SMTP Fixup -- On or Off???

on 31.03.2005 13:58:18 by papem

We've been experiencing some issues with receiving mail from an on-line
survey company (ZARCA). Up to a third of the messages are bounced with
the "unknown user" response. The funny thing is, there are no log
entries on our mail exchangers indicating that the bounced emails ever
hit the servers, and there are no log entries for the DSNs that are
apparently being sent back to ZARCA. After a month of dealing with
ZARCA they have yet to produce the DSNs so that we can verify where
they are coming from. Their solution is to open our mail exchangers to
relay mail from their domain/mail server.

Our SPAM solution provider (Canit) says to shut off the SMTP fixup
option on our Cisco PIX 525 firewall. From what I've read on-line, a
lot of sites are turning this option off, however our network
administrator is against doing this and feels that it is a substantial
security risk.

Is shutting off the SMTP fixup option a large security risk? Larger or
smaller than opening up a relay to the ZARCA mail server?

Thanks,
Mike

Re: SMTP Fixup -- On or Off???

on 31.03.2005 14:13:51 by Sam

papem@union.edu writes:

> Our SPAM solution provider (Canit) says to shut off the SMTP fixup
> option on our Cisco PIX 525 firewall. From what I've read on-line, a
> lot of sites are turning this option off, however our network

Correct. This so-called “option” is a known laughing stock. It basically
screws up all SMTP connections, without really getting anything of value in return.
It's just pure luck that some SMTP sessions manage to complete successfully,
despite Cisco's best efforts otherwise.

> administrator is against doing this and feels that it is a substantial
> security risk.

Fire your network administrator, for incompetence, and hire someone who
knows what he's doing.

> Is shutting off the SMTP fixup option a large security risk? Larger or

No. Do you even know what this “SMTP fixup option” really does?

Re: SMTP Fixup -- On or Off???

on 31.03.2005 14:25:01 by Marco Senft

papem@union.edu wrote:
> Is shutting off the SMTP fixup option a large security risk? Larger or
> smaller than opening up a relay to the ZARCA mail server?

The only thing I know about the 'fixup protocol smtp' feature of Cisco
PIX is that it cripples SMTP connectivity without offering any real
security advantages. Turning it off will be no security risk at all.
Blocking all connections to port 25 (except to your mail servers of
course) is far more useful.

--
Marco Senft Tel +41 81 413 11 92
http://www.t2g.ch/ Mobile +41 79 696 16 25

Re: SMTP Fixup -- On or Off???

on 31.03.2005 15:17:48 by Wolfgang Kueter

papem@union.edu wrote:

> [Problems receiving mail through a PIX with fixup protocol SMTP on]

The Cisco PIX fixup protocol smtp command has been

a) a constant source of problems
b) of no security value

for years. It is commonly known as 'f*ck*p protocol smtp' and disabling it
is the usual solution.

Wolfgang

Re: SMTP Fixup -- On or Off???

on 31.03.2005 15:48:55 by DFS

papem@union.edu wrote:

> Our SPAM solution provider (Canit) says to shut off the SMTP fixup
> option on our Cisco PIX 525 firewall.

Hi, Mike.

(I'm the CanIt guy... :-)

I think the other responses to your question pretty much back up
our position. Cisco's "SMTP fixup" option is disruptive, invasive,
badly thought-out, badly implemented, irritating, and useless from
a security perspective.

Regards,

David.

Re: SMTP Fixup -- On or Off???

on 31.03.2005 16:37:05 by Wolfgang Kueter

David F. Skoll wrote:

> I think the other responses to your question pretty much back up
> our position. Cisco's "SMTP fixup" option is disruptive, invasive,
> badly thought-out, badly implemented, irritating, and useless from
> a security perspective.

no fixup protocol smtp 25

is usually amongst the first commands after unpacking a PIX and connecting
the console cable to the device. The line is usually included in any PIX
configuration template ...

Wolfgang
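
Added example, not part of any post in this thread: a check for the two commonly reported signs that 'fixup protocol smtp' is rewriting a session, namely a greeting banner masked with asterisks and ESMTP commands such as EHLO answered with a 500 error. The transcripts, host names and function names are constructed for illustration, and the indicators are hints rather than proof.

```python
import re

# Assumption (general knowledge of the feature, not stated in the thread):
# the fixup passes only the RFC 821 minimum command set and overwrites
# anything else before the mail server sees it.
RFC821_MINIMUM = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

REPLY_RE = re.compile(r"^(\d{3})([ -]?)(.*)$")


def parse_session(transcript):
    """Group a captured session into exchanges.

    Lines start with 'C: ' (client command) or 'S: ' (server reply).
    Multi-line replies ('250-...') are folded into one exchange.
    The greeting banner has command None.
    """
    exchanges, current, pending_cmd = [], None, None
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            pending_cmd, current = text, None
        elif side == "S":
            m = REPLY_RE.match(text)
            if not m:
                continue  # not an SMTP reply line
            code, sep, rest = m.groups()
            if current is None:
                current = {"command": pending_cmd, "code": int(code), "text": []}
                exchanges.append(current)
                pending_cmd = None
            current["text"].append(rest)
            if sep != "-":  # last line of the reply
                current = None
    return exchanges


def fixup_indicators(transcript):
    """Return the signs of SMTP command filtering seen in the session."""
    found = []
    for ex in parse_session(transcript):
        text = " ".join(ex["text"])
        if ex["command"] is None and ex["code"] == 220:
            # A greeting that is mostly '*' has been masked in transit.
            if text and text.count("*") / len(text) > 0.5:
                found.append("masked_banner")
        elif ex["command"]:
            verb = ex["command"].split()[0].upper()
            # A very old server also rejects EHLO, so treat this as a hint.
            if verb not in RFC821_MINIMUM and ex["code"] in (500, 502):
                found.append("rejected:" + verb)
    return found


# Constructed sample: a session as seen from outside a filtering firewall.
THROUGH_FIXUP = """
S: 220 ****************************0*2******0***********2*****0*00
C: EHLO survey.example.net
S: 500 Command unrecognized
C: HELO survey.example.net
S: 250 mx.example.edu Hello survey.example.net
C: QUIT
S: 221 closing connection
"""

# Constructed sample: the same server reached without the filter.
DIRECT = """
S: 220 mx.example.edu ESMTP ready
C: EHLO survey.example.net
S: 250-mx.example.edu
S: 250-PIPELINING
S: 250 8BITMIME
C: QUIT
S: 221 closing connection
"""

if __name__ == "__main__":
    print(fixup_indicators(THROUGH_FIXUP))
    print(fixup_indicators(DIRECT))
```

Capturing the same session from outside and from inside the firewall and comparing the two results shows whether the mail server or a device in the path is producing the rejections.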

Re: SMTP Fixup -- On or Off???

on 31.03.2005 18:51:33 by roberson

In article ,
David F. Skoll wrote:
:I think the other responses to your question pretty much back up
:our position. Cisco's "SMTP fixup" option is disruptive, invasive,
:badly thought-out, badly implemented, irritating, and useless from
:a security perspective.

A small anecdote on the way to a point:

We got joe-jobbed a few weeks ago on a major spam run (the replica
watches one). 67000 bounce messages to us over 36 hours, mostly for
accounts that no longer existed, so you can figure that the run was
probably pretty close to a million pieces when it went out. My
hand-crafted sendmail anti-spam measures (which spawn about 8 different
perl processes per message) couldn't keep up, so I had to replace
sendmail with qmail and have nearly all incoming messages dumped
into a pool for later sorting. Had to develop sorting tools too, sigh.

The PIX smtp 'fixup' would not have helped nor hindered this spam
bounce run, as each of the bounce messages was RFC822 compliant.

Anyhow, after spending a few days developing sorting tools to extract
the useful messages from the slush (and it did so happen that we
received an unusually high number of useful messages that day), I
happened to notice that one of the messages we received was entitled "I
love you". [We've seen at least three more of those since then.]

That is to say, there are still systems out there that are infected
with the "I love you" virus... a virus that was current in May 2000.


Now, as far as I know, Cisco's SMTP fixup doesn't protect you against
the "I love you" virus, but what it does protect you against is
attacks of roughly the same genre -- it protects you against
attacks that no-one has bothered to undertake seriously for years
because the underlying bugs to be exploited were patched years and
years ago.

But, hey, if your mail server hasn't had a software upgrade since 1989,
then the "smtp fixup" could be useful in protecting you from viruses
kept alive in fourth-world backwoods where operating systems haven't
been upgraded or secured since Windows 95.

Why are such systems on the 'net? Well it wasn't long ago at all (mere
weeks) that we had someone in one of the security newsgroups who
claimed to be an expert in MS security, who used a MS version pretty much
that old, on the basis that he knew what he was getting into, and that
software that old was less likely to be targeted for new exploits than
the now much more common Windows XP.


And truth to tell, I find it difficult to recommend to my relatives
that they upgrade from Windows ME to XP -- they'd need to buy a
faster computer (which they don't have the money for), and they don't
have any use for the newer facilities introduced in W2K or XP... it'd
be strictly an expensive upgrade to patch security holes.
--
History is a pile of debris -- Laurie Anderson

Re: SMTP Fixup -- On or Off???

on 31.03.2005 19:08:49 by John Mason Jr

papem@union.edu wrote:
> We've been experiencing some issues with receiving mail from an on-line
> survey company (ZARCA). Up to a third of the messages are bounced with
> the "unknown user" response. The funny thing is, there are no log
> entries on our mail exchangers indicating that the bounced emails ever
> hit the servers, and there are no log entries for the DSNs that are
> apparently being sent back to ZARCA. After a month of dealing with
> ZARCA they have yet to produce the DSNs so that we can verify where
> they are coming from. Their solution is to open our mail exchangers to
> relay mail from their domain/mail server.
>
> Our SPAM solution provider (Canit) says to shut off the SMTP fixup
> option on our Cisco PIX 525 firewall. From what I've read on-line, a
> lot of sites are turning this option off, however our network
> administrator is against doing this and feels that it is a substantial
> security risk.
>
> Is shutting off the SMTP fixup option a large security risk? Larger or
> smaller than opening up a relay to the ZARCA mail server?
>
> Thanks,
> Mike
>


Read the response of Walter Roberson in this thread

The folks at CanIt are correct

John

Re: SMTP Fixup -- On or Off???

on 31.03.2005 21:39:45 by ynotssor

wrote in message
news:1112270298.710520.114040@z14g2000cwz.googlegroups.com

> Our SPAM solution provider (Canit) says to shut off the SMTP fixup
> option on our Cisco PIX 525 firewall. From what I've read on-line, a
> lot of sites are turning this option off, however our network
> administrator is against doing this and feels that it is a substantial
> security risk.

Turn off the fixup and get a competent network administrator.

Re: SMTP Fixup -- On or Off???

on 31.03.2005 22:03:35 by Munpe Q

ynotssor, I agree with you completely. And while you're at it, get a
competent firewall.
