sendmail box behind firewall
I recently moved my sendmail box from a public network to a private
network behind a PIX firewall. I notice now on my box I have a lot of
open connections that drop off slowly.
root 15495 2551 0 02:50 ? 00:00:00 sendmail: server [62.xxx.xx.xxx] cmd read
root 15526 2551 0 02:51 ? 00:00:00 sendmail: server [80.xx.xxx.xx] cmd read
root 15589 2551 0 02:53 ? 00:00:00 sendmail: server [82.xxx.xxx.xxx] cmd read
root 15735 2551 0 03:02 ? 00:00:00 sendmail: server [220.xx.xxx.xxx] cmd read
What does this mean?
Re: sendmail box behind firewall
larsk wrote:
> I recently moved my sendmail box from a public network to a private
> network behind a PIX firewall. I notice now on my box I have a lot of
> open connections that drop off slowly.
>
> root 15495 2551 0 02:50 ? 00:00:00 sendmail: server [62.xxx.xx.xxx] cmd read
> root 15526 2551 0 02:51 ? 00:00:00 sendmail: server [80.xx.xxx.xx] cmd read
> root 15589 2551 0 02:53 ? 00:00:00 sendmail: server [82.xxx.xxx.xxx] cmd read
> root 15735 2551 0 03:02 ? 00:00:00 sendmail: server [220.xx.xxx.xxx] cmd read
>
> What does this mean?
You don't have the Cisco SMTP fixup option turned on, have you? If so,
turn it off with this command on the PIX:
# no fixup protocol smtp 25
--
Marco Senft
http://www.t2g.ch/
Re: sendmail box behind firewall
Yes, that option is on... what does it relate to?
Marco Senft wrote:
> larsk wrote:
> > I recently moved my sendmail box from a public network to a private
> > network behind a PIX firewall. I notice now on my box I have a lot of
> > open connections that drop off slowly.
> >
> > root 15495 2551 0 02:50 ? 00:00:00 sendmail: server [62.xxx.xx.xxx] cmd read
> > root 15526 2551 0 02:51 ? 00:00:00 sendmail: server [80.xx.xxx.xx] cmd read
> > root 15589 2551 0 02:53 ? 00:00:00 sendmail: server [82.xxx.xxx.xxx] cmd read
> > root 15735 2551 0 03:02 ? 00:00:00 sendmail: server [220.xx.xxx.xxx] cmd read
> >
> > What does this mean?
>
> You don't have the Cisco SMTP fixup option turned on, have you? If so,
> turn it off with this command on the PIX:
>
> # no fixup protocol smtp 25
>
>
> --
> Marco Senft
> http://www.t2g.ch/
Re: sendmail box behind firewall
larsk wrote:
> Yes, that option is on... what does it relate to?
This 'feature' is crippling nearly all SMTP conversations and thus
introduces problems of all kinds into email connectivity. It's worse
than useless. Search Google for 'cisco smtp fixup' for further
information on this. Disabling it has absolutely no security drawbacks.
--
Marco Senft
http://www.t2g.ch/
Re: sendmail box behind firewall
larsk (larskman [at] gmail.com) wrote:
: I recently moved my sendmail box from a public network to a private
: network behind a PIX firewall. I notice now on my box I have a lot of
: open connections that drop off slowly.
: root 15495 2551 0 02:50 ? 00:00:00 sendmail: server [62.xxx.xx.xxx] cmd read
: root 15526 2551 0 02:51 ? 00:00:00 sendmail: server [80.xx.xxx.xx] cmd read
: root 15589 2551 0 02:53 ? 00:00:00 sendmail: server [82.xxx.xxx.xxx] cmd read
: root 15735 2551 0 03:02 ? 00:00:00 sendmail: server [220.xx.xxx.xxx] cmd read
: What does this mean?
It means that your PIX software is out of date. The older
versions can't handle ESMTP and thus tend to mess up mail. Upgrade to
a current version.
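Both replies above point at the same failure mode: an SMTP inspection device that only understands the original RFC 821 command set and mangles ESMTP. The following is an added diagnostic, not code from the thread or from Cisco; it classifies a captured banner and EHLO reply for the two well-known symptoms of the old PIX Mailguard fixup (the server banner rewritten to asterisks, and a 500 answer to EHLO), and can optionally run the probe live against a host you operate. The sample transcripts in the test are constructed.

```python
"""Detect PIX Mailguard-style SMTP 'fixup' interference from an SMTP
greeting and the reply to EHLO (added example, not part of the thread)."""
import re
import socket

# The seven RFC 821 commands the legacy "fixup protocol smtp" lets through.
# Everything else (EHLO, STARTTLS, AUTH, ...) is defeated, so the client
# ends up seeing a 500-class reply and falls back to plain HELO.
LEGACY_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def command_allowed(cmd: str) -> bool:
    """True if the SMTP verb survives the legacy fixup unchanged."""
    return cmd.upper() in LEGACY_COMMANDS


def classify_exchange(banner: str, ehlo_reply: str) -> dict:
    """Classify one banner line and the first line of the EHLO reply."""
    findings = {"banner_masked": False, "ehlo_rejected": False, "verdict": "ok"}
    # Mailguard rewrites the greeting to '220 ' followed only by asterisks,
    # hiding the server software string from the client.
    if re.fullmatch(r"220[ -]\*+\s*", banner):
        findings["banner_masked"] = True
    # A 500 to EHLO means the extended dialogue (and with it STARTTLS,
    # AUTH, SIZE, PIPELINING) is being blocked somewhere in the path.
    if ehlo_reply.startswith("500"):
        findings["ehlo_rejected"] = True
    if findings["banner_masked"] or findings["ehlo_rejected"]:
        findings["verdict"] = "smtp inspection/fixup suspected"
    return findings


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against a host you administer: read the banner, send
    EHLO, classify the first reply line, then QUIT politely."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace")
        s.sendall(b"EHLO probe.example\r\n")
        reply = s.recv(1024).decode(errors="replace").splitlines()[0]
        s.sendall(b"QUIT\r\n")
    return classify_exchange(banner, reply)
```

Run `probe("your.mail.host")` from outside the firewall and compare with the same call from inside; a masked banner or a rejected EHLO only on the outside path confirms the firewall, not sendmail, is the problem.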
Re: sendmail box behind firewall
John Nemeth wrote:
> larsk (larskman [at] gmail.com) wrote:
> : I recently moved my sendmail box from a public network to a private
> : network behind a PIX firewall. I notice now on my box I have a lot of
> : open connections that drop off slowly.
>
> : root 15495 2551 0 02:50 ? 00:00:00 sendmail: server [62.xxx.xx.xxx] cmd read
> : root 15526 2551 0 02:51 ? 00:00:00 sendmail: server [80.xx.xxx.xx] cmd read
> : root 15589 2551 0 02:53 ? 00:00:00 sendmail: server [82.xxx.xxx.xxx] cmd read
> : root 15735 2551 0 03:02 ? 00:00:00 sendmail: server [220.xx.xxx.xxx] cmd read
>
> : What does this mean?
>
> It means that your PIX software is out of date. The older
> versions can't handle ESMTP and thus tend to mess up mail. Upgrade to
> a current version.
I had this problem years ago with a PIX. The PIX was dropping instead of
denying ident. Have never used a PIX since.
Re: sendmail box behind firewall
Tony wrote:
> John Nemeth wrote:
[...]
>>
>> It means that your PIX software is out of date. The older
>> versions can't handle ESMTP and thus tend to mess up mail. Upgrade to
>> a current version.
Current versions also tend to mess up mail if you let them.
> I had this problem years ago with a PIX. The PIX was dropping instead of
> denying ident. Have never used a PIX since.
For both cases, there's also the alternative of configuring the PIX properly.
SCNR
--
Tilman Schmidt t.schmidt [at] phoenixsoftware.de
Phoenix Software GmbH Tel. +49 228 97199 0
Adolf-Hombitzer-Str. 12 Fax +49 228 97199 99
53227 Bonn, Germany http://www.phoenixsoftware.de
Re: sendmail box behind firewall
Tony (tonysusenetemailaddress.removethisbit [at] tonyw.com) wrote:
: John Nemeth wrote:
: > larsk (larskman [at] gmail.com) wrote:
: > : I recently moved my sendmail box from a public network to a private
: > : network behind a PIX firewall. I notice now on my box I have a lot of
: > : open connections that drop off slowly.
: >
: > : root 15495 2551 0 02:50 ? 00:00:00 sendmail: server [62.xxx.xx.xxx] cmd read
: > : root 15526 2551 0 02:51 ? 00:00:00 sendmail: server [80.xx.xxx.xx] cmd read
: > : root 15589 2551 0 02:53 ? 00:00:00 sendmail: server [82.xxx.xxx.xxx] cmd read
: > : root 15735 2551 0 03:02 ? 00:00:00 sendmail: server [220.xx.xxx.xxx] cmd read
: >
: > : What does this mean?
: >
: > It means that your PIX software is out of date. The older
: > versions can't handle ESMTP and thus tend to mess up mail. Upgrade to
: > a current version.
: I had this problem years ago with a PIX. The PIX was dropping instead of
: denying ident. Have never used a PIX since.
This is purely a configuration issue. It is hardly the PIX's
fault that you don't know how to configure it properly.
BTW, many security experts consider dropping unwanted traffic to
be the most appropriate thing to do. Personally, I consider ident to
be somewhat special because of how it is used and would create a
specific rule to "deny" it.