Posted by redbeard on Wed 5 Apr 2006 at 09:26
I'm writing this article in the hope that it helps someone else later. I just spent two days configuring my new e-mail server. It would have only been an afternoon if I'd known what I'm about to share.
My goal was to set up a secure e-mail server that I could log into using SMTP over SSL (e.g. SMTP AUTH). I had Exim4 running on a Sarge box, but only local logins and nothing else. First, I used Steve's article on setting up dovecot so I could use IMAP to access the mail from an external machine. I configured it to use only IMAPS. I tested it locally using mutt. Then, I followed the directions (and comments) from HowTo Setup Basic SMTP AUTH in Exim4, by an anonymous author. Everything seemed to be good.
Now comes the good part. I opened up the ports on my Cisco PIX firewall (993 for IMAPS and 25 for SMTP). Then I connected using mutt via IMAP. This worked. Then I tried setting up Opera (no, it's not open source, but it's the best browser for me) to use my new e-mail server. IMAP worked fine. SMTP did not. I couldn't figure out how to use mutt to do SMTP to the new server (I haven't tried hard yet, but pointers would be happily accepted).
So, I tried a few TCP monitoring utilities until I finally settled on tcpick. On the mail server I watched for traffic from my outside client. On the client, I watched for the mail server. The server was sending a proper greeting:
220 mailserver ESMTP Exim 4.52 Tue, 04 Apr 2006 14:17:01 -0500
But I was getting back things like:
220 *********************2******0******200*****02*****0*00
The firewall was killing everything except '2's and '0's! After I realized what was happening, I did a quick Google search. It turned up the following question from Exim's FAQ:
Q0053: Exim on my host responds to a connection with 220 *****... and won't understand EHLO commands.
A0053: This is the sign of a Cisco Pix “Mailguard” sitting in front of your MTA. Pix breaks ESMTP and only does SMTP. It is a nuisance when you have a secure MTA running on your box. Something like “no fixup protocol smtp 25” in the Pix configuration is needed. It may be possible to do this by logging into the Pix (using telnet or ssh) and typing no fixup smtp to its console. (You may need to use other commands before or after to set up configuration mode and to activate a changed configuration. Consult your Pix documentation or expert.) See also Q0078.
I checked. My PIX did indeed have SMTP fixup turned on. I followed the above advice (enter no fixup protocol smtp 25 on the PIX) and voila! It worked like a charm. By the way, Q0078 is about the PIX changing the EHLO command into XXXX.
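For reference, here is the PIX 6.x command sequence the FAQ answer alludes to, written out as an added example (it is not from the original article; the "pixfirewall" prompt is an assumed hostname). The show command before and after lets you confirm the change rather than trusting it:

```text
pixfirewall> enable
pixfirewall# show fixup
! if "fixup protocol smtp 25" appears in the output, Mailguard is active
pixfirewall# configure terminal
pixfirewall(config)# no fixup protocol smtp 25
pixfirewall(config)# exit
pixfirewall# write memory
! write memory saves the running config so the change survives a reload
pixfirewall# show fixup
! smtp should no longer be listed
```

On PIX 7.x and ASA software the same inspection is called esmtp and lives in the global policy map; there the equivalent is "no inspect esmtp" under "class inspection_default" in "policy-map global_policy".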
Once again, I hope this saves at least someone the headaches I had. While this article is specifically about Exim, I'm pretty sure it will hold true for all MTAs supporting ESMTP.
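Because the symptom is visible from any client, it is worth having a quick probe that reads the greeting, sends EHLO and reports whether ESMTP (and with it STARTTLS and AUTH) survives the path. The script below is an added example, not code from the original article or from Exim: the two greetings are the ones quoted above, while the EHLO replies and the host names are constructed assumptions. Run it with a host argument to probe a live server, or with no arguments to see it classify the constructed samples.

```python
"""Probe an SMTP port and tell whether a PIX-style "Mailguard" is
stripping ESMTP between the client and the MTA (added example)."""
import socket

# Constructed samples. The two greetings are the ones quoted in the
# article; the EHLO replies are assumed, not captured from a real box.
CLEAN_BANNER = "220 mailserver ESMTP Exim 4.52 Tue, 04 Apr 2006 14:17:01 -0500"
CLEAN_EHLO = (
    "250-mailserver Hello probe.example [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)
MASKED_BANNER = "220 *********************2******0******200*****02*****0*00"
MASKED_EHLO = "500 unrecognized command\r\n"   # assumed reply once EHLO became XXXX


def banner_is_masked(banner: str) -> bool:
    """True when the 220 greeting is mostly asterisks, the Mailguard signature."""
    if not banner.startswith("220"):
        return False
    body = banner[3:].strip()
    return bool(body) and body.count("*") > len(body) // 2


def parse_reply(raw: str):
    """Split a (possibly multi-line) SMTP reply into (code, [text lines])."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        return 0, []
    try:
        code = int(lines[-1][:3])
    except ValueError:
        code = 0
    return code, [l[4:] for l in lines]


def diagnose(banner: str, ehlo_reply: str) -> dict:
    """Combine the greeting and the EHLO reply into a verdict."""
    code, texts = parse_reply(ehlo_reply)
    # EHLO capability keywords are the first word of each line after the first
    caps = {t.split()[0].upper() for t in texts[1:] if t.split()} if code == 250 else set()
    masked = banner_is_masked(banner)
    if masked or code >= 500:
        verdict = "mailguard"     # something in the path is downgrading to plain SMTP
    elif code == 250:
        verdict = "esmtp-ok"
    else:
        verdict = "unknown"
    return {
        "verdict": verdict,
        "banner_masked": masked,
        "ehlo_code": code,
        "starttls": "STARTTLS" in caps,
        "auth": "AUTH" in caps,
    }


def _read_reply(sock) -> str:
    """Read one SMTP reply; it is complete when a line reads 'NNN ' (space, not dash)."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = data.split(b"\r\n")
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            break
    return data.decode("ascii", "replace")


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Talk to a live server: greeting, EHLO, QUIT, then diagnose."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _read_reply(sock)
        sock.sendall(b"EHLO probe.example\r\n")   # assumed client name
        ehlo = _read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return diagnose(banner.strip(), ehlo)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe(sys.argv[1], port))
    else:
        for b, e in ((CLEAN_BANNER, CLEAN_EHLO), (MASKED_BANNER, MASKED_EHLO)):
            print(diagnose(b, e))
```

Run it once from outside the firewall and once from the LAN: if the inside run says esmtp-ok with starttls and auth True while the outside run says mailguard, the MTA is fine and the device in between is the problem.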
This article can be found online at the Debian Administration website at the following bookmarkable URL:
This article is copyright 2006 redbeard - please ask for permission to republish or translate.