How to solve SMTP-AUTH errors on Postfix (or any other mailserver) behind a Cisco PIX firewall

You have configured authentication for outgoing mail (SMTP-AUTH) on your mailserver (Postfix, in this case) and it works great. But when you put it into production, the users complain because they can’t send emails.

What do you do? You follow the communication step by step. That is, you telnet to port 25 and walk through the authentication by hand. The conversation goes like this (the lines beginning with “->” are typed by me, without the “->” part):

[email protected]:~$ telnet smtp.example.com 25
Trying 1.2.3.4...
Connected to smtp.example.com.
Escape character is '^]'.
220 smtp.example.com ESMTP server ready
-> EHLO example.com
250-smtp.example.com
250 AUTH CRAM-MD5 DIGEST-MD5
-> AUTH FOOBAR
504 Unrecognized authentication type.
-> AUTH CRAM-MD5
334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
-> ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
235 Authentication successful.


Everything is fine… Then you tell the customer to do the same, but he says he can’t see the line “220 smtp.example.com ESMTP server ready”; he only sees a bunch of asterisks. You try it yourself, and it’s true… Plus, the server doesn’t recognise the AUTH command!!


[email protected]:~$ telnet smtp.example.com 25
Trying 1.2.3.4...
Connected to smtp.example.com.
Escape character is '^]'.
220*******************************************************0*2******0***********************
2002*******2***0*00
-> EHLO example.com
250-smtp.example.com
250 AUTH CRAM-MD5 DIGEST-MD5
-> AUTH FOOBAR
500 5.5.2 Error: bad syntax
-> AUTH CRAM-MD5
500 5.5.2 Error: bad syntax

What’s going on? Why this difference? It seems the answer is pretty simple…

Cisco Systems ships every PIX firewall with an inspection feature meant to block attacks and increase security. It intercepts every command sent to the server and translates it, acting as a proxy. This feature is called MailGuard, and it only accepts the basic SMTP commands, not the extended ESMTP ones, which makes it incompatible with SMTP-AUTH (the banner is masked with asterisks, and the AUTH command the server advertises is rejected with “500 5.5.2 Error: bad syntax” before it ever reaches Postfix). So the only way to make SMTP-AUTH work is to disable it.
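As an added illustration (not part of the original post), here is a small Python diagnostic that encodes the three symptoms above: a 220 banner rewritten to asterisks, an EHLO reply that still advertises AUTH, and an AUTH command refused with a 500. `diagnose()` works on captured replies, and `probe()` gathers the same three replies from a live server; the sample replies are constructed from the transcripts in this article, and the `diagnostic.invalid` EHLO name is an assumption.

```python
import socket

# Constructed inputs modelled on the two transcripts above (not captured from a real host).
DIRECT = ("220 smtp.example.com ESMTP server ready",
          ["250-smtp.example.com", "250 AUTH CRAM-MD5 DIGEST-MD5"],
          "334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=")
MASKED = ("220*******************************************************0*2******0***********************",
          ["250-smtp.example.com", "250 AUTH CRAM-MD5 DIGEST-MD5"],
          "500 5.5.2 Error: bad syntax")


def banner_is_masked(banner: str) -> bool:
    """A MailGuard-style fixup keeps the 220 code but replaces the banner text with asterisks."""
    body = banner[3:].strip()
    return bool(body) and body.count("*") / len(body) > 0.8


def diagnose(banner: str, ehlo_lines: list, auth_reply: str) -> str:
    """Turn the three observable replies into one verdict."""
    # EHLO reply lines look like "250-text" or "250 text"; the keyword starts at offset 4.
    advertises_auth = any(line[4:].upper().startswith("AUTH") for line in ehlo_lines)
    auth_rejected = auth_reply.startswith("500")
    if banner_is_masked(banner) and advertises_auth and auth_rejected:
        return "smtp-fixup-suspected"   # masked banner plus an advertised extension refused
    if advertises_auth and auth_reply.startswith("334"):
        return "auth-ok"                # the server issued its SASL challenge: nothing in the way
    return "inconclusive"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live version: read the banner, send EHLO and AUTH, classify, then QUIT cleanly."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", errors="replace", newline="")

        def reply():
            lines = [f.readline().rstrip("\r\n")]
            while len(lines[-1]) > 3 and lines[-1][3] == "-":   # continuation of a multi-line reply
                lines.append(f.readline().rstrip("\r\n"))
            return lines

        banner = reply()[0]
        f.write("EHLO diagnostic.invalid\r\n"); f.flush()       # hypothetical client name
        ehlo = reply()
        f.write("AUTH CRAM-MD5\r\n"); f.flush()
        auth = reply()[0]
        if auth.startswith("334"):
            f.write("*\r\n"); f.flush(); reply()                # RFC 4954: cancel the challenge
        f.write("QUIT\r\n"); f.flush()
        return diagnose(banner, ehlo, auth)
```

Run `probe("smtp.example.com")` from the customer's network and from the server's own network: a verdict of `smtp-fixup-suspected` on one side and `auth-ok` on the other points at a device in between rather than at Postfix.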

That’s easy to do, because the command is pretty simple once you are connected to the PIX over telnet:

no fixup protocol smtp 25
write mem

The difficult part is realising that something is tampering with the communication… But once you’ve discovered it, problem solved!

Tomàs