Home | Comics | Gallery | wishlist | Donations | Impressum | The Book of Postfix | Postfix - Einrichtung, Betrieb und Wartung | Blog | |

Postfix and various CISCO PIX/ASA bugs

There was a huge discussion "PIX problems with DKIM header fields" on the postfix-users@postfix.org mailinglist recently. One of the symptoms observed was that sites behind a CISCO PIX or ASA with "esmtp protocol fixup" wouldn't accept DKIM-signed emails. The connection would simply be dropped during the DATA stage.

Jim Fenton of CISCO solved the riddle for us and wrote this:

There are three bugs (all resolved) relating to Content-Type issues:

These bug fixes are all incorporated in version 7.2(2.19) and 8.0(2.7).

7.2(2.19) is available to registered users on cisco.com by clicking the "interim releases" link on the software download page. I'm still unsure of the availability of 8.0(2.7).

According to one of the bug descriptions, the message SMTP: Multiple Content-Type headers! will be logged if ESMTP debugging is enabled and this is the cause.

Heise.de published an article about this as well: Cisco PIX behindert authentifizierten Mail-Versand

And another Cisco PIX and ASA problem with inspection of a SMTP protocol (actually, parsing of a mail header section):

Problem description:

SMTP session is disconnected during DATA phase of a SMTP transaction for mail messages with a DKIM signature, where the start of a string "content-type" or "content-transfer-encoding" in a tag's value of an "h" tag of a DKIM signature happens to fall on a packet boundary at a start of a packet. The session is dropped with the next packet containing a Content-Type or Content-Transfer-Encoding header field.

Cisco Adaptive Security Appliance Software Version 8.1(2)

To be fixed in releases 8.1.2(22) and 8.1.3

© by Ralf Hildebrandt
This document contains links to external information sources that I do neither monitor nor control. I explicitly disclaim any liabilities in respect to external references.
You are getting this document without any guarantees. Any methods shown above are meant as demonstration and may be wrong in some place. You may damage your system if you try to follow my hints and instructions. You do this at your own risk!

Valid HTML 4.01 Strict

This file was last modified 29. Mar 2013 by root