(I live!)

> -----Original Message-----
> From: [EMAIL PROTECTED]
[...]
> On Tue, 8 Jan 2002, Network Operations wrote:
>
> > At first glance I was about to dump this as being an OT mail (Exchange
> > server) issue however, I seem to recall a similar problem some time
> > ago.
>
> I'm still not convinced it is not your original interpretation, though
> it has been a long long time since I played with exchange and I could
> well be wrong.
[...]

I'm betting heavily on the "server misconfiguration" explanation. Note
that the poster says the problem occurs when they turn on authentication.
Since there is no authentication mechanism for basic SMTP (check RFC 821
or, more recently, 2821) any authentication MUST occur as an extension -
i.e. through ESMTP. (For the curious, there's a link from the postfix team
that I found useful, which also references some SMTP Auth RFCs. [1])

The PIX, for example, doesn't support ESMTP at all. Not even a little bit.
It wouldn't surprise me if CBAC doesn't either. That doesn't really make it
a firewall issue, though, since any mail server that _requires_ ESMTP for
inbound mail from the general Internet is broken, IMHO.

> > I think the reason why your internal email is getting bounced is
> > because when IDENT/auth lookups (port 113 udp/tcp authentication) are
> > enabled, your firewall is probably denying the IDENT lookups to your
> > internal hosts.
[...]

(nitpick) Those ident requests only go from server to server, and it's
tcp 113, not udp.

The problem you're referring to is common, and extremely hard to pin down
the first time it's encountered. It normally occurs on outbound mail,
though, unless one is running a mailserver which uses the ident mechanism
(and has it enabled) - Exchange is not one of those.

> This might work differently for exchange systems, but, if I recall, for
> sendmail and other unix like SMTP implementations it only results in
> extremely slow traffic as the SMTP gateway hangs for periods. Does a
> sendmail or other implementation actually start rejecting traffic in
> such an auth-less environment?

What can happen is that the ident request takes a while to time out, and
the sending server decides that the connection has gone and gives up. This
can also manifest as a nasty race condition where things _sometimes_ work -
slowly, and then die completely during slow periods.

I have never seen anywhere that requires a successful ident lookup before
it will accept mail, although I'm sure it's an option.

> Ron DuFresne
>
> > >>> "Prathabacimman.M" <[EMAIL PROTECTED]> 01/07 9:56 PM >>>
> > Thanks to Henry Sieff
> >
> > Adding more to the above problem yesterday we solved the problem but
> > temporarily. As we remove "ip inspect name 'name' smtp" things have
> > started moving smoothly. But our situation forces us to implement
> > smtp monitoring. How to go about it..

CBAC doesn't do any SMTP monitoring - it just makes sure all the commands
are correct and tries to stop some obvious attacks. It sounds like you
actually need a tool to do antivirus / "content inspection" of mail
traffic, which is a different problem.

My advice:

Leave the external authentication turned OFF. You can solve the relay
problem without turning it on - read the documentation for Exchange on
microsoft.com, or try KB article Q193922 [2].

Leave CBAC on. It's vaguely useful, provided one doesn't expect too much
of it.

Get a box that sits in front of your Exchange server (logically) and
relays all mail. Make this box do AV and content filtering (there are free
and payware tools to do this). (Personally, I think content filtering is
crazy and impossible to do properly. This hasn't stopped me from agreeing
to implement it in several sites, due to annoying legal / statutory
climates.)

> > Prathabacimman.M (call me prathab)
> > [...]

Good luck.

[1] http://www.thecabal.org/~devin/postfix/smtp-auth.txt
[2] http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q193922

--
Ben Nagy
Unemployed Network Security Specialist (Needs a job in Geneva ;)
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
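As an added diagnostic example (not code from this thread or from any of the products named in it), the following Python script checks the point made above: AUTH is an ESMTP extension, so it can only be negotiated if the server's EHLO reply reaches the client intact, which a device that only passes plain RFC 821 SMTP prevents. The sample replies, host names and addresses are constructed; only probe() touches the network.

```python
import smtplib


# Constructed sample EHLO replies (not captured from the systems in the thread).
# An ESMTP server advertises AUTH as an extension in its multi-line EHLO reply...
SAMPLE_ESMTP_REPLY = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)
# ...whereas a plain RFC 821 server, or a path that strips ESMTP, rejects EHLO.
SAMPLE_NO_ESMTP_REPLY = "500 Command unrecognized: \"EHLO\"\r\n"


def parse_ehlo_reply(reply):
    """Return {EXTENSION: parameters} from a raw EHLO reply, or {} if EHLO failed."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        return {}
    features = {}
    for line in lines[1:]:            # first line is the server's greeting
        body = line[4:].strip()       # drop the "250-" / "250 " prefix
        keyword, _, params = body.partition(" ")
        if keyword:
            features[keyword.upper()] = params.strip()
    return features


def diagnose(reply):
    """Classify an EHLO reply: 'no-esmtp', 'no-auth' or 'auth:<mechanisms>'."""
    if not reply.startswith("250"):
        return "no-esmtp"             # EHLO refused: AUTH can never be negotiated
    features = parse_ehlo_reply(reply)
    if "AUTH" not in features:
        return "no-auth"              # ESMTP works but no AUTH extension offered
    return "auth:" + features["AUTH"]


def probe(host, port=25, timeout=10):
    """Live version of diagnose() using the standard library's own EHLO parsing."""
    with smtplib.SMTP(timeout=timeout) as conn:
        conn.connect(host, port)
        code, _ = conn.ehlo()
        if code != 250:
            return "no-esmtp"
        auth = conn.esmtp_features.get("auth")
        return "no-auth" if auth is None else "auth:" + auth.strip()
```

Running probe() from inside and from outside the firewall and comparing the two results shows whether the inspection device, rather than the mail server, is what removes the AUTH offer.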
