CISCO PIX Firewall MailGuard feature causes problems with SMTP authentication and SMTP outbound TLS


SYMPTOMS

  • Mail clients return an error code as follows: 503 This mail server requires authentication. Please check your mail client settings.
  • Mail clients will not be able to relay through the SMTP Connector, even if they have correctly enabled it on the client and the server.
  • Routing outbound mail via the Cisco PIX Firewall will also cause issues with the MailEnable SMTP outbound TLS option and with connecting to a remote server over a secured connection. A symptom of this is a bounce message containing errors stating that the remote mail server only supports encrypted connections over SSL or TLS. The MailEnable SMTP debug log file will report the following failure when the first attempt at connecting over TLS with the remote mail server fails. MailEnable will then fall back and send without TLS, which fails if the remote server requires sending over a secured connection:

"Failed to create outbound TLS connection. Message will be retried without TLS."

The Cisco PIX Firewall MailGuard feature interferes with this because encryption prevents it from inspecting the packets, so it cannot tell what danger might be included. Newer PIX versions allow you to make an exception for TLS, but with the older versions your only choice is to shut off the fixup (or have no TLS mail).

CAUSE

CISCO PIX Firewall.

RESOLUTION

Cisco's PIX firewalls implement a feature called MailGuard. When enabled, this feature configures the firewall to run an SMTP proxy that intercepts SMTP requests. This SMTP proxy can cause problems with SMTP authentication.

The solution to this problem is to disable the MailGuard feature on the firewall. More information on configuring the firewall is available at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml
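
To confirm that an SMTP proxy is rewriting the session before and after changing the firewall, the server's banner and EHLO reply can be checked for missing AUTH and STARTTLS. The following Python sketch is an added example, not MailEnable or Cisco code; the function names are hypothetical, the transcripts are constructed, and the masked banner, rejected EHLO and rewritten STARTTLS keyword are assumptions about how such a proxy typically appears, not details from this article.

```python
import re

# Constructed server-side transcripts (banner, then the reply to EHLO); not real captures.
DIRECT = ("220 mail.example.com ESMTP ready\r\n250-mail.example.com\r\n"
          "250-STARTTLS\r\n250-AUTH LOGIN\r\n250 HELP\r\n")
MASKED = ("220 ****************************2******0*0*****\r\n"
          "500 Command unrecognized\r\n")
STRIPPED = ("220 mail.example.com ESMTP ready\r\n250-mail.example.com\r\n"
            "250-XXXXXXXA\r\n250 HELP\r\n")

def parse_replies(raw):
    """Group server lines into (code, [texts]) replies; '-' marks a continuation line."""
    replies, texts = [], []
    for line in raw.splitlines():
        m = re.match(r"(\d{3})([ -]?)(.*)", line)
        if not m:
            continue  # ignore anything that is not an SMTP reply line
        texts.append(m.group(3))
        if m.group(2) != "-":  # final line of this reply
            replies.append((int(m.group(1)), texts))
            texts = []
    return replies

def diagnose(raw):
    """Return findings that suggest an SMTP-inspecting proxy is rewriting the session."""
    replies = parse_replies(raw)
    if len(replies) < 2:
        return ["transcript must contain the banner and the EHLO reply"]
    findings = []
    banner = " ".join(replies[0][1])
    if banner and banner.count("*") / len(banner) > 0.5:
        findings.append("banner masked")
    code, lines = replies[1]
    if code >= 500:
        findings.append("EHLO rejected")  # client falls back to HELO: no AUTH, no STARTTLS
    else:
        # First line of an EHLO reply is the greeting; the rest are extension keywords.
        keywords = {re.split(r"[ =]", t.strip())[0].upper() for t in lines[1:]}
        findings += [f"{ext} not advertised" for ext in ("STARTTLS", "AUTH")
                     if ext not in keywords]
    return findings

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("masked", MASKED), ("stripped", STRIPPED)):
        print(name, diagnose(raw) or "no interference detected")
```

Feed it the server replies captured from a manual session to port 25 taken on each side of the firewall; a clean result on the inside and findings on the outside point at the firewall rather than the mail server.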

MORE INFORMATION

Error '503 This mail server requires authentication': http://www.mailenable.com/kb/content/article.asp?ID=ME020135

How to configure the mail client when accessing MailEnable via POP and SMTP?: http://www.mailenable.com/kb/content/article.asp?ID=ME020198



Product: MailEnable (All Versions)
Category: Integration
Article: ME020159
Module: SMTP
Keywords: 503,CISCO,PIX,authentication,firewall,unable,to,relay,cant,smtp
Class: PRB: Product Problem or Issue
Created: 30/06/2003 8:56:00 PM
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable