Cannot send or receive e-mail messages behind a Cisco PIX firewall

You may experience one or more of the following behaviors:

• You cannot receive Internet-based e-mail messages.
• You cannot send e-mail messages with attachments.
• You cannot establish a telnet session with the Microsoft Exchange server on port 25.
• When you send an EHLO command to the Exchange server, you receive a "Command unrecognized" or an "OK" response.
• You cannot send or receive mail on specific domains.
• Problems with Post Office Protocol version 3 (POP3) authentication - 550 5.7.1 relaying denied from local server.
• Problems with duplicate e-mail messages being sent (sometimes five to six times).
• You receive duplicate incoming Simple Mail Transfer Protocol (SMTP) messages.
• Microsoft Outlook clients or Microsoft Outlook Express clients report an 0x800CCC79 error when trying to send e-mail.
• There are problems with binary mime (8bitmime). You receive the following text in a non-delivery report (NDR):
  554 5.6.1 Body type not supported by Remote Host.
• There are problems with missing or garbled attachments.
• There are problems with the link state routing between routing groups when a Cisco PIX firewall device is between the routing groups.
• The X-LINK2STATE verb is not passed.
• There are authentication problems between servers over a routing group connector.

This issue may occur in the following situation:

• The Exchange server is placed behind a Cisco PIX firewall device.
  
  -and-
• The PIX firewall has the Mailguard feature turned on.
• The Auth and Auth login commands (Extended Simple Mail Transfer Protocol [ESMTP] commands) are stripped by the firewall, and this makes the system think that you are relaying from a non-local domain.

To determine whether Mailguard is running on your Cisco PIX firewall, Telnet to the IP address of the MX record, and then verify whether the response looks similar to the following: For more information, visit the following Cisco Web sites: Note If you have an ESMTP server behind the PIX firewall, you may have to turn off the Mailguard feature to permit mail to flow correctly. Also, establishing a Telnet session to port 25 may not work with the fixup protocol smtp command, especially with a Telnet client that uses character mode.

Note Besides the Cisco PIX firewall, there are several firewall products that have SMTP Proxy capabilities that may produce the issues that are mentioned earlier in this article. The following is a list of firewall manufacturers whose products have SMTP Proxy features:

• Watchguard Firebox
• Checkpoint
• Raptor

For additional information, visit the Web sites listed in the "More Information" section.

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Note A firewall is designed to help protect your computer from attack by malicious users or by malicious software such as viruses that use unsolicited incoming network traffic to attack your computer. Before you disable your firewall, you must disconnect your computer from all networks, including the Internet.

To resolve this issue, turn off the Mailguard feature of the PIX firewall.

Warning If you have an ESMTP server behind the PIX, you may have to turn off the Mailguard feature to make it possible for mail to correctly flow. If you use the Telnet command to port 25, this may not work with the fixup protocol smtp command, and this is more noticeable with a Telnet client that performs character mode.

To turn off the Mailguard feature of the PIX firewall:

1. Log on to the PIX firewall by establishing a telnet session or by using the console.
2. Type enable, and then press ENTER.
3. When you are prompted for your password, type your password, and then press ENTER.
4. Type configure terminal, and then press ENTER.
5. Type no fixup protocol smtp 25, and then press ENTER.
6. Type write memory, and then press ENTER.
7. Restart or reload the PIX firewall.

The PIX Software Mailguard feature (also called Mailhost in early versions) filters Simple Mail Transfer Protocol (SMTP) traffic. For PIX Software versions 4.0 and 4.1, the mailhost command is used to configure Mailguard. In PIX Software version 4.2 and later, the fixup protocol smtp 25 command is used.

Note You must also have static IP address assignments and conduit statements for your mail server.

When Mailguard is configured, Mailguard allows only the seven SMTP minimum-required commands as described in request for comment (RFC) 821, section 4.5.1. These seven required commands are the following: Other commands, such as KILL and WIZ are not forwarded to the mail server by the PIX firewall. Early versions of the PIX firewall return an "OK" response, even to commands that are blocked. This is intended to prevent an attacker from the knowledge that the commands have been blocked.

To view RFC 821, visit the following RFC Web site: All other commands are rejected with the "500 Command unrecognized" response.

On Cisco PIX firewalls with firmware versions 5.1 and later, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0 " characters. Carriage return (CR) and linefeed (LF) characters are ignored. In version 4.4, all characters in the SMTP banner are converted to asterisks.

Test Mailguard for proper function

Because the Mailguard feature may return an "OK" response to all commands, it may be hard to determine whether it is active. To determine whether the Mailguard feature is blocking commands that are not valid, follow these steps.

Note The following steps are based on PIX software version 4.0 and 4.1. To test later versions of PIX software (version 4.2 and later), use the fixup protocol smtp 25 command and the appropriate static and conduit statements for your mail server.

With Mailguard turned off

1. On the PIX firewall, use the static and conduit commands to allow all hosts in on TCP port 25 (SMPT).
2. Establish a telnet session on the external interface of the PIX firewall on port 25.
3. Type a command that is not valid, and then press ENTER. For example, type goodmorning, and then press ENTER.
   
   You receive the following response:
   500 Command unrecognized.

With Mailguard turned on

1. Use the mailhost or the fixup protocol smtp 25 command to turn on the Mailguard feature on the external interface of the PIX firewall.
2. Establish a telnet session on the external interface of the PIX firewall on port 25.
3. Type a command that is not valid, and then press ENTER. For example, type goodmorning, and then press ENTER.
   
   You receive the following response:
   OK.

When the Mailguard feature is turned off, the mail server responds to the command that is not valid with the "500 Command unrecognized" message. However, when the Mailguard feature is turned on, the PIX firewall intercepts the command that is not valid, because the firewall passes only the seven minimum required SMTP commands. The PIX firewall responds with "OK" whether the command is valid or not.

By default, the PIX firewall blocks all outside connections from accessing inside hosts. Use the static, access-list, and access-group command statements to permit outside access. For additional information about these commands, visit the following Cisco Web site: For additional information about how to configure the Cisco PIX firewall, please visit the following Cisco Web sites:

For more information about firewall products that have SMTP Proxy capabilities, visit the following Web sites:The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.