected to MAILIN-02.MX.AOL.COM.

220-**************************************************************************** **
220-********************************************************
220-****************************************************************
220-*****************************************************************
220-*****************************************************************
220-**************************************************************
220 ***********************************************

What does this mean? Bug or feature? Can it be disabled?

Even worse: V7.2.1 of the Pix software has a bug so that the last "220 " is missing.

Regards, Christoph Gartmann


PIX has done that for a -long- time -- for connections to internal SMTP servers.

Feature. It is intended to protect against the system leaking information about its configuration that might make it easier to exploit the smtp. (SMTP servers often name the program name and version; if you get a banner that indicates a program version known to be exploitable, you know immediately how to attack it.)

On the other hand, in PIX 6, it did not occur for outgoing smtp, not unless you had accidentally reversed the security levels of the interfaces.

Turn off the 'inspect' for smtp on the outside interface.

Walter Roberson

Ok, but in our case it is the other way round. If we initiate an SMTP connection to the WAN we don't see the startup banner but the asterisks. We didn't notice this until we upgraded to V7.2.1 and were no longer able to transfer mail to hosts with a multiline SMTP banner.

Thanks, it was part of the policy applied to the outside interface ("inspect esmtp").

Regards, Christoph Gartmann

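As an added illustration (not code from the thread or from Cisco), here is a small Python parser for SMTP multi-line greetings that tells a normal banner from one the PIX "inspect esmtp" policy has masked with asterisks, and flags a reply whose terminating "220 " line never arrived, which is the 7.2.1 symptom Christoph describes. The sample banners are constructed, modelled on the ones quoted above.

```python
import re

# RFC 5321 reply line: three-digit code, then "-" (more lines follow) or a
# space / nothing (final line), then optional text.
REPLY_LINE = re.compile(rb"^(\d{3})([ -]?)(.*)$")

# Constructed samples modelled on the thread's banners (shortened).
CLEAR = (
    b"220-rly-yb02.mx.aol.com ESMTP mail_relay_in-yb2.1; Fri, 23 Jun 2006 15:47:09 -0400\r\n"
    b"220-America Online (AOL) and its affiliated companies do not\r\n"
    b"220 have no reverse-DNS (PTR record) assigned.\r\n"
)
# What the PIX inspect policy hands the inside client: same structure, text masked.
MASKED = b"220-" + b"*" * 40 + b"\r\n220-" + b"*" * 30 + b"\r\n220 " + b"*" * 20 + b"\r\n"
# What the post reports for 7.2.1: the terminating "220 " line is dropped, so a
# client waiting for the end of the multi-line reply hangs.
TRUNCATED = b"220-" + b"*" * 40 + b"\r\n220-" + b"*" * 30 + b"\r\n"


def parse_greeting(data):
    """Parse a raw greeting; report code, line texts, completeness and masking."""
    lines, code, complete = [], None, False
    for raw in data.split(b"\r\n"):
        if not raw:
            continue
        m = REPLY_LINE.match(raw)
        if not m:
            raise ValueError("not an SMTP reply line: %r" % raw)
        line_code, sep, text = m.group(1).decode(), m.group(2), m.group(3)
        if code is not None and line_code != code:
            raise ValueError("reply code changed mid-reply")
        code = line_code
        lines.append(text.decode("ascii", "replace"))
        if sep != b"-":          # space or bare code: this is the last line
            complete = True
            break
    # Masked if every line's text is nothing but asterisks (spaces ignored).
    masked = bool(lines) and all(set(t.replace(" ", "")) <= {"*"} for t in lines)
    return {"code": code, "lines": lines, "complete": complete, "masked": masked}


def classify_greeting(data):
    info = parse_greeting(data)
    if not info["complete"]:
        return "incomplete"
    return "masked" if info["masked"] else "clear"


if __name__ == "__main__":
    for name, sample in (("clear", CLEAR), ("masked", MASKED), ("truncated", TRUNCATED)):
        print(name, "->", classify_greeting(sample))
```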
