Cannot send or receive e-mail messages behind a Cisco PIX or Cisco ASA firewall

Symptoms

You may experience one or more of the following behaviors: 
  • You cannot receive Internet-based e-mail messages.
  • You cannot send e-mail messages with attachments.
  • You cannot establish a telnet session with the Microsoft Exchange server on port 25.
  • When you send an EHLO command to the Exchange server, you receive a "Command unrecognized" or an "OK" response.
  • You cannot send or receive mail on specific domains.
  • POP3 (Post Office Protocol version 3) clients cannot authenticate to send mail and receive "550 5.7.1 relaying denied from local server".
  • Problems with duplicate e-mail messages being sent (sometimes five to six times).
  • You receive duplicate incoming Simple Mail Transfer Protocol (SMTP) messages.
  • Microsoft Outlook clients or Microsoft Outlook Express clients report a 0x800CCC79 error when they try to send e-mail.
  • There are problems with binary mime (8bitmime). You receive the following text in a non-delivery report (NDR):
    554 5.6.1 Body type not supported by Remote Host.
  • There are problems with missing or garbled attachments.
  • There are problems with the link state routing between routing groups when a Cisco PIX or Cisco ASA firewall device is between the routing groups.
  • The X-LINK2STATE verb is not passed.
  • There are authentication problems between servers over a routing group connector.

Cause

This issue may occur when both of the following are true:
  • The Exchange server is placed behind a Cisco PIX or Cisco ASA firewall device.

    -and-
  • The PIX or ASA firewall has the Mailguard feature turned on.

With Mailguard on, the firewall strips the AUTH and AUTH LOGIN commands (Extended Simple Mail Transfer Protocol [ESMTP] commands) from the session. The Exchange server therefore never sees the client authenticate and treats the submission as relaying from a non-local domain.
To determine whether Mailguard is running on your Cisco PIX or Cisco ASA firewall, Telnet to the IP address of the MX record, and then verify whether the response looks similar to the following:
220*******************************************************0*2******0***********************
2002*******2***0*00 

Old versions of PIX or ASA:

220 SMTP/cmap_________________________________________ read
For more information, visit the following Cisco Web sites:

Note If you have an ESMTP server behind the PIX or ASA firewall, you may have to turn off the Mailguard feature to permit mail to flow correctly. Also, establishing a Telnet session to port 25 may not work while the fixup protocol smtp command is in effect, especially with a Telnet client that uses character mode.
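The Telnet check described above can be scripted so that the result is recorded rather than eyeballed. The script below is an added example and is not part of the original article or of any Cisco or Microsoft tool. It connects to a mail host on port 25, captures the greeting, sends EHLO, and reports the two indicators the article describes: a greeting whose text has been replaced by asterisks (or by the older "SMTP/cmap" string), and an EHLO that is rejected or that no longer advertises the AUTH and 8BITMIME extensions. The asterisk-count threshold, the EHLO hostname, and the hostnames in the sample replies are assumptions chosen for illustration.

```python
"""Probe an SMTP listener for signs of Cisco PIX/ASA Mailguard (fixup protocol smtp).

Added example; not from the original article. Hostnames, the EHLO argument and the
banner heuristics below are assumptions for illustration.
"""
import json
import re
import socket
import sys

# Mailguard masks the server greeting: the text after "220" is replaced by "*"
# (digits survive). Five or more consecutive asterisks is the heuristic used here.
MASKED_BANNER = re.compile(rb"^220[^\r\n]*\*{5,}")
# Older PIX releases show this string instead of the real greeting.
OLD_PIX_BANNER = b"SMTP/cmap"


def parse_reply(reply: bytes):
    """Split a (possibly multi-line) SMTP reply into (3-digit code, [text per line])."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        return b"", []
    return lines[0][:3], [ln[4:].strip() for ln in lines]


def diagnose(banner: bytes, ehlo_reply: bytes) -> dict:
    """Pure analysis of a greeting and an EHLO reply; testable on captured bytes."""
    banner_masked = bool(MASKED_BANNER.search(banner)) or OLD_PIX_BANNER in banner
    code, texts = parse_reply(ehlo_reply)
    ehlo_rejected = code.startswith(b"5")
    # RFC 5321: after the greeting line, each 250 line starts with an extension keyword.
    extensions = {t.split()[0].upper() for t in texts[1:] if t}
    findings = []
    if banner_masked:
        findings.append("greeting masked: Mailguard (fixup protocol smtp) is very likely active")
    if ehlo_rejected:
        findings.append("EHLO rejected: the session is being downgraded to plain SMTP")
    if not ehlo_rejected and b"AUTH" not in extensions:
        findings.append("AUTH not offered: clients cannot authenticate, so relaying is denied")
    if not ehlo_rejected and b"8BITMIME" not in extensions:
        findings.append("8BITMIME not offered: matches the '554 5.6.1 Body type not supported' NDR")
    return {
        "banner_masked": banner_masked,
        "ehlo_rejected": ehlo_rejected,
        "extensions": sorted(e.decode() for e in extensions),
        "mailguard_suspected": banner_masked or ehlo_rejected,
        "findings": findings,
    }


def read_reply(sock: socket.socket) -> bytes:
    """Read one complete SMTP reply: the last line has no '-' after its 3-digit code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        if data.endswith(b"\n"):
            last = data.rstrip(b"\r\n").rsplit(b"\r\n", 1)[-1]
            if last[3:4] != b"-":
                break
    return data


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail host, capture greeting and EHLO reply, and analyse both."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = read_reply(sock)
        sock.sendall(b"EHLO probe.example.invalid\r\n")  # placeholder client name
        ehlo_reply = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    result = diagnose(banner, ehlo_reply)
    result["banner"] = banner.decode("ascii", "replace").strip()
    return result


if __name__ == "__main__":
    # Usage: python mailguard_probe.py <mx-host>   (defaults to a placeholder name)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    print(json.dumps(probe(target), indent=2))
```

Run it against your own MX host from outside the firewall; a masked greeting or a rejected EHLO confirms that the firewall, not the Exchange server, is altering the session. The analysis is kept separate from the network code so that replies captured with Telnet or a packet capture can be fed to `diagnose()` directly.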

Note Besides the Cisco PIX or Cisco ASA firewall, there are several firewall products that have SMTP Proxy capabilities that may produce the issues that are mentioned earlier in this article. The following is a list of firewall manufacturers whose products have SMTP Proxy features:
  • Watchguard Firebox
  • Checkpoint
  • Raptor

Resolution

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Note A firewall is designed to help protect your computer from attack by malicious users or by malicious software such as viruses that use unsolicited incoming network traffic to attack your computer. Before you disable your firewall, you must disconnect your computer from all networks, including the Internet.

To resolve this issue, turn off the Mailguard feature of the PIX or ASA firewall. 

Warning If you have an ESMTP server behind the PIX or ASA, you may have to turn off the Mailguard feature to allow mail to flow correctly. A Telnet session to port 25 may also not work while the fixup protocol smtp command is in effect, which is more noticeable with a Telnet client that uses character mode.

To turn off the Mailguard feature of the PIX or ASA firewall:  
  1. Log on to the PIX or ASA firewall by establishing a telnet session or by using the console.
  2. Type enable, and then press ENTER.
  3. When you are prompted for your password, type your password, and then press ENTER.
  4. Type configure terminal, and then press ENTER.
  5. Type no fixup protocol smtp 25, and then press ENTER.
  6. Type write memory, and then press ENTER.
  7. Restart or reload the PIX or ASA firewall.
