Thanks.  I knew all that.  And I agree.  That's why I posted.  Because I
am getting sick of the topic coming up every two days (and it's been for
a few years, not months), I would really like to get together and
quantify the exact extent of the issue.  (Course, I'd probably be able
to do that with Google or Cisco support, but there's so much "he said -
she said" around this issue I wouldn't trust that)

If your CEO tells you "I can't email my husband, go fix our email system
NOW" and the CEO's husband's Netadmin tells you to go pound sand because
he damn well WILL NOT shut off mailguard, what the heck does some email
admin from some two-bit agency in the middle of Texas know anyway blah
blah blah... What are you gonna say?  Your job is email, his is
security.  He's gonna win on the Cisco debate, for many many of the
people on this list who have 37 other job functions and have never even
SEEN a Cisco firewall.

So my point is to quantify TO WHAT EXTENT Cisco Mailguard is "broken",
if at all.  Or if IOS versions below X.Yy.Zz are "broken" but problem
"A" was fixed in X.Yz.ZZ and problem "B" was fixed in Y.Zz.Aa.  That
way, we can tell Mr. Paper CCMP at CEO's Husband's Employer, Inc. to go
patch his IOS to version Y.Zz.Aa so that my CEO can send email.

Yes.  I know that if I board up all my windows, people are less likely
to throw rocks through them, and so I'm more secure.  And that this is
the "security" mindset that Mailguard uses.  But it's there, and people
use it, and people refuse to disable it, so let's figure out how to deal
with it.

-tom

-----Original Message-----
From: Richard Dann [mailto:[EMAIL PROTECTED]]
Posted At: Sunday, August 26, 2001 10:24 AM
Posted To: MSExchange Mailing List
Conversation: CISCO Pix FixUp Protocol
Subject: RE: CISCO Pix FixUp Protocol


Tom,

There have been a number of discussions on this list in the past few
months on Cisco's "fixup protocol smtp". The general conclusion is that
it is more trouble than it's worth, particularly for a mail system with
inbuilt security features such as Exchange. I suggest taking a look at
exactly what it does and that may help convince your Cisco person that
it is at least unhelpful.

Basically, it restricts you to a subset of basic SMTP commands so all
the advanced features of ESMTP that Exchange can use get blocked. The
sort of thing that will get lost are message size declarations that
could be used to block someone tying up your line with oversize
messages. There is no security advantage in blocking such functions.

I haven't checked the documentation other than for version 5.2 of the
PIX software but in that version they advise putting an Exchange (IMS)
in the DMZ as a security measure. This is absolute rubbish - you would
have to open far more ports than SMTP to get their configuration to
work and you would be far better off using something like Mimesweeper
as a relay and virus scanner or having solid virus scanning on Exchange
itself.

regards,
Richard Dann
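
The effect described in the message above, as an added example that is not part of the original message and is not Cisco code. It assumes the "subset of basic SMTP commands" is the RFC 821 minimum set; the hostnames, addresses and the server's EHLO reply are constructed samples.

```python
# Added illustration, not Cisco code: a simplified model of a command allowlist.
# Assumption: the "subset of basic SMTP commands" is the RFC 821 minimum set.
RFC821_MINIMUM = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Constructed sample: the client tries EHLO, then falls back to HELO.
SAMPLE_CLIENT = [
    "EHLO mail.example.org", "HELO mail.example.org",
    "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>", "DATA",
    "Subject: constructed test", "", "EHLO is only a word in this body line",
    ".", "QUIT",
]
# Constructed sample: what the server would answer to EHLO if it arrived.
SAMPLE_EHLO_REPLY = ["250-mx.example.net Hello", "250-SIZE 10485760",
                     "250-8BITMIME", "250 DSN"]


def filter_session(client_lines, allowed=RFC821_MINIMUM):
    """Split one session's client lines into (forwarded, blocked)."""
    forwarded, blocked, in_data = [], [], False
    for line in client_lines:
        if in_data:                      # message content is not inspected
            forwarded.append(line)
            in_data = line != "."
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in allowed:
            forwarded.append(line)
            in_data = verb == "DATA"
        else:
            blocked.append(line)
    return forwarded, blocked


def advertised_extensions(ehlo_reply):
    """Parse a multi-line 250 reply to EHLO into {keyword: parameters}."""
    exts = {}
    for line in ehlo_reply[1:]:          # first line only names the server
        if line.startswith("250") and len(line) > 4:
            keyword, _, params = line[4:].partition(" ")
            exts[keyword.upper()] = params
    return exts


def usable_extensions(client_lines, ehlo_reply, allowed=RFC821_MINIMUM):
    """Extensions the client can still learn about with the filter in path."""
    _, blocked = filter_session(client_lines, allowed)
    if any(b.split(" ", 1)[0].upper() == "EHLO" for b in blocked):
        return {}                        # EHLO never reached the server
    return advertised_extensions(ehlo_reply)


if __name__ == "__main__":
    print(filter_session(SAMPLE_CLIENT)[1])
    print(usable_extensions(SAMPLE_CLIENT, SAMPLE_EHLO_REPLY))
```

With EHLO blocked the client never sees the server's SIZE limit, so an oversize message is refused only after it has crossed the link.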


> -----Original Message-----
> From: Tom Meunier [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, August 26, 2001 1:27 AM
> To:   Exchange Discussions
> Subject:      RE: CISCO Pix FixUp Protocol
> 
> This has been a continuing sticking point between our Cisco person and
> me.  I insist that he turn it off, and he doesn't like it one bit.  We
> haven't really tested it properly.  We had some problems earlier this
> year, got a new IOS, and haven't had any problems since.   Cisco blames
> any problems on Microsoft.  I can turn mailguard on & off and mail
> doesn't bounce.
> 
> So here's the deal:  Anyone out there who is having problems with
> somebody who refuses to disable their smtp fixup protocol, please let me
> know off-list.  For sake of information, I'd like to see if I can turn
> mine on temporarily and send mail get through it, from a foreign system
> that we ALREADY KNOW is having issues.  That way we can at least see if
> there's a difference in results based upon IOS version, the Pix model,
> whatever.  I've got an inkling that there may be, but I only have one
> Pix, and I'm not about to roll it back.
> 
> So anyone who thinks they're having problems sending through the
> mailguard feature of the Pix, please send me an off-list email and I'll
> set aside a few hours to do some testing within the next couple of
> weeks.
> 
> (And Jean-Francois, if you'd like to act as a control group, I'd
> appreciate it - the state won't buy me a spare pix ;) )
> 
> Tom Meunier
> Network Administrator
> State of Texas Office of Court Administration
> (512) 463-0282
> [EMAIL PROTECTED]  
> 
> -----Original Message-----
> From: Jean-Francois Bourdeau [mailto:[EMAIL PROTECTED]]
> Posted At: Saturday, August 25, 2001 8:42 AM
> Posted To: MSExchange Mailing List
> Conversation: CISCO Pix FixUp Protocol
> Subject: CISCO Pix FixUp Protocol
> 
> 
> Hi
> 
> Has anyone had a problem with the CISCO Pix FixUp Protocol feature?
> 
> When activating that, my ex 2000 can't receive email
> 
> We deactivated the FixUp Protocol
> 
> JF
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 