North American Network Operators Group


Re: disabling SMTP

  • From: Richard Welty
  • Date: Sun Mar 28 10:25:04 2004

On Sun, 28 Mar 2004 08:59:40 -0500 Rob Nelson <[email protected]> wrote:
> >yes. there are a lot of pix firewalls out there with smtp fixup turned on,
> >effectively disabling ESMTP (not to mention sporadically breaking
> >traditional SMTP.)

> Could you elaborate on this? I use PIX firewalls all over the place and 
> don't seem to have a problem with SMTP or ESMTP.

then you must have smtp fixup disabled.

when smtp fixup is on (default on many older pixes, i gather that there
may be some improvements on newer pixes), the smtp banner
is mostly obscured by * characters. the intent is a classic security
by obscurity play, to hide the type and version of the MTA behind
the pix.

the problem is twofold:

1) it obscures so much of the banner that any ESMTP advertisement
in the banner is hidden, so the SMTP client doesn't know that it can
EHLO. for standards-compliant MTAs, the result is a default to the
minimal SMTP standard mode of operation, and options such
as SMTP over TLS are never negotiated even when both the SMTP
client and server are "ready to go".

2) it turns out that the * obscurity ploy is badly done, and while it
hides enough of the banner to break ESMTP, it doesn't hide
enough of the banner to reliably obscure the MTA in use. even
if security by obscurity were a good idea (i, and many others,
maintain that it is not), broken security by obscurity is annoying
beyond belief.

on more than one occasion, i've had clients ask me to investigate
why they're having obscure problems with email transactions.
in many cases, i've found that telnetting to port 25 on the SMTP
server end has produced the "wall of asterisks", and that having
them turn off smtp fixup on the pix invariably cures the problem.
it's sufficiently frequent that it's generally the first thing i check
for these days (it's also first because ruling it in or out is very
quick.)

richard
-- 
Richard Welty                                         [email protected]
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
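The quick "telnet to port 25" check the post describes, as an added example that is not part of the original message: it flags a banner rewritten into a wall of asterisks, notes whether the ESMTP keyword survived, and parses the EHLO reply to see whether STARTTLS is actually offered. The sample banners, the EHLO reply and the host name `mail.example.net` are constructed for illustration.

```python
"""Diagnose a PIX-style 'wall of asterisks' SMTP banner and check whether
the server's EHLO reply offers STARTTLS. Added example; the banners and
the EHLO reply below are constructed, not captured from a real host."""
import re
import socket

# Constructed samples: a healthy ESMTP greeting, the same greeting as
# mangled by smtp fixup, and an EHLO reply that advertises STARTTLS.
CLEAN_BANNER = "220 mail.example.net ESMTP Postfix (Debian/GNU)\r\n"
FIXUP_BANNER = "220 ****************************************\r\n"
EHLO_REPLY = ("250-mail.example.net\r\n250-PIPELINING\r\n"
              "250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n")


def banner_masked(banner: str, threshold: float = 0.5) -> bool:
    """True when most of the text after the 220 code is '*' characters,
    the signature of smtp fixup rewriting the greeting."""
    body = banner.strip()[4:]          # drop the "220 " reply code
    if not body:
        return False
    return body.count("*") / len(body) >= threshold


def banner_advertises_esmtp(banner: str) -> bool:
    """Does the greeting still carry the ESMTP keyword that older
    clients looked for before deciding to send EHLO?"""
    return "ESMTP" in banner.upper()


def ehlo_extensions(reply: str) -> set:
    """Parse a multi-line 250 EHLO reply into its extension keywords
    (the first 250 line is the server's domain, not an extension)."""
    lines = [ln for ln in reply.splitlines() if re.match(r"250[ -]", ln)]
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()}


def diagnose(banner: str, ehlo_reply: str) -> dict:
    """Summarise what a mail client would see from this server."""
    return {
        "fixup_suspected": banner_masked(banner),
        "esmtp_in_banner": banner_advertises_esmtp(banner),
        "starttls_offered": "STARTTLS" in ehlo_extensions(ehlo_reply),
    }


def probe(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Live version of the check: read the greeting, send EHLO, diagnose."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode("ascii", "replace")
        s.sendall(b"EHLO probe.example\r\n")
        reply = s.recv(4096).decode("ascii", "replace")
        s.sendall(b"QUIT\r\n")
    return diagnose(banner, reply)
```

Run `diagnose()` on the constructed samples offline, or `probe("your.mx.host")` against a server you operate; a result with `fixup_suspected` true and `esmtp_in_banner` false is exactly the symptom the post attributes to smtp fixup.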