Mail Guard provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside e-mail server. Mail Guard enables a mail server to be deployed within the internal network without it being exposed to known security problems with some mail server implementations.
When configured, Mail Guard allows only seven SMTP commands as specified in RFC 821 section 4.5.1. These commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. Other commands, such as KILL, WIZ, and so forth, are intercepted by the PIX Security Appliance and are never sent to the mail server inside the network. The PIX responds with an OK even to denied commands, so that attackers will not know that their attempts are being thwarted.
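As an added example that is not from the Cisco documentation, the following Python models the Mail Guard command filter described above over a constructed SMTP session. It tracks the DATA state so that message body lines are never mistaken for commands; that state handling and the literal "250 OK" reply text are assumptions of this model, not something the page states.

```python
# Simplified model of the PIX Mail Guard SMTP command filter (illustrative,
# not Cisco's implementation). Actions: "forward" = command relayed to the
# inside server, "body" = DATA payload relayed as-is, "intercept" = command
# swallowed by the PIX, which answers with an OK itself (assumed reply text).
from typing import List, Tuple

# The seven commands permitted by Mail Guard (RFC 821 section 4.5.1).
ALLOWED_SMTP_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
DENIED_REPLY = "250 OK"  # assumption: the page only says the PIX replies OK


def mail_guard_filter(client_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (line, action, reply_source) for each client line.

    reply_source is "pix" when the appliance fabricates the reply for an
    intercepted command and "server" when the inside mail server answers.
    Lines between DATA and the terminating "." are message body, so a
    command-looking line inside the body is relayed, not filtered.
    """
    result: List[Tuple[str, str, str]] = []
    in_data = False
    for line in client_lines:
        if in_data:
            result.append((line, "body", "server"))
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()  # SMTP verbs are case-insensitive
        if verb in ALLOWED_SMTP_COMMANDS:
            result.append((line, "forward", "server"))
            in_data = verb == "DATA"
        else:
            result.append((line, "intercept", "pix"))
    return result


def intercepted_commands(client_lines: List[str]) -> List[str]:
    """Convenience view: only the commands the PIX would never relay."""
    return [ln for ln, action, _ in mail_guard_filter(client_lines) if action == "intercept"]


# Constructed session: one denied command before DATA, a command-like line
# inside the body (must be relayed), and the same command again after DATA.
SAMPLE_SESSION = [
    "HELO client.example.test",
    "WIZ",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: hello",
    "",
    "VRFY bob",
    ".",
    "VRFY bob",
    "QUIT",
]
```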
By default, the PIX Security Appliance inspects port 25 connections for SMTP traffic. If there are SMTP servers on the network that are using ports other than port 25, the fixup protocol smtp command must be used to have the PIX inspect these other ports for SMTP traffic.
Use the no fixup protocol smtp command to disable the inspection of traffic on the indicated port for SMTP connections. If the fixup protocol smtp command is not enabled for a given port, SMTP traffic on that port passes through uninspected and any vulnerabilities in the inside mail server are exposed to outside clients.
Using the no fixup protocol smtp command without any arguments causes the PIX Security Appliance to clear all previous fixup protocol smtp assignments and set port 25 back as the default.