Tuesday, June 17, 2008

MS Exchange SMTP behind Cisco PIX : Mailguard of DOOM

I'm by no means an expert in Cisco PIX, but I've had my fair share of success troubleshooting random problems with them.

In this episode... My MS Exchange Server 2007 box has been happily humming away for the last few weeks, SMTP for POP users is served up from behind a Cisco PIX 515e. However something bad happened... something very bad.

Just recently I discovered that a bunch of users (including myself) could no longer connect to the SMTP server, while other users could. After hours of painstaking troubleshooting, it was nailed down to a problem with the PIX, and a little more research led to a security feature from Cisco named Mailguard. Also note that Mailguard can have adverse effects on POP3 communications when using Windows integrated authentication.

Mailguard's role is to check for dodgy connections or non-standard SMTP commands and drop them, basically shielding the SMTP service on the host behind the PIX. In theory great, in practice with Microsoft Exchange servers... not so great.

Don't ask me how Mailguard (SMTP port 25 inspection) became enabled, when it was ever so clearly not enabled for the last few weeks, but this is how it was resolved:

You may have read on lots of posts on the Internet about running the following command:

# no fixup protocol smtp 25

That command didn't resolve our problem: Mailguard was still actively dropping connections, and/or was still visible as the XXXXXXXXXXXXXXXXXX banner that appeared when telnetting into port 25 (when we were lucky enough to find a machine that could telnet in at all, as Mailguard also outright refuses connections in certain cases).

The trick was to manually remove the ESMTP inspection, as I couldn't do it via the ASDM GUI.

These steps are what worked for me, however you may need to verify the names of your policies:

# conf t
# policy-map global-policy
# class global-class
# no inspect esmtp

Save that to your startup configuration and you're set.

A quick telnet test is all the proof you need to know whether Mailguard is disabled. You will see the real Microsoft Exchange SMTP banner instead of the XXXXXXXXXX.
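The two symptoms described above (the masked banner on port 25, and clients that use ESMTP commands failing while plain-SMTP clients work) can be checked without a manual telnet session. The following Python script is an added example, not code from the post or from Cisco: it classifies an SMTP greeting as masked or as a real Exchange banner, and it shows which client commands Mailguard's RFC 821 allow-list (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) would let through. The EHLO and AUTH lines are why Outlook/Exchange SMTP submission breaks; treating asterisks as well as X's as a masking character, and the `probe_smtp` host/port defaults, are assumptions of the example.

```python
import re
import socket

# RFC 821 commands that PIX Mailguard permits; ESMTP extensions such as
# EHLO, AUTH and STARTTLS are outside this set and get blocked, which is
# why authenticated Outlook/Exchange submission fails behind an inspecting PIX.
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# A 220 greeting: "220 text" or "220-text" (first line of a multi-line reply).
BANNER_RE = re.compile(r"^220[ -](?P<text>.*)$")

# Exchange 2003/2007 greetings both carry this phrase.
EXCHANGE_MARKER = "Microsoft ESMTP MAIL Service"


def classify_banner(banner: str) -> str:
    """Classify the first line returned on port 25.

    'masked'    - the server text is a run of a single masking character
                  (X as shown in the post; '*' is an assumption for other
                  PIX versions), i.e. Mailguard is still rewriting the banner
    'exchange'  - a genuine Microsoft Exchange greeting
    'other'     - some other 220 greeting
    'no-banner' - not a 220 greeting at all (e.g. a 4xx/5xx refusal)
    """
    match = BANNER_RE.match(banner.strip())
    if not match:
        return "no-banner"
    text = match.group("text").strip()
    if text and len(set(text)) == 1 and text[0] in "X*":
        return "masked"
    if EXCHANGE_MARKER in text:
        return "exchange"
    return "other"


def mailguard_would_block(command_line: str) -> bool:
    """True if the SMTP verb on this client line is outside Mailguard's allow-list."""
    verb = command_line.strip().split(" ", 1)[0].split(":", 1)[0].upper()
    return verb not in MAILGUARD_ALLOWED


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Fetch the greeting from a live server and classify it (not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(1024).decode("ascii", errors="replace")
        sock.sendall(b"QUIT\r\n")  # QUIT is on the allow-list, so it is safe to send
    return classify_banner(banner)


if __name__ == "__main__":
    # Constructed sample greetings, not captured from a real server.
    samples = [
        "220 XXXXXXXXXXXXXXXXXX",
        "220 mail.example.com Microsoft ESMTP MAIL Service ready at Tue, 17 Jun 2008 10:00:00 +1000",
        "220 smtp.example.net ESMTP Postfix",
        "421 Service not available",
    ]
    for line in samples:
        print(f"{classify_banner(line):10s} <- {line}")
    for cmd in ("HELO client.example.com", "EHLO client.example.com", "AUTH NTLM"):
        print(f"{'blocked' if mailguard_would_block(cmd) else 'allowed':8s} <- {cmd}")
```

Run it against a host with `probe_smtp("mailhost.example.com")` (hostname is a placeholder): a result of `masked` means the `no inspect esmtp` change has not taken effect yet, while `exchange` confirms the real banner is reaching the client.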

1 comment:

Email archiving software said...

Pretty simple and helpful. Thanks!