PIX515 and email question

Hi,

I am replacing our Firewall with a PIX515. The problem is: Old one was managed by our ISP, so I don't have much information about settings, but somehow it could authenticate our pop3 users so:

For smtp server all pop3 users had same ID and password located on old firewall I guess.

And for pop3 server they use their own active directory IDs.

Also we have a sun machine across the VPN connection that uses our mail server to send email.

So when we tested the 515 we got some issues with both pop3 users and sun machine stopped sending email, so I was wondering if I should do more settings on PIX box for relay/authenticate these users.

Right now I only mapped a public IP for exchange server and opened port 110 and 25 on that.

Thanks in advance for any comments.

Rob

In article , Rob wrote:
:I am replacing our Firewall with a PIX515. The problem is: Old one was
:managed by our ISP, so I don't have much information about settings, but
:somehow it could authenticate our pop3 users so:

:For smtp server all pop3 users had same ID and password located on old
:firewall I guess.

:And for pop3 server they use their own active directory IDs.

I'm not confident that I have interpreted correctly.

Is this authentication incoming, or outgoing?

If it is incoming, then what you need to know is that the PIX has no mechanism for authenticating incoming smtp or pop connections. It can only authenticate a small number of protocols which have authentication built in to the root protocol -- telnet, http, ftp, some degree of https.

For smtp, what you probably want to do is to turn *off* 'fixup smtp', and let your smtp server handle everything directly. The smtp fixup is pretty much on by default, but it restricts the conversation to a small number of standard RFC821 verbs, none of which have to do with authentication.

There is no pop3 fixup on the PIX: it is just going to pass all the pop3 data on to the pop3 server.

Walter Roberson
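
An added example, not part of the original posts: a small Python check over a captured SMTP handshake for signs that the `fixup smtp` discussed above is in the path. The markers it looks for (a greeting banner masked with asterisks, 5xx replies to verbs outside the seven RFC 821 minimum commands), the function name `diagnose` and both sample transcripts are assumptions constructed for illustration.

```python
# Added example: inspects a captured SMTP handshake, not live traffic.
# Assumption: the fixup passes only the seven RFC 821 minimum verbs.
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def diagnose(transcript):
    """transcript: list of (direction, line); 'C' = client, 'S' = server.
    Returns sorted findings that suggest an SMTP fixup is in the path."""
    findings = set()
    last_verb = None  # None until the client has sent its first command
    for direction, line in transcript:
        if direction == "C":
            parts = line.split()
            last_verb = parts[0].upper() if parts else None
            continue
        code, text = line[:3], line[4:]
        # Greeting banner mostly replaced by asterisks.
        if last_verb is None and code == "220" and text.count("*") > len(text) / 2:
            findings.add("masked-banner")
        # Permanent error in reply to a verb outside the RFC 821 minimum set.
        if code.startswith("5") and last_verb and last_verb not in ALLOWED_VERBS:
            findings.add(last_verb.lower() + "-rejected")
    return sorted(findings)

# Constructed sample: handshake as a client might see it with the fixup on.
WITH_FIXUP = [
    ("S", "220 ************************0*2******0**********"),
    ("C", "EHLO client.example"),
    ("S", "500 5.3.3 Unrecognized command"),
    ("C", "HELO client.example"),
    ("S", "250 mail.example Hello"),
    ("C", "AUTH LOGIN"),
    ("S", "500 5.3.3 Unrecognized command"),
]

# Constructed sample: same server reached directly, ESMTP and AUTH intact.
WITHOUT_FIXUP = [
    ("S", "220 mail.example ESMTP ready"),
    ("C", "EHLO client.example"),
    ("S", "250-mail.example Hello"),
    ("S", "250 AUTH LOGIN"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),
]

if __name__ == "__main__":
    print("with fixup:   ", diagnose(WITH_FIXUP))
    print("without fixup:", diagnose(WITHOUT_FIXUP))
```

The findings are hints only: a mail server that does not implement ESMTP or AUTH would produce the same rejections without any firewall involved.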

Hi Rob

interesting solution :)

If I understand what you're saying, you are trying to use the PIX as a proxy. I doubt that this will work. Although the PIX has a feature to tamper with layer 7 protocols - smtp for example. I'd turn this fixup feature off for smtp and see if that helps.

cheers Adam

A: No. Q: Should I include quotations after my reply?

Adam KOSA
