CISCO PIX Firewall MailGuard feature causes problems with SMTP authentication and SMTP outbound TLS
SYMPTOMS
- Mail clients return an error code as follows: 503 This mail server requires authentication. Please check your mail client settings.
- Mail clients will not be able to relay through the SMTP Connector, even if they have correctly enabled it on the client and the server.
- Routing outbound mail via the Cisco PIX Firewall will also cause issues with MailEnable SMTP outbound TLS option and connecting to a remote server over a secured connection. A symptom of this would be that you receive a bounce message containing errors stating that the remote mail server only supports encrypted connections over SSL or TLS. The MailEnable SMTP debug log file will report the following failure when the first attempt at connecting over TLS with the remote mail server. MailEnable will then fall back and send over non TLS which fail if the remote server requires sending over a secured connection:
"Failed to create outbound TLS connection. Message will be retried without TLS."
The Cisco PIX Firewall MailGuard feature interferes with this because the encryption interferes with its ability to inspect packets - it can't tell what danger might be included. Newer PIX versions allow you to make an exception for TLS, but with the older versions your only choice is to shut off the fixup (or have no TLS mail).
CAUSE
CISCO PIX Firewall.
RESOLUTION
Cisco's PIX firewalls implement a feature called MailGuard. When enabled this feature configures the firewall to run an SMTP proxy that intercepts SMTP requests. This SMTP proxy can cause problems with SMTP authentication.
The solution to this problem is to disable the mailguard feature for the
firewall. More information on configuring the firewall is available
at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml
MORE INFORMATION
Error '503 This mail server requires authentication': http://www.mailenable.com/kb/content/article.asp?ID=ME020135
How to configure the mail client when accessing MailEnable via POP and SMTP?: http://www.mailenable.com/kb/content/article.asp?ID=ME020198
| Product: | MailEnable (All Versions) |
| Category: | Integration |
| Article: | ME020159 |
| Module: | SMTP |
| Keywords: | 503,CISCO,PIX,authentication,firewall,unable,to,relay,cant,smtp |
| Class: | PRB: Product Problem or Issue |
| Created: | 30/06/2003 8:56:00 PM |
| Revised: | Wednesday, May 4, 2016 |
| Author: | MailEnable |
| Publisher: | MailEnable |
- Mail Server
- Overview
- Features
- Comparisons
- Solutions
- Product Editions
- Feature Matrix
- Webmail Demo
- Video Gallery
- Migrate To MailEnable
- Testimonials