From: Greg Hackney (hackneyswbell.net)
Date: Wed Jun 20 2001 - 12:15:25 CDT


    > So turning off the "feature" [Cisco PIX SMTP fixup protocol] is the only
    > way to go?

    As a Postfix sender, you can install the latest snapshot, and your server
    won't cause dups:

            Major changes with snapshot-20010610:
            This release includes a workaround for a bug in old versions of
            the CISCO PIX firewall software that caused mail to be resent
            repeatedly to systems behind such a product.

    IMHO the person behind the Cisco PIX firewall ought to disable "SMTP fixup
    protocol". Or if they feel they have to leave it on, then to run PIX
    software version 5.2.4 or 5.2.5, and not 5.3.1.

    Here's some notes I made on the subject for my own use:

    =============================================
    Problem with duplicate Internet email being sent:

    Telnet to port 25 of the affected smtp server, and see if there is a
    response that looks something like this:

    220
    ************************************************************2***************
    **********200************0200 *************************

    If so, they are probably running a Cisco PIX firewall, which probably has a
    bug in its software. This bug was patched in Cisco's version 5.2.4 and
    5.2.5, but apparently still exists in older and newer versions, including
    5.3.

    Their immediate solution is to disable "SMTP Fixup Protocol" in their Cisco
    PIX.

    Here's an example canned message to send to their administrators:

    ================================================================
    Hello, re: your site smtp.truesouth.com [212.100.100.110]

    It appears that you are running a Cisco PIX firewall with
    the "SMTP fixup protocol" enabled, and using an older version of
    PIX software which has a bug in it.

    The bug is causing Compaq's email servers (and possibly others)
    to send multiple messages to your site.

    To fix the problem, I'd suggest:

    Disable the "SMTP fixup protocol" in the Cisco PIX configuration. This
    will allow our email servers to speak SMTP (email protocol) directly
    to your email servers instead of having the PIX intercept it and
    fail. (We also use Cisco PIX's here, and have it disabled here.)

    Then, upgrade your PIX software which fixes the bug. For reference,
    go to the www.cisco.com web site and search for the keyword
    CSCds90792, which is the Cisco bug number.

    This bug was patched in the PIX software versions 5.2.4 and 5.2.5, but
    apparently still exists in older and newer versions, including 5.3.1.

    The exact symptom is:
    Emails are getting sent multiple times to your site, until it finally
    expires after 3 days on our site.

    Our system sends the end-of-message SMTP protocol sequence, but doesn't
    get a "message received" acknowledgment back from your system. The "bug"
    requires that the entire end-of-message sequence be contained within the
    same network packet, and not fragmented in multiple packets. Cisco's fix
    allows it to be fragmented.

    Since we handle about 30 million email messages a month, we've run
    across this problem with many Cisco PIX systems (including version 5.3(1)),
    and first discovered it on our own Cisco PIX's.

    Most admins I've talked to have resolved the problem by just turning
    off the "SMTP fixup protocol" feature in the PIX's. Turning the feature
    off allows the email servers to communicate directly on SMTP port 25.
    Turning the feature on makes the PIX intercept the SMTP protocol
    commands, and act as an intermediate relay.

    Email is possibly more secure to have the PIX feature, if it worked. But we
    just couldn't use it here, it broke too much email. We run the "Postfix"
    email transport program under UNIX, which is very secure, and the Cisco
    fixup protocol just got in the way.

    I'd suggest that if you don't want to turn it off, that you ask Cisco if
    a newer version of the PIX OS is available, with the patch applied.
