CISCO PIX Inspect ESMTP filter query


  • CISCO PIX Inspect ESMTP filter query


    Got an odd problem here. Running Exchange 2003 behind a Pix V7.2(1)25.

    I have an SMTP connector set up between us and the head office on a separate domain (this allows various scripted emails to be relayed).

    With the ESMTP filter on some emails get stuck in the queue to the head office (both outbound and inbound too) and I think a few other domains may be affected too but most traffic is to head office.
    If I disable the ESMTP filter and force a connection in Exchange the queue clears. I'd be happy with the filter disabled but one scripted email loses its formatting when the ESMTP filter is disabled.

    The problem emails are delivered okay but there is no subject line (in the Outlook subject) and it appears as though the raw email has been dumped into the message body as text, i.e. the message looks like this (XXXX'd out info for security, <notes added by me>):

    <this is the start of the email header>
    From: XXXX
    Sent: 23 July 2007 09:45
    Subject: <this is blank>

    <this is the main body of the email>
    To: XXXX
    Subject: <contains the proper subject here>
    Return-Path: XXXX
    Message-ID: XXXX
    X-OriginalArrivalTime: 23 Jul 2007 08:45:13.0463 (UTC) FILETIME=[C9081870:01C7CD05]
    Date: 23 Jul 2007 09:45:13 +0100

    <message body here is ok>

    I've got coders checking the script to ensure the mail formatting is okay but what I don't understand is this:
    1) What does the ESMTP filter (when turned ON) do to the message that means it is delivered with correct formatting? (or inversely why does the formatting go screwy when the filter is turned off!?)
    2) There's a particular daily scripted mail that seems to get stuck in the queue (I manually disable the filter briefly, force a connection and it goes through okay). Except one day last week it was delivered okay when the filter was on. It's a scripted mail so it should be the same every day so I don't understand why it got through once...any ideas?

    P.S. this problem seems to have occurred since swapping out the V6 firewall for a new V7 one. Upgrading the firmware on the V7 seemed to clear out problems delivering to most external domains but still having the problems to the head office domain. I'm guessing the majority of mail to and from head office is working okay, it's only a handful that get stuck. The V6 had fixup smtp 25 enabled with no probs (that ever got noticed!).

  • #2
    Re: CISCO PIX Inspect ESMTP filter query

    Hi chief,

    I don't have "the answer" for you on this but here are some comments that, perhaps, will help-

    I know that the PIX ESMTP filter, filters ESMTP mail to ensure that it is "valid" and "meeting the standards of ESMTP". (at least that is what I recall reading)

    Now, what system the PIXOS uses to do that (what rules & policies), I don't believe, are available for us to know.

    Obviously, Cisco has made some changes to this feature from one version to the next or else you wouldn't have this issue when you moved from PIXOS 6 to 7. Who knows, perhaps it would be fixed if you went to PIXOS 8.

    While there are the RFCs for ESMTP & SMTP, and the PIX is filtering based on that RFC (so they say), there are so many different email clients (and scripts) that may or may not really create mail that complies with the RFC.

    My point is that only Cisco can tell you why or why not something didn't get through and it may take a fair amount of work to look at the message, compare it to their code, and tell you.

    I have never used the application filtering on a PIX in a production env. because I was afraid of things like this. I have just tried to put in an email spam & virus filtering system instead. As much as I try to encourage people to use Cisco products and features because I think they are quality - I would suggest turning off this feature and fix the script email.

    I hope that was of some help.

    For your or anyone's reference, here is the PIXOS 7.2 doc on Application inspection for SMTP/ESMTP
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training - Free IT Training Products


    • #3
      Re: CISCO PIX Inspect ESMTP filter query

      Hmm, I wonder if there is a "debug application inspection" command of some type that would allow you to, real time, see what emails are getting allowed or denied.

      That would be cool but I don't know if it exists....
      David Davis - Petri Forums Moderator & Video Training Author


      • #4
        Re: CISCO PIX Inspect ESMTP filter query

        Hi, I'd forgotten about this post!

        This has been logged with Cisco and has been escalated.

        It also appears that the filter may have actually been blocking the faulty mails rather than fixing them (which makes a whole lot more sense).

        Still, now we'll see if Cisco can fix the problem!
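
Added example, not part of the thread: a small Python check that can be run over the raw output of the scripted mail before it is handed to Exchange, looking for the symptom shown in the first post (header fields appearing after the first blank line) and for bare CR/LF line endings. It assumes the fault is a header block that ends too early, which the thread does not confirm; the sample messages and `example.test` addresses are constructed.

```python
import re

FIELD = re.compile(rb"^([!-9;-~]+):")   # RFC 5322 field name followed by a colon
KNOWN = {b"from", b"to", b"cc", b"subject", b"date", b"message-id",
         b"return-path", b"mime-version", b"content-type"}

def field_name(line):
    m = FIELD.match(line)
    return m.group(1).lower() if m else None

def check_message(raw: bytes) -> list:
    """Return findings for a raw message exactly as the script emits it."""
    findings = []
    # SMTP (RFC 5321) requires CRLF; a bare CR or LF is a common script defect.
    if re.search(rb"(?<!\r)\n|\r(?!\n)", raw):
        findings.append("bare CR or LF line ending")
    lines = re.split(rb"\r\n|\r|\n", raw)
    # The first empty line ends the header block; everything after it is body.
    split = lines.index(b"") if b"" in lines else len(lines)
    headers, body = lines[:split], lines[split + 1:]
    names = {field_name(h) for h in headers}
    for required in (b"from", b"date"):      # mandatory fields in RFC 5322
        if required not in names:
            findings.append("missing required header field: " + required.decode())
    # Well-known header fields at the very top of the body mean the header
    # block was terminated early, which is what the mail client then displays.
    leaked = []
    for line in body:
        name = field_name(line)
        if name in KNOWN:
            leaked.append(name.decode())
        elif leaked and line[:1] in (b" ", b"\t"):
            continue                         # folded continuation of a leaked field
        else:
            break
    if leaked:
        findings.append("header fields after the first blank line: " + ", ".join(leaked))
    return findings

# Constructed samples: GOOD is well formed, BROKEN has a stray blank line after From.
GOOD = (b"From: script@example.test\r\nTo: ho@example.test\r\n"
        b"Subject: Daily report\r\nDate: Mon, 23 Jul 2007 09:45:13 +0100\r\n"
        b"\r\nReport body\r\n")
BROKEN = GOOD.replace(b"From: script@example.test\r\n",
                      b"From: script@example.test\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(label, check_message(msg) or "no findings")
```
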