Cisco PIX interferes with TLS (encrypted) Email

A few weeks back I had a call from one of my larger Kerio clients. After exchanging pleasantries, my customer asked "Say, why don't we do TLS?"

I paused, slightly confused. "I'm pretty sure you do", I said.

He sounded equally puzzled. "I thought so, too. What determines that?"

I thought for a second. "It should just happen automatically as long as both the sending and the receiving server recognize STARTTLS."

"Well, do we?"

I was confused again. "I think so", I answered. "I'm pretty sure I would have set you up that way originally - maybe something changed?" I asked him to take a look in the SMTP Server section of his Kerio configuration, specifically under the SMTP Delivery tab, and to see whether "Use SSL if supported by remote SMTP server" was checked, as shown below.

Configuring TLS in Kerio Connect Mail Server

He said that it was. "Then you should be all set", I insisted.

"But it isn't working!", he retorted.

Ahh. I asked how he knew that and found that a customer of his had noticed this in their mail logs. As both my client and his customer are in the medical field and have to be concerned with HIPAA and other privacy regulations, and as the email they were sending each other could contain personal information about patients, this was a serious problem.

So, we dug into the logs on our side and, sure enough, no encryption was taking place. As far as I could see, there was no attempt to do this at all. What the heck could be wrong?

I poked around a bit but couldn't figure anything out, so we bounced it on up to Kerio support. The initial response was very similar to my own: it must be working. It didn't take too much work to show that this was not the case, so we got the ticket escalated.

That engineer poked about and asked a few questions and then said "Oh, wait: I bet I know. Do you have a PIX firewall?"

Indeed they do. He then referred us to this Microsoft Knowledgebase article titled "Cannot send or receive e-mail messages behind a Cisco PIX firewall". When I first looked at that, I thought it couldn't be the problem, but the key is the word "may" in the sentence that says "You may experience one or more of the following behaviors:". Apparently Cisco PIX has this "Mailguard" fixup protocol that can cause all kinds of strange problems. You can turn it off with a simple "no fixup protocol smtp 25" in the Cisco config, so my customer tried that.

TLS started working immediately.

[15/Oct/2010 05:51:29][5764] {smtpc} Sending email to SMTP server incoming.othersite.org, delivering mail from <[email protected]>
[15/Oct/2010 05:51:29][5764] {conn} Looking up host incoming.othersite.org in DNS...
[15/Oct/2010 05:51:29][5764] {conn} DNS: host incoming.othersite.org found, IP address xyz.xyz.xyz.xyz
[15/Oct/2010 05:51:29][5764] {smtpc} Connecting to xyz.xyz.xyz.xyz (incoming.othersite.org)...
[15/Oct/2010 05:51:29][5764] {conn} Connecting to xyz.xyz.xyz.xyz:25...
[15/Oct/2010 05:51:29][5764] {smtpc} Connected to incoming.othersite.org
[15/Oct/2010 05:51:29][2968] {conn} SSL debug: id 060CA2B0 SSL3 alert write:warning:close notify
[15/Oct/2010 05:51:29][5764] {smtpc} Received greeting: 220 incoming.othersite.org
[15/Oct/2010 05:51:29][5764] {smtpc} Sending EHLO
[15/Oct/2010 05:51:29][5764] {smtpc} Switching connection to TLS
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL handshake started: before/connect initialization
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:before/connect initialization
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv2/v3 write client hello A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 read server hello A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 read server certificate A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 read server done A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 write client key exchange A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 write change cipher spec A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 write finished A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 flush data
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 read server session ticket A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL_connect:SSLv3 read finished A
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL handshake done: SSL negot

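Added example, not from the post and not Kerio's own tooling: a small Python script that reads Kerio's mail debug log in the format shown above and reports, per outbound delivery, whether a TLS handshake completed, which is how you confirm from your own logs that mail to a given server really is encrypted. The log lines in the sample are constructed in that format; the host names are made up.

```python
import re

# Kerio Connect debug-log entry format, as in the post's excerpt:
# [dd/Mon/yyyy hh:mm:ss][thread-id] {component} message
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\] \{(?P<comp>\w+)\} (?P<msg>.*)$")
DELIVERY_RE = re.compile(r"^Sending email to SMTP server (?P<host>[^\s,]+)")

def tls_per_delivery(lines):
    """Map (thread-id, remote host) -> True if a TLS handshake completed on
    that outbound delivery, False if the session stayed in clear text.
    Entries are correlated by thread-id, because Kerio interleaves the
    {conn}/{smtpc} entries of concurrent deliveries."""
    result = {}
    in_progress = {}          # thread-id -> key of the delivery on that thread
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue          # blank line or wrapped fragment, not an entry
        tid, msg = m.group("tid"), m.group("msg")
        d = DELIVERY_RE.match(msg)
        if d:
            key = (tid, d.group("host"))
            result[key] = False
            in_progress[tid] = key
        elif tid in in_progress and "SSL handshake done" in msg:
            result[in_progress[tid]] = True
    return result

def cleartext_hosts(lines):
    """Remote servers that received mail without TLS; with the PIX fixup
    active this list contained every destination."""
    return sorted({h for (_, h), tls in tls_per_delivery(lines).items() if not tls})

# Constructed sample in the post's log format: one delivery that negotiated
# TLS (thread 5764, as in the post) and one that did not (thread 5770).
SAMPLE_LOG = """\
[15/Oct/2010 05:51:29][5764] {smtpc} Sending email to SMTP server incoming.othersite.org, delivering mail from <user@example.org>
[15/Oct/2010 05:51:29][5764] {smtpc} Connected to incoming.othersite.org
[15/Oct/2010 05:51:29][2968] {conn} SSL debug: id 060CA2B0 SSL3 alert write:warning:close notify
[15/Oct/2010 05:51:29][5764] {smtpc} Received greeting: 220 incoming.othersite.org
[15/Oct/2010 05:51:29][5764] {smtpc} Sending EHLO
[15/Oct/2010 05:51:29][5764] {smtpc} Switching connection to TLS
[15/Oct/2010 05:51:29][5764] {conn} SSL debug: id 060CA2B0 SSL handshake done: SSL negotiation finished successfully
[15/Oct/2010 05:52:03][5770] {smtpc} Sending email to SMTP server mx.cleartext.example, delivering mail from <user@example.org>
[15/Oct/2010 05:52:03][5770] {smtpc} Connected to mx.cleartext.example
[15/Oct/2010 05:52:03][5770] {smtpc} Received greeting: 220 mx.cleartext.example
[15/Oct/2010 05:52:03][5770] {smtpc} Sending EHLO
"""

if __name__ == "__main__":
    for (tid, host), tls in tls_per_delivery(SAMPLE_LOG.splitlines()).items():
        print(f"thread {tid} -> {host}: {'TLS' if tls else 'CLEAR TEXT'}")
```

Point it at the real log with `tls_per_delivery(open(path).read().splitlines())`; any host that keeps showing up in `cleartext_hosts()` is one you need to look at.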
If you have a PIX Firewall, this is definitely something you should look at.

The PIX interferes with this because encryption defeats its ability to inspect the SMTP session - once the connection is encrypted, it can't tell what danger the traffic might contain. Newer PIX versions allow you to make an exception for TLS, but with the older versions your only choice is to shut off the fixup (or have no TLS mail).
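As an added example (not from the post, and not Cisco's or Kerio's code), a Python check of what a remote server's EHLO reply actually advertises: because the fixup works by rewriting the SMTP dialogue in transit, the STARTTLS line your server should see either goes missing or comes back overwritten, and telling those two cases apart is what separates "the other side doesn't do TLS" from "something between us is breaking it". The X-overwrite pattern in the sample reply is an assumption about how such a rewrite looks; the host names are constructed.

```python
import socket

def ehlo_extensions(reply):
    """Extension keywords from a multi-line EHLO reply ('250-NAME' for all
    but the last line, '250 NAME' for the last). The first line is the
    server's domain, not an extension, so it is skipped."""
    exts = []
    for i, raw in enumerate(reply.splitlines()):
        line = raw.rstrip("\r")
        if i == 0 or len(line) < 5 or not line.startswith("250"):
            continue
        words = line[4:].split()
        if words:
            exts.append(words[0].upper())
    return exts

def starttls_status(reply):
    """'advertised' - 250-STARTTLS present, so TLS can be negotiated
       'masked'     - an extension line came back overwritten with X
                      characters, which points at an inspecting firewall
                      rewriting the reply (assumed pattern, see lead-in)
       'absent'     - the server itself does not offer STARTTLS"""
    exts = ehlo_extensions(reply)
    if "STARTTLS" in exts:
        return "advertised"
    if any(e.startswith("XXX") for e in exts):
        return "masked"
    return "absent"

def probe(host, port=25, timeout=10):
    """Live check of a remote MX (not run on the samples): connect, read the
    banner, send EHLO, return the raw EHLO reply for starttls_status()."""
    def read_reply(f):
        lines = []
        while True:
            line = f.readline().decode("ascii", "replace")
            lines.append(line)
            if not line or line[3:4] == " ":   # '250 ' ends a multi-line reply
                return "".join(lines)
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        read_reply(f)                          # 220 banner
        s.sendall(b"EHLO probe.example\r\n")
        reply = read_reply(f)
        s.sendall(b"QUIT\r\n")
    return reply

# Constructed replies: a normal one, and one as it might look after an
# inspecting firewall has overwritten the STARTTLS line.
CLEAN_REPLY = "250-mx.example.org\r\n250-SIZE 20480000\r\n250-STARTTLS\r\n250 HELP\r\n"
MASKED_REPLY = "250-mx.example.org\r\n250-SIZE 20480000\r\n250-XXXXXXXX\r\n250 HELP\r\n"
```

Run `starttls_status(probe("your.mx.example"))` from both inside and outside the firewall; if the answer differs, the firewall is the variable.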

See Cisco Firewall disabling TLS initiation by default and Allow TLS through ASA / PIX (SMTP fixup/ESMTP application inspection) for more on other ways to fix this.

© Anthony Lawrence







Thu Dec 2 22:05:49 2010: 9144   anonymous


This is old news. Pix has had this functionality for years and many people disable it for this reason and more.





Thu Dec 2 22:16:43 2010: 9145   TonyLawrence


It wasn't "old news" to him or me :-)



Thu Dec 9 15:55:14 2010: 9152   BradMartin


It wasn't old news to me either. Extremely helpful discussion; saved me time and a tech call. Many thanks!



Thu Dec 9 16:01:44 2010: 9153   TonyLawrence


Some people think that because they've known about an issue for a long time, everyone must. That's obviously untrue.

There is also the "Cisco" issue. I avoid that equipment whenever possible. It's good stuff, but it is overpriced and Cisco support techs charge WAY too much for their services. I never recommend Cisco to clients unless they just don't care about money.

However, other folks swear by it and of course they are much more likely to know about little things like this than the rest of us would be.
