SSL Email SLOW sending through PIX

Hey everyone,

I've got a PIX 506 that seems to be having trouble allowing SSL email (ports 995 and 465) through. It DOES send eventually, but I had to crank the timeouts up to 3 minutes in Outlook.

Now, I thought I opened everything that I would need on the PIX, and like I said, it IS working.....just extremely slow. Receive is immediate, Send is delayed.

Has anyone ever seen this? The 506 is running 6.3(5). Below is the relevant part of the config. Am I missing something? Thanks, Mike.

fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service SSL_email tcp
  description So that SSL mail sends and receives
  port-object range 995 996
  port-object range 465 466
object-group network Mailserver
  network-object 69.X.X.X 255.255.255.255
access-list mail_send_out remark Let mail server in to send messages
access-list mail_send_out permit tcp any object-group Mailserver object-group SSL_email
access-list mail_send_out permit tcp any any eq 465
access-list mail_send_out permit tcp any any eq 995
access-group mail_send_out in interface outside

Mike W.

Is it possible that it's the old IDENT (TCP 113) issue? Also, is reverse DNS lookup configured for the IP address that the hosts will appear as to the mailserver?

That would normally be

network-object host 69.X.X.X

and the PIX would normally convert the 255.255.255.255 form to 'host' upon output, which suggests that you are showing us your master configuration instead of what is actually on the PIX.

That doesn't let the mail server in, that lets random machines in to contact the public IP 69.X.X.X which presumably has an inside presence.

Destination Mailserver is a subset of "any" so the above two lines are partial supersets of the one with SSL_email .

I'm not completely sure whether the mailserver is inside or outside?

Walter Roberson
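
The overlap between the object-group permit and the two "any any" permits, pointed out in the reply above, can be checked mechanically. This Python code is an added example, not part of the thread and not a Cisco tool; it parses a constructed one-command-per-line copy of the posted ACL, treats addresses as opaque strings, and assumes numeric ports and no source-port specs.

```python
# Constructed copy of the ACL from the first post, one command per line.
CONFIG = """\
object-group service SSL_email tcp
 port-object range 995 996
 port-object range 465 466
object-group network Mailserver
 network-object 69.X.X.X 255.255.255.255
access-list mail_send_out permit tcp any object-group Mailserver object-group SSL_email
access-list mail_send_out permit tcp any any eq 465
access-list mail_send_out permit tcp any any eq 995
"""

def take_addr(tok, groups):
    if tok[0] == "any":
        return None, tok[1:]  # None stands for "any"
    if tok[0] == "object-group":
        return frozenset(groups[tok[1]]), tok[2:]
    return frozenset([" ".join(tok[:2])]), tok[2:]  # "host X" or "X mask"

def take_ports(tok, groups):
    if not tok:
        return set(range(65536))  # no port spec: every TCP port
    if tok[0] == "object-group":
        return set(groups[tok[1]])
    return set(range(int(tok[1]), int(tok[-1]) + 1))  # "eq N" or "range A B"

def parse(config):
    groups, rules, current = {}, [], None
    for tok in (l.split() for l in config.splitlines() if l.strip()):
        if tok[0] == "object-group":
            current = groups.setdefault(tok[2], set())
        elif tok[0] == "port-object":
            current.update(range(int(tok[2]), int(tok[-1]) + 1))
        elif tok[0] == "network-object":
            current.add(" ".join(tok[1:]))
        elif tok[0] == "access-list" and tok[2] == "permit":
            src, rest = take_addr(tok[4:], groups)
            dst, rest = take_addr(rest, groups)
            rules.append((" ".join(tok), src, dst, take_ports(rest, groups)))
    return rules

def covers(broad, narrow):
    return broad is None or (narrow is not None and narrow <= broad)

def overlapping_ports(rules):
    # Per rule: its ports that a different, at-least-as-broad rule also permits.
    return {t: sorted({p for j, (_, s2, d2, p2) in enumerate(rules)
                       if j != i and covers(s2, s) and covers(d2, d)
                       for p in ports & p2})
            for i, (t, s, d, ports) in enumerate(rules)}
```

For the posted ACL, overlapping_ports(parse(CONFIG)) reports 465 and 995 against the object-group rule, so only 466 and 996 remain restricted to the Mailserver destination.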

No idea on the reverse DNS, so I would say the answer is no....

Sorry...a little more info would probably help.

The mailserver is external....3rd party hosted. It's a *Nix box running Exim. It is set to only allow connections over SSL, ports 465 and 995.

The line I pasted in IS directly from the PIX show conf: network-object 69.182.173.180 255.255.255.255 Is that part of the problem?

Does that help? Can you show me what I would need to add to let the external server send and receive mail to any machine on say, the internal 192.168.1.0 subnet? I don't even get why it's having trouble in the first place. The PIX is otherwise a standard (out of the box) setup. Thus, any connections initiated on the inside should be allowed out, and the response traffic back in, no? This is driving me nuts!
Mike W.
