At 1:07 PM -0600 3/2/02, Michael A. Pasek imposed structure on a stream of electrons, yielding:

>Sorry for the late post; I'm a little behind in my email......
>
>In SIMS Digest #1636, Christian F Buser wrote:
>>>>[much stuff deleted]
>>>> 17:50:09 4 SMTP-040([212.71.103.177]) Input Line: XXXX [172.16.7.3]\r
>>>>[more stuff deleted]
>
>To which Dmitry Akindinov responded:
>>More likely, it's an SMTP-filtering firewall, like Cisco PIX.
>
>I didn't know that the PIX did anything more than packet filtering....does
>it really have the capability to do inspection/replacement of the "data"
>portion of a TCP packet?
YES. See http://www.google.com/search?hl=en&q=pix+XXXX+smtp for some details on this particular issue.

>I know application-gateway firewalls like Sidewinder, Gauntlet, and
>Raptor could _possibly_ be configured to do this, and you could certainly
>do it with a dual-MTA configuration (where one just queues, a time-triggered
>scanning/replacement routine takes the mail from the first MTA's queue, and
>then moves it to the second MTA's queue for delivery), but I haven't seen
>an actual implementation of this.

The PIX is far more than a filtering router. It has 'fixup' protocol proxies, including one for SMTP. It intercepts the SMTP session and then relays commands to the SMTP server on the other end. The reason it does the XXXX thing is that it is designed to allow only the commands originally specified in RFC 821, not ANY extensions. To keep the state of the real outside SMTP server and the client consistent, it has to assure that the server is in a 'bad command' state if it sends a 500 error back to the client for an extension command like EHLO.

I can't explain any rational justification for doing this sort of thing with SMTP, where the extensions are really not the security problems; the core functionality is.

-- 
Bill Cole
[EMAIL PROTECTED]
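As an added illustration, not code from this thread or from Cisco, here is a toy Python model of the behaviour Bill describes: a fixup proxy that passes RFC 821 verbs through, overwrites any other verb with X's so the real server answers 500, plus a small check that flags the resulting "XXXX" input lines in a server log like the one Christian posted. The permitted-verb set, the stand-in server and the log pattern are all assumptions made for this example.

```python
# Toy model, not Cisco's implementation: an SMTP "fixup" proxy that lets only
# RFC 821 verbs through and X-masks anything else so the real server replies
# 500, plus a log check for the "XXXX" lines such a proxy leaves behind.
import re

# Verbs defined in RFC 821 (assumed, per the thread, to be the set the PIX permits).
RFC821_COMMANDS = {
    "HELO", "MAIL", "RCPT", "DATA", "RSET", "SEND", "SOML", "SAML",
    "VRFY", "EXPN", "HELP", "NOOP", "QUIT", "TURN",
}

def fixup_smtp_line(line: str) -> str:
    """Overwrite the verb of any non-RFC-821 command with X's (EHLO -> XXXX)."""
    verb, sep, rest = line.partition(" ")
    if verb.upper() in RFC821_COMMANDS:
        return line
    return "X" * len(verb) + sep + rest

def toy_smtp_server(line: str) -> str:
    """Stand-in for the real server: speaks RFC 821 plus the EHLO extension."""
    verb = line.split(" ", 1)[0].upper()
    if verb == "EHLO":
        return "250-mail.example.test\r\n250 STARTTLS"  # extension would be offered
    if verb == "HELO":
        return "250 mail.example.test"
    if verb in RFC821_COMMANDS:
        return "250 OK"
    return "500 Command unrecognized"  # what the masked EHLO provokes

def relay_through_fixup(client_lines):
    """Return (line as forwarded, server reply) for each client command,
    i.e. the session as the real server and the client actually see it."""
    return [(fixed, toy_smtp_server(fixed))
            for fixed in map(fixup_smtp_line, client_lines)]

def log_line_shows_fixup(log_line: str) -> bool:
    """True when a server log entry's SMTP verb is entirely X's, the trace an
    SMTP fixup proxy leaves when a client tried an extension command."""
    m = re.search(r"Input Line: (\S+)", log_line)
    return bool(m) and set(m.group(1)) == {"X"}

if __name__ == "__main__":
    # Constructed session: an ESMTP client behind the proxy.
    for sent, reply in relay_through_fixup(["EHLO client.example.test",
                                            "HELO client.example.test", "QUIT"]):
        print(f"{sent!r:40} -> {reply!r}")
    # The log line Christian posted, as reproduced in this thread (without the trailing \r).
    print(log_line_shows_fixup(
        "17:50:09 4 SMTP-040([212.71.103.177]) Input Line: XXXX [172.16.7.3]"))
```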
