LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Tim Parker <[log in to unmask]>
Thu, 3 May 2001 13:15:53 -0400
Thanks Jacob! This helps a lot.

Tim


-----Original Message-----
From: Jacob Haller [mailto:[log in to unmask]]
Sent: Thursday, May 03, 2001 1:06 PM
To: [log in to unmask]
Subject: Re: the Cisco PIX firewall bug


>Every once in a while we run into a user who claims we're mailbombing
>them, and invariably it's a Cisco PIX firewall, as outlined in the
>support FAQ.

(Specifically http://www.lsoft.com/manuals/lsv-faq.stm#5.6a for those
who don't know what we're talking about.)

>Unfortunately, the onus generally rests on us, as to why we are
>"letting" our listserv & lsmtp servers do this.
>Is there *anything* we can do on our end to proactively prevent this
>situation from occurring? I'd love to hear that there was a patch for
>LSMTP or LISTSERV that will allow the servers to work around the problem
>when many asterisks are recognized in the SMTP banner.
>
>All I can do on my end is disable any further mail to that domain until
>the admin gets their stuff together. Which is rare, and I'm not in a
>position to push them around.
>
>Any info would be appreciated.
>
>Thanks,
>Al Iverson

If I recall correctly the SMTP proxy that is built into PIX firewalls
mishandles ESMTP transactions and it is that which is causing the
problem.  If this is the case disabling ESMTP for the domain in
question should stop the problem from happening.  Here's how you'd do
it.

1) From the LSMTP Control program, click on Configure.

2) Click on SMTP Destinations tab. Usually the site in question will
not be listed, so click on ADD. Enter the Domain name of the site
(e.g. example.com). There are several lines below this with various
parameters filled in. The very bottom line however ('Mailer entry
name...') will be blank. Enter the domain name here again (e.g.
example.com) and click OK.

3) Click the Mailers tab. There are 2 windows. In the upper window,
click on ADD. For 'Mailer name' enter the same domain name as you put
in the bottom line in the previous (SMTP Destinations) box. (e.g.
example.com). Now there are several sub-tabs. The one you want is the
"Protocol" tab.  Uncheck the "Use the EHLO command..." box.  Then
click OK and OK again. LSMTP will reload the configuration
automatically so it should not be necessary to do any stopping and
restarting.  (I'm not sure this will affect entries currently in the
queue, however, so you may have to manually remove existing queue
entries for the affected site.)

I generally wouldn't recommend disabling ESMTP for all servers, since
that will reduce performance.  (LSMTP uses standard ESMTP features
like pipelining to speed up mail transactions.)

You should still notify the subscriber of what is causing the
problem, as the problem is with the noncompliance of their mail proxy
and they are likely to experience the same kind of problems with
other sites if they do not fix it.

It's interesting to go to Cisco's web site to see how the Mailguard
feature of PIX firewalls works.

Thanks,
--
Jacob Haller, Technical Support
L-Soft international, Inc
http://www.lsoft.com/
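
A sender-side check for the symptom discussed in this thread (an SMTP banner made up mostly of asterisks), added here as an example; it is not LSMTP or LISTSERV code. The threshold, function names and sample banners are assumptions constructed for illustration, and the output is the list of domains that would get the per-domain "EHLO disabled" mailer entry described above.

```python
import re

# Assumption for this example: a 220 banner whose non-space characters are at
# least this fraction '*' is treated as rewritten by a filtering SMTP proxy.
MASK_RATIO = 0.5
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(raw):
    """Parse one SMTP reply (single or multi-line) into (code, text_lines)."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = m.group(1)
        texts.append(m.group(3) or "")
        if m.group(2) != "-":      # only "NNN-" announces a continuation line
            break
    if code is None:
        raise ValueError("empty SMTP reply")
    return int(code), texts

def banner_is_masked(raw_banner):
    """True when a 220 greeting consists mostly of asterisks."""
    code, texts = parse_reply(raw_banner)
    body = "".join("".join(t.split()) for t in texts)
    return code == 220 and bool(body) and body.count("*") / len(body) >= MASK_RATIO

def choose_greeting(raw_banner, domain, no_esmtp_domains=frozenset()):
    """Pick HELO for operator-listed domains or masked banners, else EHLO."""
    if domain.lower() in no_esmtp_domains or banner_is_masked(raw_banner):
        return "HELO"
    return "EHLO"

def domains_needing_helo(banners):
    """Return the sorted domains whose recorded banner looks masked."""
    return sorted(d for d, b in banners.items() if banner_is_masked(b))

# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    "example.com": "220 *****************2*****0*0****",
    "example.net": "220 mail.example.net ESMTP ready",
    "example.org": "220-mail.example.org ESMTP\r\n220 service ready",
}

if __name__ == "__main__":
    for name in domains_needing_helo(SAMPLE_BANNERS):
        print(name, "-> add a per-domain mailer with EHLO disabled")
```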
