SMTP Fixup -- On or Off???

We've been experiencing some issues with receiving mail from an on-line survey company (ZARCA). Up to a third of the messages are bounced with the "unknown user" response. The funny thing is, there are no log entries on our mail exchangers indicating that the bounced emails ever hit the servers, and there are no log entries for the DSNs that are apparently being sent back to ZARCA. After a month of dealing with ZARCA they have yet to produce the DSNs so that we can verify where they are coming from. Their solution is to open our mail exchangers to relay mail from their domain/mail server.

Our SPAM solution provider (Canit) says to shut off the SMTP fixup option on our Cisco PIX 525 firewall. From what I've read on-line, a lot of sites are turning this option off, however our network administrator is against doing this and feels that it is a substantial security risk.

Is shutting off the SMTP fixup option a large security risk? Larger or smaller than opening up a relay to the ZARCA mail server?

Thanks, Mike

Reply to
papem

Correct. This so-called "option" is a known laughing stock. It basically screws up all SMTP connections, without really getting anything of value in return. It's just pure luck that some SMTP sessions manage to complete successfully, despite Cisco's best efforts otherwise.

Fire your network administrator, for incompetence, and hire someone who knows what he's doing.

No. Do you even know what this "SMTP fixup option" really does?

Reply to
Sam

Hi, Mike.

(I'm the CanIt guy... :-)

I think the other responses to your question pretty much back up our position. Cisco's "SMTP fixup" option is disruptive, invasive, badly thought-out, badly implemented, irritating, and useless from a security perspective.

Regards,

David.

Reply to
David F. Skoll

Turn off the fixup and get a competent network administrator.

Reply to
ynotssor

ynotssor, I agree with you completely. And while you're at it, get a competent firewall.

Reply to
Munpe Q

Read the response of Walter Roberson in this thread

The folks at CanIt are correct

John

Reply to
John Mason Jr

The only thing I know about the 'fixup protocol smtp' feature of Cisco PIX is that it cripples SMTP connectivity without offering any real security advantages. Turning it off will be no security risk at all. Blocking all connections to port 25 (except to your mail servers of course) is far more useful.

Reply to
Marco Senft

The cisco PIX fixup protocol smtp command has been

a) a constant source of problems
b) of no security value

for years. It is commonly known as 'f*ck*p protocol smtp' and disabling it is the usual solution.

Wolfgang

Reply to
Wolfgang Kueter

no fixup protocol smtp 25

is usually amongst the first commands after unpacking a PIX and connecting the console cable to the device. The line is usually included in any PIX configuration template ...

Wolfgang

Reply to
Wolfgang Kueter
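Putting Wolfgang's command together with Marco Senft's advice earlier in the thread (disable the fixup, then allow inbound port 25 only to the mail exchanger), here is an added PIX 6.x configuration fragment. It is not from any post in this thread and not a Cisco-supplied template; the addresses (203.0.113.25 as the public MX address, 10.0.0.25 as the inside mail server) and the access-list name outside_in are constructed placeholders, and the lines beginning with "!" are annotations for the reader rather than PIX commands.

```text
! Added example, not from the thread. Placeholder addresses and ACL name.

! 1. Disable the SMTP fixup (Mailguard) so ESMTP sessions pass through unmodified.
no fixup protocol smtp 25

! 2. Publish the inside mail server on its public address.
static (inside,outside) 203.0.113.25 10.0.0.25 netmask 255.255.255.255 0 0

! 3. Inbound TCP/25 is permitted only to the mail exchanger; the explicit
!    deny mirrors the PIX's implicit deny so the intent is visible in the config.
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-list outside_in deny ip any any
access-group outside_in in interface outside

! 4. Verify that the fixup is really gone and the ACL is applied.
show fixup
show access-list outside_in
```

After applying this, the output of `show fixup` should no longer list `fixup protocol smtp 25`, and the access-list hit counters in `show access-list` give a quick way to confirm that only the MX address is receiving port 25 traffic from outside. If the existing configuration already has an inbound access-list on the outside interface, add the permit line to that list rather than replacing it.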

In article , David F. Skoll wrote:
:I think the other responses to your question pretty much back up
:our position. Cisco's "SMTP fixup" option is disruptive, invasive,
:badly thought-out, badly implemented, irritating, and useless from
:a security perspective.

A small anecdote on the way to a point:

We got joe-jobbed a few weeks ago on a major spam run (the replica watches one). 67000 bounce messages to us over 36 hours, mostly for accounts that no longer existed, so you can figure that the run was probably pretty close to a million pieces when it went out. My hand-crafted sendmail anti-spam measures (which spawn about 8 different perl processes per message) couldn't keep up, so I had to replace sendmail with qmail and have nearly all incoming messages dumped into a pool for later sorting. Had to develop sorting tools too, sigh.

The PIX smtp 'fixup' would not have helped nor hindered this spam bounce run, as each of the bounce messages was RFC822 compliant.

Anyhow, after spending a few days developing sorting tools to extract the useful messages from the slush (and it did so happen that we received an unusually high number of useful messages that day), I happened to notice that one of the messages we received was entitled "I love you". [We've seen at least three more of those since then.]

That is to say, there are still systems out there that are infected with the "I love you" virus... a virus that was current in May 2000.

Now, as far as I know, Cisco's SMTP fixup doesn't protect you against the "I love you" virus, but what it does protect you against is attacks of roughly the same genre -- it protects you against attacks that no-one has bothered to undertake seriously for years because the underlying bugs to be exploited were patched years and years ago.

But, hey, if your mail server hasn't had a software upgrade since 1989, then the "smtp fixup" could be useful in protecting you from viruses kept alive in fourth-world backwoods where operating systems haven't been upgraded or secured since Windows 95.

Why are such systems on the 'net? Well it wasn't long ago at all (mere weeks) that we had someone in one of the security newsgroups who claimed to be an expert in MS security, who used a MS version pretty much that old, on the basis that he knew what he was getting into, and that software that old was less likely to be targeted for new exploits than the now much more common Windows XP.

And truth to tell, I find it difficult to recommend to my relatives that they upgrade from Windows ME to XP -- they'd need to buy a faster computer (which they don't have the money for), and they don't have any use for the newer facilities introduced in W2K or XP... it'd be strictly an expensive upgrade to patch security holes.

Reply to
Walter Roberson
