There was a huge discussion "PIX problems with DKIM header fields" on the postfix-users@postfix.org mailing list recently. One of the symptoms observed was that sites behind a Cisco PIX with "esmtp protocol fixup" wouldn't accept DKIM-signed emails. The connection would simply be dropped during the DATA stage.
Jim Fenton of Cisco solved the riddle for us and wrote this:
There are three bugs (all resolved) relating to Content-Type issues:
These bug fixes are all incorporated in version 7.2(2.19) and 8.0(2.7).
7.2(2.19) is available to registered users on cisco.com by clicking the "interim releases" link on the software download page. I'm still unsure of the availability of 8.0(2.7).
According to one of the bug descriptions, the message
SMTP: Multiple Content-Type headers!
will be logged if ESMTP debugging is enabled and this is the cause.
Heise.de published an article about this as well: Cisco PIX behindert authentifizierten Mail-Versand
And another Cisco PIX and ASA problem with inspection of the SMTP protocol (actually, parsing of a mail header section):
Problem description:
SMTP session is disconnected during DATA phase of a SMTP transaction for mail messages with a DKIM signature, where the start of a string "content-type" or "content-transfer-encoding" in a tag's value of an "h" tag of a DKIM signature happens to fall on a packet boundary at a start of a packet. The session is dropped with the next packet containing a Content-Type or Content-Transfer-Encoding header field.
Platform:
ASA5580-40
Cisco Adaptive Security Appliance Software Version 8.1(2)
To be fixed in releases 8.1.2(22) and 8.1.3
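Added example (not part of the original post or of Cisco's material): a Python check for the condition in the problem description above. Given the TCP payloads of the DATA phase in order, as taken from a packet capture, it reports the segments that begin with "content-type" or "content-transfer-encoding" while still inside a DKIM-Signature h= value. The sample message and all function names are constructed for illustration.

```python
import re

TRIGGERS = (b"content-type", b"content-transfer-encoding")
# One DKIM-Signature field, including folded continuation lines.
FIELD = re.compile(rb"^DKIM-Signature:((?:[^\r\n]*\r\n[ \t])*[^\r\n]*)", re.I | re.M)
# The h= tag inside the field's tag list ("bh=" must not match).
H_TAG = re.compile(rb"(?:\A|;)[ \t\r\n]*h[ \t\r\n]*=([^;]*)")

# Constructed sample message; the signature values are placeholders.
SAMPLE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\r\n"
    b"\th=from:to:subject:content-type:mime-version;\r\n"
    b"\tbh=CONSTRUCTED; b=CONSTRUCTED\r\n"
    b"From: a@example.org\r\nTo: b@example.net\r\nSubject: test\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\nbody\r\n"
)


def dkim_h_spans(message):
    """Return (start, end) byte offsets of every DKIM-Signature h= value."""
    end = message.find(b"\r\n\r\n")
    headers = message if end < 0 else message[:end + 2]
    spans = []
    for field in FIELD.finditer(headers):
        base = field.start(1)
        for tag in H_TAG.finditer(field.group(1)):
            spans.append((base + tag.start(1), base + tag.end(1)))
    return spans


def risky_segments(segments):
    """Return (segment index, header name) for each segment that starts
    with a trigger name while still inside a DKIM h= tag value."""
    message = b"".join(segments)
    spans = dkim_h_spans(message)
    findings, offset = [], 0
    for index, segment in enumerate(segments):
        if any(start <= offset < stop for start, stop in spans):
            head = message[offset:offset + 32].lower()
            findings += [(index, n.decode()) for n in TRIGGERS if head.startswith(n)]
        offset += len(segment)
    return findings


if __name__ == "__main__":
    cut = SAMPLE.index(b"content-type")  # boundary lands on the h= entry
    print(risky_segments([SAMPLE[:cut], SAMPLE[cut:]]))
```

A segment that starts with the real Content-Type header field is not reported, because its offset lies outside every h= value.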
This file was last modified 27. Apr 2009 by root