Microsoft KB Archive/295725

= Cannot send or receive e-mail messages behind a Cisco PIX firewall =

Article ID: 295725

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Exchange 2000 Server Standard Edition
 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition

-



This article was previously published under Q295725



Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

This article is a consolidation of the following previously available article: 320027



SYMPTOMS
When you try to send or receive messages behind a Cisco PIX firewall, you experience one or more of the following issues:

 * A user receives an exact copy of the same inbound message over and over. Each new duplicate message is received at a consistent interval. This continues for several hours and then stops suddenly.
 * If there is a Cisco PIX firewall device between the routing groups, you experience the following issues:
    * The X-LINK2STATE verb is not passed. Additionally, you have link state routing issues between routing groups.
    * There are authentication problems between servers because of a routing group connector.
 * You cannot receive Internet-based e-mail messages.
 * When you use Microsoft Outlook or Microsoft Outlook Express to send e-mail messages, you receive the 0x800CCC79 error message.
 * The Post Office Protocol version 3 (POP3) protocol cannot be authenticated. Additionally, you receive the following error message:

   550 5.7.1 relaying denied from local server

 * You cannot send messages that have attachments. Or, the attachments are missing or garbled.
 * When you send messages that contain binary MIME (8bitmime) parts, you receive the following error message in a non-delivery report (NDR) message:

   554 5.6.1 Body type not supported by Remote Host.


CAUSE
These issues may occur if the Microsoft Exchange server is positioned behind a Cisco PIX firewall device. The Cisco PIX firewall device uses an SMTP protocol filtering feature that is named Mailguard. When the Mailguard feature is turned on, it blocks all Extended Simple Mail Transfer Protocol (ESMTP) commands. Mailguard allows only seven basic Simple Mail Transfer Protocol (SMTP) commands to pass. Therefore, the PIX firewall does not forward the ESMTP commands to the mail server. The ESMTP commands include commands such as X-LINK2STATE, Auth, Auth login, KILL, and WIZ.

Additionally, there is a known issue with Mailguard that causes duplicate incoming messages. Cisco has corrected this issue in later software releases. For more information about this known issue, see the "Duplicate incoming SMTP messages" section later in this article.

To check for the presence of Mailguard, follow these steps:
 * 1) From a workstation on the Internet, open a Telnet session to the IP address of the MX record on port 25. You should see text that resembles the following:

   220 *********0***************************************************************** ************2*************

 * 2) Issue the EHLO command. You may receive one of the following messages:

   OK

   500 Unrecognized command

Note If you have an ESMTP server behind the PIX firewall, you may have to turn off the Mailguard feature to allow mail to flow correctly. Also, you may be unable to establish a Telnet session to port 25 with the fixup protocol smtp command. This is especially true with a Telnet client that uses character mode.

Note On Cisco PIX firewalls with firmware version 5.1 and with later versions, the fixup protocol smtp command changes most characters in the SMTP banner to asterisks. The exceptions to this are the "2" character, the "0" character, and the "0 " character. The carriage return (CR) character and the linefeed (LF) character are ignored. In version 4.4, all characters in the SMTP banner are converted to asterisks.


WORKAROUND
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To work around these issues, turn off the Mailguard feature of the PIX firewall. To do this, follow these steps:
 * 1) Establish a Telnet session to log on to the Cisco PIX firewall. Alternatively, use the console to log on to the Cisco PIX firewall.
 * 2) Type enable, and then press ENTER.
 * 3) When you are prompted for your password, type your password, and then press ENTER.
 * 4) Type configure terminal, and then press ENTER.
 * 5) Type no fixup protocol smtp 25, and then press ENTER.
 * 6) Type write memory, and then press ENTER.
 * 7) Restart or reload the Cisco PIX firewall.

Note For more information about how to turn off the Mailguard feature of the Cisco PIX firewall, visit the following Cisco Web site:

http://www.cisco.com/support/index.shtml

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


MORE INFORMATION
The PIX Software Mailguard feature filters SMTP traffic. This feature was also referred to as Mailhost in earlier versions. In PIX Software versions 4.0 and 4.1, you use the mailhost command to configure Mailguard. In PIX Software version 4.2 and in later versions, you use the fixup protocol smtp 25 command. Mailguard allows connections to an e-mail host only through Transmission Control Protocol (TCP) port 25. It logs all SMTP activity. Additionally, it allows only the minimum SMTP server commands found in Request for Comments (RFC) 821, Section 4.5.1. These SMTP server commands are the following seven commands:
 * HELO
 * MAIL
 * RCPT
 * DATA
 * RSET
 * NOOP
 * QUIT

Note In addition to the Cisco PIX firewall, there are several firewall products that have SMTP Proxy capabilities that may produce the issues that are described earlier in this article. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

895857 SMTP mail cannot be sent or cannot be received in Exchange Server

Duplicate incoming SMTP messages
In a typical SMTP session, a sending host marks the end of the DATA part of the message with CRLF.CRLF on a line by itself. The receiving host acknowledges receipt of the message data by issuing a 250 OK response back to the sending host. The sending host replies with the QUIT command. The normal response from the receiving host would be 221 closing connection. Once the sending host receives this last response, the session is complete.

If for any reason the CRLF.CRLF terminating string is broken into separate packets during transmission, Mailguard rejects it and does not pass it to the mail server. The connection eventually times out and the message queues for delivery on the receiving host. Because the sending host never receives confirmation of receipt, it assumes delivery failure. It re-queues the message for attempted delivery at a later time. This goes on repeatedly until the message time-out on the sending host is exhausted.
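The packet-boundary failure described above can be reproduced without a firewall. The following added Python example (written for this page, not Cisco's or Microsoft's code) compares a per-packet check for the end-of-DATA terminator with a stream-aware check, using a constructed message whose CRLF.CRLF is split across two segments:

```python
# Added example, not from the KB article: terminator detection across packet boundaries.
TERMINATOR = b"\r\n.\r\n"
CARRY = len(TERMINATOR) - 1  # bytes of a packet that may begin a split terminator


def naive_end_of_data(packets):
    """Per-packet check: sees the terminator only if all five bytes arrive together."""
    return any(TERMINATOR in pkt for pkt in packets)


def streaming_end_of_data(packets):
    """Stream-aware check: carry the tail of each packet into the next window.

    The window is primed with CRLF because the body starts on a fresh line after
    the 354 reply, so a body consisting of just ".<CRLF>" is a valid terminator.
    """
    carry = b"\r\n"
    for pkt in packets:
        window = carry + pkt
        if TERMINATOR in window:
            return True
        carry = window[-CARRY:]
    return False


def data_phase_reply(packets, stream_aware):
    """Reply sent at the end of the DATA phase, or None when the terminator is never
    recognised and the session stalls (the sender then retries the whole message)."""
    seen = streaming_end_of_data(packets) if stream_aware else naive_end_of_data(packets)
    return b"250 OK" if seen else None


def split_at(message, offset):
    """Constructed helper: pretend TCP delivered `message` as two segments."""
    return [message[:offset], message[offset:]]


if __name__ == "__main__":
    body = b"Subject: hello\r\n\r\nhello world\r\n.\r\n"
    segments = split_at(body, len(body) - 2)  # first ends "...\r\n.", second is "\r\n"
    print("one segment :", data_phase_reply([body], False), data_phase_reply([body], True))
    print("two segments:", data_phase_reply(segments, False), data_phase_reply(segments, True))
```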

SMTP protocol logging can be used to pinpoint where a message session fails. In the sample SMTP log below, note that after the receiving host issues the 354 prompt there is no response to the CRLF.CRLF terminator; the next entry is a new connection.

2/7/01 5:01:20 PM : A connection was accepted from mail.domain1.com
2/7/01 5:01:21 PM : <<< HELO mail.domain1.com
2/7/01 5:01:21 PM : >>> 250 OK
2/7/01 5:01:21 PM : <<< MAIL From:<user@domain1.com>
2/7/01 5:01:21 PM : >>> 250 OK - mail from <user@domain1.com>
2/7/01 5:01:22 PM : <<< RCPT To:<user@domain2.com>
2/7/01 5:01:22 PM : >>> 250 OK - Recipient <user@domain2.com>
2/7/01 5:01:23 PM : <<< DATA
2/7/01 5:01:23 PM : >>> 354 Send data. End with CRLF.CRLF
2/7/01 5:05:44 PM : A connection was accepted from mail.domain3.com
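The stall shown in the log above can be found automatically. The following added Python example (not from the article) scans protocol-log lines in this format, using a constructed sample modelled on the log above, and reports every session that received a 354 prompt but no 250 acknowledgement before the next accepted connection or the end of the log:

```python
import re

# Constructed sample log (same format as the article's): session 1 stalls, session 2 completes.
SAMPLE_LOG = """\
2/7/01 5:01:20 PM : A connection was accepted from mail.domain1.com
2/7/01 5:01:21 PM : <<< HELO mail.domain1.com
2/7/01 5:01:21 PM : >>> 250 OK
2/7/01 5:01:23 PM : <<< DATA
2/7/01 5:01:23 PM : >>> 354 Send data. End with CRLF.CRLF
2/7/01 5:05:44 PM : A connection was accepted from mail.domain3.com
2/7/01 5:05:45 PM : <<< HELO mail.domain3.com
2/7/01 5:05:45 PM : >>> 250 OK
2/7/01 5:05:46 PM : <<< DATA
2/7/01 5:05:46 PM : >>> 354 Send data. End with CRLF.CRLF
2/7/01 5:05:47 PM : >>> 250 OK - Message queued
2/7/01 5:05:47 PM : <<< QUIT
2/7/01 5:05:47 PM : >>> 221 closing connection
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) : (?P<msg>.*)$")
CONN_RE = re.compile(r"A connection was accepted from (?P<peer>\S+)")


def find_stalled_data_sessions(log_text):
    """Return (peer, timestamp of the 354 prompt) for each session that was told to
    send message data but never got a 250 acknowledgement before the next connection."""
    stalled = []
    session = None  # {"peer": str, "data_ts": timestamp of an unacknowledged 354, or None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a protocol-log line
        ts, msg = m.group("ts"), m.group("msg")
        conn = CONN_RE.search(msg)
        if conn:
            if session and session["data_ts"]:
                stalled.append((session["peer"], session["data_ts"]))
            session = {"peer": conn.group("peer"), "data_ts": None}
        elif session is None:
            continue  # lines before the first accepted connection
        elif msg.startswith(">>> 354"):
            session["data_ts"] = ts
        elif msg.startswith(">>> 250") and session["data_ts"]:
            session["data_ts"] = None  # terminator was seen and acknowledged
    if session and session["data_ts"]:
        stalled.append((session["peer"], session["data_ts"]))
    return stalled


if __name__ == "__main__":
    print(find_stalled_data_sessions(SAMPLE_LOG))
```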

Cisco has determined this to be an issue in certain versions of PIX operating software. This issue is linked to bug CSCds90792. Registered users of Cisco Connection Online (CCO) have access to release notes for this bug in Cisco's Software Bug Toolkit. For more information, visit the following Cisco Web site:

http://www.cisco.com/kobayashi/bugs/bugs.html

How to test the Mailguard feature
When the Mailguard feature is turned off, the mail server responds to an invalid command with the "500 Command unrecognized" error message. However, when the Mailguard feature is turned on, the Cisco PIX firewall responds with the "OK" message, regardless of whether the command is valid. To determine whether the Mailguard feature is blocking commands that are not valid, follow these steps.

Note The following steps are based on PIX software versions 4.0 and 4.1. To test PIX software version 4.2 and later versions, use the fixup protocol smtp 25 command and the appropriate Static statement and Conduit statement for your mail server.

When Mailguard is turned off
 * 1) On the Cisco PIX firewall, use the Static command and the Conduit command to allow all hosts in on TCP port 25 (SMTP).
 * 2) Establish a Telnet session on the external interface of the Cisco PIX firewall on port 25.
 * 3) Type a command that is not valid, and then press ENTER. For example, type goodmorning, and then press ENTER. You receive the following error message:

   500 Command unrecognized.

When Mailguard is turned on
 * 1) Use the mailhost command or the fixup protocol smtp 25 command to turn on the Mailguard feature on the external interface of the Cisco PIX firewall.
 * 2) Establish a Telnet session on the external interface of the Cisco PIX firewall on port 25.
 * 3) Type a command that is not valid, and then press ENTER. For example, type goodmorning, and then press ENTER. You receive the following message:

   OK.
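The three observations used in the presence check in the CAUSE section and in the two test procedures above (masked banner, reply to EHLO, reply to an invalid command) can be collected and classified in one pass. This added Python example (not from the article, Microsoft or Cisco) classifies captured replies and can optionally run the live check against your own MX from outside the firewall; the hostname probe.example is a placeholder, and GOODMORNING is the article's invalid test command:

```python
import socket
import sys


def looks_masked(banner):
    """PIX 'fixup protocol smtp' replaces most banner characters with asterisks."""
    return banner.startswith("220") and banner.count("*") > len(banner) // 2


def classify(banner, ehlo_reply, bogus_reply):
    """Findings that point at Mailguard (or a similar SMTP proxy) in the path."""
    findings = []
    if looks_masked(banner):
        findings.append("banner masked with asterisks")
    if ehlo_reply.strip().upper() == "OK":
        findings.append("EHLO answered with bare OK, so ESMTP extensions never reach the server")
    elif ehlo_reply.startswith("500"):
        findings.append("EHLO rejected with 500 instead of a 250 extension list")
    if bogus_reply.strip().upper().startswith("OK"):
        findings.append("invalid command accepted with OK instead of a 500 reply")
    return findings


def read_reply(f):
    """Read one SMTP reply; '250-...' continuation lines belong to the same reply."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line)
        if not (line[:3].isdigit() and line[3:4] == "-"):
            break
    return "\n".join(lines)


def probe(host, port=25, timeout=10):
    """Live check of your own MX from outside the firewall; returns classify() findings."""
    with socket.create_connection((host, port), timeout) as sock:
        f = sock.makefile("rwb", buffering=0)
        def send(cmd):
            f.write(cmd.encode("ascii") + b"\r\n")
            return read_reply(f)
        banner = read_reply(f)
        ehlo = send("EHLO probe.example")  # placeholder client hostname
        bogus = send("GOODMORNING")  # the article's deliberately invalid command
        send("QUIT")
    return classify(banner, ehlo, bogus)


if __name__ == "__main__":
    print(probe(sys.argv[1]) or ["no sign of SMTP command filtering"])
```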
