From: Asai on 2 Jul 2010 19:20

Gary Chambers wrote:
> Asai,
>
>> Eero, can you please elaborate on this? I don't follow you.
>> "Nice servers with cisco pix smtp fixout enabled."
>
> Eero is asserting that the mail server to which you are trying to
> connect is behind a Cisco PIX/ASA firewall. Those devices have a
> known bug that causes trouble with some mail servers due to it mangling
> the SMTP banner. Take a look at:
>
> http://blogs.oucs.ox.ac.uk/networks/2009/11/26/cisco-firewall-smtp-fixup-considered-harmful/
>
> -- Gary Chambers
>
> /* Nothing fancy and nothing Microsoft! */

OK. Has anyone successfully been able to work around this issue?

--
asai

From: Charles Marcus on 3 Jul 2010 15:14

On 2010-07-02 7:20 PM, Asai wrote:
> OK. Has anyone successfully been able to work around this issue?

The only way is to have the admin for the CISCO PIX disable the stupid
smtp fixup garbage on the CISCO box.

As far as I know, there is NEVER any reason to have this enabled on an
internet facing box that receives mail from 'wherever'...

--
Best regards,
Charles

From: Jeroen Geilman on 3 Jul 2010 17:18

On 07/03/2010 09:14 PM, Charles Marcus wrote:
> On 2010-07-02 7:20 PM, Asai wrote:
>
>> OK. Has anyone successfully been able to work around this issue?
>
> The only way is to have the admin for the CISCO PIX disable the stupid
> smtp fixup garbage on the CISCO box.
>
> As far as I know, there is NEVER any reason to have this enabled on an
> internet facing box that receives mail from 'wherever'...

"fixup protocol smtp" on a Cisco PIX firewall does several things:

1. it inspects every single SMTP packet it sees
2. it disallows all but the SMTP commands explicitly stated in RFC [8|28|53]21
and
3. it replaces the SMTP greeting banner with a generic one

It is obviously the latter you have an issue with :)

While I agree that it should never be enabled *by default*, it's hardly
stupid, predating modern anti-spam measures such as policy daemons and
DNSBLs by at least 10 years.

J.

From: Asai on 3 Jul 2010 17:20

Jeroen Geilman wrote:
> On 07/03/2010 09:14 PM, Charles Marcus wrote:
>> On 2010-07-02 7:20 PM, Asai wrote:
>>
>>> OK. Has anyone successfully been able to work around this issue?
>>
>> The only way is to have the admin for the CISCO PIX disable the stupid
>> smtp fixup garbage on the CISCO box.
>>
>> As far as I know, there is NEVER any reason to have this enabled on an
>> internet facing box that receives mail from 'wherever'...
>
> "fixup protocol smtp" on a Cisco PIX firewall does several things:
>
> 1. it inspects every single SMTP packet it sees
> 2. it disallows all but the SMTP commands explicitly stated in RFC
> [8|28|53]21
> and
> 3. it replaces the SMTP greeting banner with a generic one
>
> It is obviously the latter you have an issue with :)
>
> While I agree that it should never be enabled *by default*, it's
> hardly stupid, predating modern anti-spam measures such as
> policy daemons and DNSBLs by at least 10 years.
>
> J.

Thank you for your responses.
Is there anything I can do on my end? As far as the SMTP greeting banner?

--
asai

From: Jeroen Geilman on 3 Jul 2010 17:22

On 07/03/2010 11:20 PM, Asai wrote:
> Jeroen Geilman wrote:
>> On 07/03/2010 09:14 PM, Charles Marcus wrote:
>>> On 2010-07-02 7:20 PM, Asai wrote:
>>>> OK. Has anyone successfully been able to work around this issue?
>>> The only way is to have the admin for the CISCO PIX disable the stupid
>>> smtp fixup garbage on the CISCO box.
>>>
>>> As far as I know, there is NEVER any reason to have this enabled on an
>>> internet facing box that receives mail from 'wherever'...
>>
>> "fixup protocol smtp" on a Cisco PIX firewall does several things:
>>
>> 1. it inspects every single SMTP packet it sees
>> 2. it disallows all but the SMTP commands explicitly stated in RFC
>> [8|28|53]21
>> and
>> 3. it replaces the SMTP greeting banner with a generic one
>>
>> It is obviously the latter you have an issue with :)
>>
>> While I agree that it should never be enabled *by default*, it's
>> hardly stupid, predating modern anti-spam measures such as
>> policy daemons and DNSBLs by at least 10 years.
>>
>> J.
>
> Thank you for your responses.
> Is there anything I can do on my end? As far as the SMTP greeting
> banner?

Have you already established that this is, in fact, the issue?

J.
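
One way to check a captured session for two of the effects listed in the thread (a replaced greeting banner, non-RFC 821 commands refused), as an added example that is not part of the thread or of Postfix. The sample transcripts are constructed, the function names are hypothetical, and the masked-banner signature (only `2`, `0`, `*` and whitespace left in the greeting) is an assumption to confirm against your own capture.

```python
import re

# Constructed server-side transcripts (not from the thread): greeting, then
# the reply to the client's first command, which is assumed to be EHLO.
MASKED = ["220 ****************************************",
          "500 Command unrecognized",
          "250 mx.example.com"]
NORMAL = ["220 mx.example.com ESMTP",
          "250-mx.example.com",
          "250-PIPELINING",
          "250 8BITMIME"]

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(lines):
    """Group raw lines into (code, [text, ...]), honoring '250-' continuations."""
    replies, code, texts = [], None, []
    for raw in lines:
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed SMTP reply line: {raw!r}")
        code = m.group(1)
        texts.append(m.group(3))
        if m.group(2) == " ":          # a space after the code ends the reply
            replies.append((code, texts))
            code, texts = None, []
    if code is not None:
        raise ValueError("transcript ends inside a multi-line reply")
    return replies

def fixup_indicators(lines):
    """Return the signs that a device in the path rewrote this session."""
    replies = parse_replies(lines)
    if not replies:
        return []
    found = []
    code, texts = replies[0]
    banner = " ".join(texts)
    # Assumed signature: only '2', '0', '*' and whitespace survive in the banner.
    if code == "220" and "*" in banner and set(banner) <= set("20* \t"):
        found.append("masked-banner")
    # EHLO is not an RFC 821 command, so a 5xx reply to it fits item 2 of the list.
    if len(replies) > 1 and replies[1][0].startswith("5"):
        found.append("ehlo-rejected")
    return found

if __name__ == "__main__":
    for name, sample in (("masked", MASKED), ("normal", NORMAL)):
        print(name, fixup_indicators(sample))
```

A refused EHLO on its own can also come from a very old server, so treat it as supporting evidence next to the masked banner, not as proof.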