[69169] in North American Network Operators' Group
Re: disabling SMTP
daemon@ATHENA.MIT.EDU (Richard Welty)
Mon Mar 29 07:54:21 2004
Date: Mon, 29 Mar 2004 07:30:18 -0500 (EST)
From: Richard Welty <rwelty@averillpark.net>
To: nanog@merit.edu
In-Reply-To: <6.0.3.0.1.20040329071901.024cd818@pop.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 29 Mar 2004 07:20:47 -0500 Rob Nelson <ronelson@vt.edu> wrote:
> Richard Welty wrote:
> >when smtp fixup is on (default on many older pixes, i gather that there
> >may be some improvements on newer pixes), the smtp banner
> >is mostly obscured by * characters. the intent is a classic security
> >by obscurity play, to hide the type and version of the MTA behind
> >the pix.
> Okay, so this is a problem when an SMTP server is hosted behind the PIX?
yes.
> I thought the fixup statements were for outbound connections, and with it on
> right now I get the full banner from SMTP servers. I don't host an SMTP
> server myself, so can't check that.
nope, they mangle inbound connections too.
in addition to the banner obscuration, i (and others) have seen patterns of
intermittent, arbitrary disconnections of SMTP sessions when fixup is turned
on. this is harder to diagnose, though, because there is a TCP bug in some
variants of Outlook that causes similar behavior. those of us running exim
as an MTA a couple of revs back had to patch our installs to work around
the Outlook TCP bug. i believe that patch is now permanently part of exim,
as it is unlikely that the Outlook bug will ever entirely go away.
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
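The thread describes the symptom an operator sees when a PIX with smtp fixup sits in front of a mail server: the 220 greeting comes back with most of its text replaced by `*` characters. The script below is an added example (not code from the post or from any of the participants) that parses an SMTP greeting line and flags one that looks obscured in that way, so an operator checking their own server from outside can tell a mangled banner from a normal one. The sample banners are constructed, and the 50% asterisk threshold is an assumed tuning value, not anything the thread specifies.

```python
"""Heuristic check for an SMTP greeting that a middlebox has obscured.

Added example for the NANOG thread on PIX smtp fixup; not from the post.
The banners below are constructed samples, and THRESHOLD is an assumed value.
"""
import re
import socket
from dataclasses import dataclass

# Constructed samples: a normal ESMTP greeting and one in the shape the
# thread describes (text replaced by '*' characters by the firewall).
NORMAL_BANNER = "220 mail.example.net ESMTP Exim 4.30 Mon, 29 Mar 2004 07:30:18 -0500\r\n"
MANGLED_BANNER = "220 ****************************************************\r\n"

THRESHOLD = 0.5  # assumed: fraction of non-space banner text that is '*'


@dataclass
class BannerReport:
    code: int           # three-digit SMTP reply code
    text: str           # greeting text after the code
    star_fraction: float
    obscured: bool      # True when the greeting looks fixup-mangled


def parse_greeting(raw):
    """Split one SMTP reply line into (code, text).

    Accepts both the final-line form "220 text" and the continuation form
    "220-text". Raises ValueError if the line is not an SMTP reply.
    """
    line = raw.rstrip("\r\n")
    m = re.match(r"^(\d{3})(?:[ -](.*))?$", line)
    if not m:
        raise ValueError("not an SMTP reply line: %r" % line)
    return int(m.group(1)), m.group(2) or ""


def inspect_banner(raw, threshold=THRESHOLD):
    """Classify a greeting line; only 220 greetings can count as obscured."""
    code, text = parse_greeting(raw)
    visible = text.replace(" ", "")
    frac = visible.count("*") / len(visible) if visible else 0.0
    return BannerReport(code, text, frac, code == 220 and frac >= threshold)


def fetch_banner(host, port=25, timeout=5.0):
    """Read the greeting from a live server (use only against your own MTA).

    Returns the raw first line so it can be passed to inspect_banner().
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        return f.readline().decode("ascii", errors="replace")


if __name__ == "__main__":
    for sample in (NORMAL_BANNER, MANGLED_BANNER):
        r = inspect_banner(sample)
        print("code=%d stars=%.2f obscured=%s text=%r"
              % (r.code, r.star_fraction, r.obscured, r.text))
```

Running the module prints the classification of the two constructed samples; to check a real mailbox host from outside the firewall, pass `fetch_banner("your.mta.example")` into `inspect_banner()` and compare against what the MTA itself logs as its greeting.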