This issue is old and familiar to us, and crops up about once every six months or so. I thought it might help to document the situation more publicly.<\/p>\n
On Cisco firewalls (PIX or the newer ASA), various protocol inspection engines are available. Generally, they assist in tracking connections of IP traffic through the firewall. That is, for a protocol such as FTP various additional TCP connections are made alongside the original connection, and the firewall needs to know to allow these through. The inspection engines perform simple analysis of traffic to watch for and set up these so-called pinhole<\/em> ports, on demand.<\/p>\n Trouble is, some of the inspection engines have suffered feature creep and now try to work out, I guess, the semantics of the exchange taking place. If the engine thinks the conversation contains “illegal” requests, it’s blocked.<\/p>\n In particular the SMTP inspection engine (also known as a fixup<\/em> in the Cisco docs) is fairly notorious for messing about with email transfer and preventing successful delivery. At best you might experience mysteriously missing attachments, at worst the remote server simply sees a TCP connection reset and has no idea why delivery failed.<\/p>\n Here’s how to tell if your Cisco firewall is interfering with your mail server’s operation. Telnet to the mail server (we assume the firewall sits in front of it) on the standard port of 25, and look at the “banner” response. On a regular mail server the banner looks something like this:<\/p>\n However on an affected server, the banner is noticeably different:<\/p>\n Disabling the SMTP fixup (which is on by default, I believe) enables mail to flow as it should. I recommend you do this on any PIX or ASA devices in your network.<\/p>\n Note that the fixup seems to interfere with email going through the firewall in both directions, and problems occur regardless of the mail server software being used in the communication (after all, all servers are speaking the same SMTP protocol language).<\/p>\n","protected":false},"excerpt":{"rendered":" This issue is old and familiar to us, and crops up about once every six months or so. I thought it might help to document the situation more publicly. On Cisco firewalls (PIX or the newer ASA), various protocol inspection … Continue reading \r\nhost:~$ telnet oxmail.ox.ac.uk 25\r\nTrying 129.67.1.161...\r\nConnected to oxmail.ox.ac.uk.\r\nEscape character is '^]'.\r\n220 relay0.mail.ox.ac.uk ESMTP Exim 4.69 Thu, 26 Nov 2009 19:28:51 +0000\r\n<\/pre>\n
\r\nhost:~$ telnet suspectserver.example.com 25\r\nTrying 192.0.2.1...\r\nConnected to suspectserver.example.com.\r\nEscape character is '^]'.\r\n220 *****************************************************************************\r\n<\/pre>\n