LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Subject: Re: the Cisco PIX firewall bug
From: Xander Jansen <[log in to unmask]>
Reply To: LISTSERV give-and-take forum <[log in to unmask]>
Date: Fri, 4 May 2001 02:13:33 +0200
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (34 lines)

On Thu, 3 May 2001, Jacob Haller wrote:

+ If I recall correctly the SMTP proxy that is built into PIX firewalls
+ mishandles ESMTP transactions and it is that which is causing the
+ problem.  If this is the case disabling ESMTP for the domain in
+ question should stop the problem from happening.

Ah, that one might explain one of the PIX-problems I've seen lately. Some
other (or perhaps the same?) ones one might run into:

http://www.postfix.org/faq.html#timeouts

"The Cisco PIX firewall has a bug when running software older than version
 5.2(4) or 6.0(1).

 The bug ID is CSCds90792. The "fixup protocol smtp" feature does not
 correctly handle the case where the "." and the "CRLF" at the end of mail
 are sent in separate packets."

And there is (was?) the one that happens when the greeting banner of the
mailer behind the PIX-proxy was folded over two lines but the continuation
line was completely substituted by asterisks, i.e. without a "220 "
prefix (which was also replaced by asterisks). The workaround was at that
time to make the original greeting banner (on the proxied mailer) a
shorter one-liner so that the PIX wouldn't mess it up. This bug didn't
cause duplicates, the mail just couldn't be delivered because the sending
MTA (rightfully so) just choked on the bad response from the PIX.

Oh well, security by obscurity sometimes has nasty side-effects ;-)

Cheers,

Xander
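
An added example, not part of the original message: a Python check that a mail administrator could run over a captured SMTP greeting to spot the folded-banner symptom described above, where a continuation line arrives as asterisks with no reply code. The function name and the sample greetings are constructed for illustration; the line format checked is the standard SMTP multi-line reply form (code plus "-" on every line but the last, code plus space on the last).

```python
import re

# One SMTP reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def check_greeting(raw: bytes) -> list[str]:
    """Return protocol problems found in a greeting as received by the sending MTA."""
    findings = []
    lines = raw.decode("ascii", "replace").split("\r\n")
    if lines[-1] == "":
        lines.pop()                      # normal case: greeting ended with CRLF
    else:
        findings.append("greeting not terminated by CRLF")
    for number, line in enumerate(lines, start=1):
        is_last = number == len(lines)
        match = REPLY_LINE.match(line)
        if match is None:
            if line and set(line) == {"*"}:
                # The symptom from the post: even the "220 " prefix was masked.
                findings.append(f"line {number}: entirely asterisks, reply code masked")
            else:
                findings.append(f"line {number}: no 3-digit reply code")
            continue
        code, separator, _text = match.groups()
        if code != "220":
            findings.append(f"line {number}: unexpected reply code {code}")
        if separator == "-" and is_last:
            findings.append(f"line {number}: continuation marker on final line")
        if separator != "-" and not is_last:
            findings.append(f"line {number}: final-line form used before the end")
    return findings

# Constructed sample greetings (not captures from a real device).
GOOD = b"220 mail.example.org ESMTP\r\n"
FOLDED_OK = b"220-mail.example.org ESMTP\r\n220 service ready\r\n"
MASKED = b"220-********************\r\n********************\r\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("folded", FOLDED_OK), ("masked", MASKED)):
        print(name, check_greeting(sample) or "ok")
```

A non-empty result on a folded banner is the cue to apply the workaround from the message: shorten the greeting on the proxied mailer to a single line.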
