Microsoft KB Archive/320027

= XCON: Cannot Send or Receive E-Mail Messages Behind a Cisco PIX Firewall =

PSS ID Number: 320027

Article Last Modified on 10/24/2003

-

The information in this article applies to:


 * Microsoft Exchange 2000 Server
 * Microsoft Exchange Server 5.5

-



This article was previously published under Q320027



SYMPTOMS
You may experience one or more of the following behaviors:
 * You cannot receive Internet-based e-mail messages.
 * You cannot send e-mail messages with attachments.
 * You cannot establish a telnet session with the Exchange 2000 server on port 25.
 * When you send an EHLO command to the Exchange 2000 server, you receive a "Command unrecognized" or an "OK" response.
 * You cannot send or receive mail on specific domains.
 * Post Office Protocol version 3 (POP3) authentication fails: clients receive "550 5.7.1 relaying denied from local server".
 * Duplicate e-mail messages are sent (sometimes five or six copies).
 * You receive duplicate incoming Simple Mail Transfer Protocol (SMTP) messages.



CAUSE
This issue may occur in the following situation:
 * The Exchange 2000 server is placed behind a Cisco PIX firewall device.

-and-
 * The PIX firewall has the Mailguard feature turned on.
 * The AUTH and AUTH LOGIN commands (Extended Simple Mail Transfer Protocol [ESMTP] commands) are stripped by the firewall, so the Exchange server never sees the client authenticate and treats the submission as relaying from a non-local domain.

To determine whether Mailguard is running on your Cisco PIX firewall, Telnet to port 25 of the IP address that your MX record resolves to, and then verify whether the SMTP banner looks similar to the following:

220*******************************************************0*2******0***********************

2002*******2***0*00

Old versions of PIX:

220 SMTP/cmap_________________________________________ read

For more information, visit the following Cisco Web sites:

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX

http://www.cisco.com/warp/public/110/22.html

Note If you have an ESMTP server behind the PIX firewall, you may have to turn off the Mailguard feature to permit mail to flow correctly. Also, establishing a Telnet session to port 25 may not work with the fixup protocol smtp command, especially with a Telnet client that uses character mode.



RESOLUTION
To resolve this issue, turn off the Mailguard feature of the PIX firewall.

Warning If you have an ESMTP server behind the PIX, you may have to turn off the Mailguard feature to allow mail to flow correctly. A Telnet session to port 25 may not work while the fixup protocol smtp command is in effect, and this is more noticeable with a Telnet client that uses character mode.

To turn off the Mailguard feature of the PIX firewall:
 1) Log on to the PIX firewall by establishing a telnet session or by using the console.
 2) Type enable, and then press ENTER.
 3) When you are prompted for your password, type your password, and then press ENTER.
 4) Type configure terminal, and then press ENTER.
 5) Type no fixup protocol smtp 25, and then press ENTER.
 6) Type write memory, and then press ENTER.
 7) Restart or reload the PIX firewall.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

295164 XCON: SMTP Clients Receive Relaying Prohibited Error Message When Authenticated Relay Is Enabled



MORE INFORMATION
The PIX Software Mailguard feature (also called Mailhost in early versions) filters Simple Mail Transfer Protocol (SMTP) traffic. For PIX Software versions 4.0 and 4.1, the mailhost command is used to configure Mailguard. In PIX Software version 4.2 and later, the fixup protocol smtp 25 command is used.

Note You must also have static IP address assignments and conduit statements for your mail server.

When Mailguard is configured, Mailguard allows only the seven SMTP minimum-required commands as described in Request for Comments (RFC) 821, section 4.5.1. These seven required commands are the following:

 * HELO
 * MAIL
 * RCPT
 * DATA
 * RSET
 * NOOP
 * QUIT

Other commands, such as KILL and WIZ, are not forwarded to the mail server by the PIX firewall. Early versions of the PIX firewall return an "OK" response even to commands that are blocked. This is intended to keep an attacker from learning that the commands have been blocked.

To view RFC 821, visit the following RFC Web site:

http://www.faqs.org/rfcs/rfc821.html

All other commands are rejected with the "500 Command unrecognized" response.

On Cisco PIX firewalls with firmware versions 5.1 and later, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks, except for the "2" and "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored. In version 4.4, all characters in the SMTP banner are converted to asterisks.

Test Mailguard for Proper Function
Because the Mailguard feature may return an "OK" response to all commands, it may be hard to determine whether it is active. To determine whether the Mailguard feature is blocking commands that are not valid, follow these steps.

Note The following steps are based on PIX software version 4.0 and 4.1. To test later versions of PIX software (version 4.2 and later), use the fixup protocol smtp 25 command and the appropriate static and conduit statements for your mail server.

With Mailguard Turned Off
 On the PIX firewall, use the static and conduit commands to allow all hosts in on TCP port 25 (SMTP). Establish a telnet session on the external interface of the PIX firewall on port 25. Type a command that is not valid, and then press ENTER. For example, type goodmorning, and then press ENTER.

You receive the following response:

500 Command unrecognized.



With Mailguard Turned On
 Use the mailhost or the fixup protocol smtp 25 command to turn on the Mailguard feature on the external interface of the PIX firewall. Establish a telnet session on the external interface of the PIX firewall on port 25. Type a command that is not valid, and then press ENTER. For example, type goodmorning, and then press ENTER.

You receive the following response:

OK.


When the Mailguard feature is turned off, the mail server responds to the command that is not valid with the "500 Command unrecognized" message. However, when the Mailguard feature is turned on, the PIX firewall intercepts the command that is not valid, because the firewall passes only the seven minimum required SMTP commands. The PIX firewall responds with "OK" whether the command is valid or not.
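The two Mailguard checks described above (the asterisk-rewritten banner from the CAUSE section, and the "OK" versus "500 Command unrecognized" reply to an unsupported command) can be automated from the Exchange administrator's side. The following is an added example written for this article, not Microsoft or Cisco code; the sample banners and EHLO reply are constructed from the patterns shown in this article, and the probe host name is a placeholder.

```python
import re
import socket

# Constructed samples modelled on the banners quoted in this article (not captured from a real host).
MAILGUARD_BANNER = "220*******************************************************0*2******0***********************"
OLD_PIX_BANNER = "220 SMTP/cmap_________________________________________ read"
EXCHANGE_BANNER = "220 mail.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready"
# Constructed ESMTP reply as an Exchange 2000 server sends it when nothing is stripped.
EHLO_REPLY = "250-mail.example.com Hello [192.0.2.10]\r\n250-AUTH LOGIN\r\n250-SIZE 10485760\r\n250 OK\r\n"


def classify_banner(banner: str) -> str:
    """Decide from the 220 greeting whether a PIX fixup sits in front of the mail server."""
    lines = banner.strip().splitlines()
    line = lines[0] if lines else ""
    if not line.startswith("220"):
        return "no-smtp-banner"
    rest = line[3:]
    # PIX 5.1+ rewrites every banner character to '*' except '2' and '0' (4.4: everything).
    if rest and re.fullmatch(r"[*20 ]*", rest) and "*" in rest:
        return "mailguard"
    if rest.lstrip().startswith("SMTP/cmap"):  # banner of older PIX software
        return "mailguard-old"
    return "direct"


def classify_ehlo_reply(reply: str) -> str:
    """Interpret what came back after EHLO, which is not one of the seven RFC 821 commands."""
    lines = reply.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("250"):
        return "esmtp"           # extensions reached the client; Mailguard is not rewriting
    if first.startswith("500"):
        return "ehlo-rejected"   # "500 Command unrecognized": Mailguard or a plain RFC 821 server
    if first.upper().startswith("OK"):
        return "mailguard-ok"    # early PIX answers OK to anything it blocks
    return "unknown"


def advertised_extensions(reply: str) -> list:
    """Keywords from the 250- continuation lines; a missing AUTH matches the CAUSE section."""
    lines = [l for l in reply.strip().splitlines() if l.startswith("250") and len(l) > 4]
    return [l[4:].split()[0].upper() for l in lines[1:] if l[4:].split()]


def probe(host: str, port: int = 25, timeout: float = 5.0) -> tuple:
    """Live check: read the banner, send EHLO, send QUIT; returns both classifications."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode("ascii", "replace")
        s.sendall(b"EHLO probe.example.test\r\n")
        reply = s.recv(4096).decode("ascii", "replace")
        s.sendall(b"QUIT\r\n")
    return classify_banner(banner), classify_ehlo_reply(reply)
```

Run probe() against the public address of your own MX host; a "mailguard" banner or an "ehlo-rejected"/"mailguard-ok" reply, together with AUTH absent from the advertised extensions, is the signature this article attributes to the fixup protocol smtp command.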

By default, the PIX firewall blocks all outside connections from accessing inside hosts. Use the static, access-list, and access-group command statements to permit outside access. For additional information about these commands, visit the following Cisco Web site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/commands.htm

For additional information about how to configure the Cisco PIX firewall, please visit the following Cisco Web sites:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/commands.htm#xtocid1604922

http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml

http://www.cisco.com/warp/public/110/22.html

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Keywords: kbprb KB320027

Technology: kbExchange2000Search kbExchange2000Serv kbExchange2000ServSearch kbExchange550 kbExchangeSearch kbZNotKeyword2

-


© 2004 Microsoft Corporation. All rights reserved.