LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Xander Jansen <[log in to unmask]>
Fri, 4 May 2001 02:13:33 +0200
On Thu, 3 May 2001, Jacob Haller wrote:

+ If I recall correctly the SMTP proxy that is built into PIX firewalls
+ mishandles ESMTP transactions and it is that which is causing the
+ problem.  If this is the case disabling ESMTP for the domain in
+ question should stop the problem from happening.

Ah, that one might explain one of the PIX-problems I've seen lately. Some
other (or perhaps the same?) ones one might run into:

http://www.postfix.org/faq.html#timeouts

"The Cisco PIX firewall has a bug when running software older than version
 5.2(4) or 6.0(1).

 The bug ID is CSCds90792. The "fixup protocol smtp" feature does not
 correctly handle the case where the "." and the "CRLF" at the end of mail
 are sent in separate packets."

And there is (was?) the one that happens when the greeting banner of the
mailer behind the PIX-proxy was folded over two lines but the continuation
line was completely substituted by asterisks, i.e.  without a "220 "
prefix (which was also replaced by asterisks). The workaround was at that
time to make the original greeting banner (on the proxied mailer) a
shorter one-liner so that the PIX wouldn't mess it up. This bug didn't
cause duplicates, the mail just couldn't be delivered because the sending
MTA (rightfully so) just choked on the bad response from the PIX.

Oh well, security by obscurity sometimes has nasty side-effects ;-)

Cheers,

Xander
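
The folded-banner failure described in the message above, as an added example that is not part of the original post: a strict parser for SMTP reply lines, run over a constructed two-line greeting, the same greeting with its continuation line replaced by asterisks, and the one-line workaround. The host name, banner wording and function names are assumptions, and the first banner line is left unmasked because the message only describes the continuation line.

```python
import re

# SMTP reply line: three-digit code, then "-" (more lines follow) or " "
# (final line), then free text. A bare three-digit code is also accepted.
REPLY_LINE = re.compile(rb"([2-5][0-9]{2})(?:([ -])(.*))?")


def parse_reply(raw: bytes):
    """Parse one complete SMTP reply and return (code, [text, ...]).

    Raises ValueError naming the first line a strict client would reject.
    """
    if not raw.endswith(b"\r\n"):
        raise ValueError("reply does not end with CRLF")
    lines = raw[:-2].split(b"\r\n")
    code, texts = None, []
    for number, line in enumerate(lines, start=1):
        m = REPLY_LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"line {number} has no reply code: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError(f"line {number} switches to code {m.group(1)!r}")
        code = m.group(1)
        # "-" must appear on every line except the last, and never on the last.
        if (m.group(2) == b"-") == (number == len(lines)):
            raise ValueError(f"line {number} has the wrong continuation marker")
        texts.append((m.group(3) or b"").decode("ascii", "replace"))
    return int(code), texts


def banner_problem(raw: bytes):
    """Return None for a well-formed greeting, else the parser's complaint."""
    try:
        code, _ = parse_reply(raw)
    except ValueError as exc:
        return str(exc)
    return None if code == 220 else f"unexpected greeting code {code}"


# Constructed samples (host name and wording are made up).
FOLDED = b"220-mail.example.org ESMTP ready\r\n220 No unsolicited mail\r\n"
# Same greeting as a client would see it with the continuation line,
# "220 " prefix included, overwritten by asterisks.
MASKED = b"220-mail.example.org ESMTP ready\r\n" + b"*" * 23 + b"\r\n"
# The workaround from the message: a short single-line banner.
ONE_LINE = b"220 mail.example.org ESMTP\r\n"

if __name__ == "__main__":
    for name, raw in (("folded", FOLDED), ("masked", MASKED), ("one-line", ONE_LINE)):
        print(f"{name:9s} {banner_problem(raw) or 'ok'}")
```

Feeding it the greeting as captured from outside the firewall shows whether a strict sending MTA would accept it.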
