Configure Attack Guards on the PIX Security Appliance
Mail Guard

Mail Guard provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside e-mail server. Mail Guard enables a mail server to be deployed within the internal network without it being exposed to known security problems with some mail server implementations.

When configured, Mail Guard allows only seven SMTP commands as specified in RFC 821 section 4.5.1. These commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. Other commands, such as KILL, WIZ, and so forth, are intercepted by the PIX Security Appliance and are never sent to the mail server inside the network. The PIX responds with an OK even to denied commands, so that attackers will not know that their attempts are being thwarted.

By default, the PIX Security Appliance inspects port 25 connections for SMTP traffic. If there are SMTP servers on the network that are using ports other than port 25, the fixup protocol smtp command must be used to have the PIX inspect these other ports for SMTP traffic.

Use the no fixup protocol smtp command to disable the inspection of traffic on the indicated port for SMTP connections. If the fixup protocol smtp command is not enabled for a given port, then potential mail server vulnerabilities are exposed.

Using the no fixup protocol smtp command without any arguments causes the PIX Security Appliance to clear all previous fixup protocol smtp assignments and set port 25 back as the default.
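As an added illustration (a constructed model, not Cisco's code), the following Python script applies the Mail Guard rules above to a client-side SMTP transcript: only the seven RFC 821 commands are forwarded, any other command is intercepted and answered with a benign OK, filtering is suspended while a DATA body is in transit, and connections to ports outside the fixup set pass uninspected. The exact reply text and the DATA-body handling are assumptions of the model.

```python
# Constructed model of the PIX Mail Guard behaviour; not Cisco code.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # RFC 821 4.5.1
DEFAULT_FIXUP_PORTS = {25}          # 'fixup protocol smtp' default port
DENIED_REPLY = "250 OK"             # assumed wording of the benign reply


class MailGuard:
    def __init__(self, fixup_ports=None):
        self.fixup_ports = set(fixup_ports) if fixup_ports else set(DEFAULT_FIXUP_PORTS)
        self.in_data = False  # True while a message body is in transit after DATA

    def filter_line(self, dst_port, line):
        """Decide one client line: ('forward', line) or ('intercept', reply)."""
        if dst_port not in self.fixup_ports:
            return ("forward", line)  # no fixup on this port: traffic is not inspected
        if self.in_data:
            if line.rstrip("\r\n") == ".":
                self.in_data = False  # end of body: command filtering resumes
            return ("forward", line)  # body lines are data, not commands
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb not in ALLOWED:
            return ("intercept", DENIED_REPLY)  # never reaches the mail server
        if verb == "DATA":
            self.in_data = True
        return ("forward", line)


def run_session(dst_port, lines, fixup_ports=None):
    """Filter a whole client transcript and return the per-line decisions."""
    guard = MailGuard(fixup_ports)
    return [guard.filter_line(dst_port, l)[0] for l in lines]


# Constructed client-side transcript (server replies omitted).
SAMPLE_SESSION = [
    "HELO mail.example.test",
    "WIZ",                          # not in the RFC 821 set: intercepted
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: status",
    "KILL",                         # inside the body: plain text, forwarded
    ".",
    "KILL",                         # after the body: a command again, intercepted
    "QUIT",
]

if __name__ == "__main__":
    for l, d in zip(SAMPLE_SESSION, run_session(25, SAMPLE_SESSION)):
        print(f"{d:9} {l}")
```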
