8.24. Making Exchange Work Behind a Cisco PIX Firewall
Problem
Your Exchange server sits behind a Cisco PIX firewall, and you want to make sure that the PIX is configured so that the server can send and receive SMTP mail through it without the firewall interfering with the SMTP sessions.
Solution
On the PIX, disable the MailGuard feature (the "SMTP fixup"), which is enabled by default. Enter the following command from the PIX command line in configuration mode, and save the configuration afterwards so the change survives a reload:
no fixup protocol smtp 25
Discussion
While the Cisco PIX firewall is generally a capable firewall, the MailGuard SMTP proxy feature has long been a source of problems, not just for Exchange, but for SMTP servers in general. The MailGuard functionality works by acting as a semi-transparent proxy for incoming SMTP sessions. MailGuard replaces the outgoing connection banner with a characteristic string of asterisks. Note that even if you believe in the value of banner obfuscation, the PIX-provided banner is distinctive and will immediately alert any potential attacker to the nature of the protection you are using.
It also restricts the incoming SMTP verbs to HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. It will not allow any other verbs, even valid ESMTP verbs. This will break much of the higher-level SMTP functionality taken for granted in today's Internet:
SMTP authentication for clients.
The 8-bit MIME SMTP extension, to allow binary attachments to be transmitted without first requiring conversion to 7-bit ASCII and taking more ...
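A quick way to tell from the outside whether MailGuard is still in the path is to open an SMTP session, look at the greeting, and send EHLO: a PIX with the fixup enabled masks the 220 banner with asterisks and refuses any verb outside its minimum set, so the ESMTP extensions listed above (AUTH, 8BITMIME and the rest) never get advertised. The probe below is an added example, not code from the book; it assumes the masked banner consists only of asterisks after the 220 code and that the rejected EHLO surfaces to the client as a 5xx reply (the exact reply text varies by PIX version). The host name and the sample replies are constructed for illustration.

```python
"""Probe an SMTP listener for signs of Cisco PIX MailGuard (fixup protocol smtp).

Added example, not part of the original recipe. Assumptions: a MailGuarded
220 banner is all asterisks after the reply code, and a blocked EHLO comes
back as a 5xx reply. Exact strings differ between PIX OS versions.
"""
import socket


def read_reply(f):
    """Read one SMTP reply, following RFC 5321 continuation lines ('250-...')."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            break
        lines.append(line)
        # The final line of a reply has a space (not a hyphen) after the code.
        if len(line) < 4 or line[3] != "-":
            break
    return "".join(lines)


def classify(banner, ehlo_reply):
    """Return (mailguard_suspected, reasons) from a captured banner and EHLO reply."""
    reasons = []
    # MailGuard keeps the 220 code but replaces the server's greeting text
    # with a run of asterisks (assumption: nothing but asterisks remains).
    text = banner[3:].strip() if banner.startswith("220") else banner.strip()
    if text and set(text) <= {"*"}:
        reasons.append("220 banner is masked with asterisks")
    # MailGuard only passes HELO/MAIL/RCPT/DATA/RSET/NOOP/QUIT, so EHLO fails
    # (assumption: the failure is reported to the client as a 5xx reply).
    if ehlo_reply.startswith("5"):
        reasons.append("EHLO rejected: " + ehlo_reply.strip().splitlines()[0])
    return (len(reasons) > 0, reasons)


def extensions(ehlo_reply):
    """Return the set of ESMTP keywords advertised in a successful EHLO reply."""
    if not ehlo_reply.startswith("250"):
        return set()
    keywords = set()
    # The first 250 line is the server's greeting; the rest list extensions.
    for line in ehlo_reply.splitlines()[1:]:
        fields = line[4:].split()
        if line.startswith("250") and fields:
            keywords.add(fields[0].upper())
    return keywords


def probe(host, port=25, timeout=10):
    """Connect to host:port, capture the greeting and the EHLO reply, and classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        banner = read_reply(f)
        f.write(b"EHLO probe.example\r\n")
        f.flush()
        ehlo_reply = read_reply(f)
        f.write(b"QUIT\r\n")
        f.flush()
    suspected, reasons = classify(banner, ehlo_reply)
    return suspected, reasons, extensions(ehlo_reply)


# Constructed sample replies (not captured from a real PIX or Exchange server).
MASKED_BANNER = "220 **************************************\r\n"
MASKED_EHLO = "500 5.5.1 Command unrecognized: \"XXXX probe.example\"\r\n"
CLEAN_BANNER = "220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"
CLEAN_EHLO = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH NTLM LOGIN\r\n"
    "250-8BITMIME\r\n"
    "250 CHUNKING\r\n"
)

if __name__ == "__main__":
    for label, b, e in (("masked", MASKED_BANNER, MASKED_EHLO),
                        ("clean", CLEAN_BANNER, CLEAN_EHLO)):
        print(label, classify(b, e), sorted(extensions(e)))
```

Run `probe("your.mail.host")` from outside the firewall: if it reports a masked banner or a rejected EHLO, the fixup is still active and none of the extensions Exchange would normally advertise will be reachable through that path.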