Recipe 8.24. Making Exchange Work Behind a Cisco PIX Firewall

Problem

You have a Cisco PIX firewall solution, and you want to make sure that you can send and receive SMTP mail from your Exchange server through it and want to ensure that it is configured to work properly with your Exchange deployment.

Solution

Disable the MailGuard ("SMTP fixup") feature on the PIX firewall, which is on by default, by running the following command from the PIX command line:

no fixup protocol smtp 25

Discussion

While the Cisco PIX firewall is generally a capable firewall, the MailGuard SMTP proxy feature has long been a source of problems, not just for Exchange, but for SMTP servers in general. The MailGuard functionality works by acting as a semi-transparent proxy for incoming SMTP sessions. MailGuard replaces the outgoing connection banner with a characteristic string of asterisks. Note that even if you believe in the value of banner obfuscation, the PIX-provided banner is distinctive and will immediately alert any potential attacker to the nature of the protection you are using.

MailGuard also restricts the incoming SMTP verbs to HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. It will not allow any other verbs, even valid ESMTP verbs. This breaks much of the higher-level SMTP functionality taken for granted on today's Internet:

  • SMTP authentication for clients.

  • The 8-bit MIME SMTP extension, to allow binary attachments to be transmitted without first requiring conversion to 7-bit ASCII and taking more bandwidth.

  • The ability to allow clients to retrieve spooled mail on an incoming connection (ETRN).

  • The SIZE extension, which permits an SMTP client to determine whether a given message will be too large for the recipient system without having to transmit the message and have it rejected.

  • Cross-organization SMTP connectors.

These features are highly desirable in many organizations, so if you want any of them, you must rely on other methods to protect your Exchange server. If you don't want your Exchange server to talk directly to the Internet (and many Exchange administrators don't), your best approach is to deploy a dedicated border mail router system using a reliable, secure MTA package that contains support for the functionality you need.

Two such packages are Postfix and Sendmail; both are fast, reliable mail routing packages with a variety of features that make them a perfect front end for an Exchange organization. Additionally, both support LDAP directory lookups, which allow them to integrate better with your Exchange organization and reject mail for nonexistent recipients by using direct queries to Active Directory. They can also do lookups via the NIS server capability in Windows Services for Unix. Both packages can be run on a Windows server using the Cygwin Linux subsystem.
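A quick way to confirm whether MailGuard is still in the path after applying the fix is to watch for the two symptoms described above: the banner of asterisks and a 5xx refusal of EHLO. The script below is an added example, not code from the cookbook; it assesses a banner/EHLO exchange over any transport, ships with a constructed MailGuard-style session for offline use (the exact 5xx text is an assumption), and includes probe_host for a live check of your own server's public address from outside the PIX.

```python
import socket
# ESMTP extensions the recipe says MailGuard blocks, as their keywords appear in an EHLO reply.
WANTED = ("AUTH", "8BITMIME", "ETRN", "SIZE")

# Constructed sample session (not captured from a real PIX): asterisk banner, EHLO refused.
MAILGUARD_SESSION = [
    b"220 **************************\r\n",   # MailGuard replaces the banner with asterisks
    b"500 Command unrecognized\r\n",          # assumed 5xx reply text; only the 5xx matters
]

def read_reply(readline):
    """Read one (possibly multi-line) SMTP reply; return (code, [text after the code])."""
    parts = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        parts.append(line[4:])
        if line[3:4] != "-":        # "-" after the code means more lines follow
            return int(line[:3]), parts

def assess(banner_parts, ehlo_code, ehlo_parts):
    """Flag MailGuard symptoms and list wanted extensions the server did not advertise.
    Extension keywords are the first word of each EHLO line after the greeting line."""
    text = "".join(banner_parts).strip()
    star_banner = bool(text) and set(text) == {"*"}
    ehlo_refused = ehlo_code >= 500
    advertised = set() if ehlo_refused else {p.split()[0].upper() for p in ehlo_parts[1:] if p.strip()}
    return {"mailguard_suspected": star_banner or ehlo_refused,
            "star_banner": star_banner, "ehlo_refused": ehlo_refused,
            "missing_extensions": sorted(set(WANTED) - advertised)}

def probe(readline, sendline, helo_name="probe.example"):
    """Read the banner, send EHLO, read the reply, send QUIT; return the assessment."""
    _, banner = read_reply(readline)
    sendline(f"EHLO {helo_name}\r\n".encode("ascii"))
    code, parts = read_reply(readline)
    sendline(b"QUIT\r\n")
    return assess(banner, code, parts)

def scripted_transport(server_lines):
    """Offline transport: replays constructed server lines and records what the probe sends."""
    queue, sent = list(server_lines), []
    return (lambda: queue.pop(0) if queue else b""), sent.append, sent

def probe_host(host, port=25, timeout=10):
    """Live check of your own server's public address, run from outside the PIX."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe(sock.makefile("rb").readline, sock.sendall)
```

Run probe(*scripted_transport(MAILGUARD_SESSION)[:2]) to see the offline result; once the fixup is disabled, probe_host against your server should report an empty missing_extensions list.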

See Also

MS KB 275575 (Client SMTP Authentication Is Enabled, But Relay Does Not Work, Error Message: 550 No Relay Allowed), MS KB 295164 (SMTP Clients Receive Relaying Prohibited Error Message When Authenticated Relay Is Enabled), and MS KB 320027 (Cannot send or receive e-mail messages behind a Cisco PIX firewall)



Exchange Server Cookbook
Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235
