Working around broken Cisco PIX or ASA installations

Posted by Ralf Hildebrandt on 20 June 2011 | 0 Comments


Cisco's firewalls, predominantly the PIX and the ASA, have a feature called "smtp protocol fixup" (fixup protocol smtp on older PIX releases, inspect esmtp in a policy-map on PIX 7 and the ASA).

There is nothing to fix, yet some admins enable this feature, not knowing that it degrades performance and blocks legitimate mail: the SMTP engine in the firewall does not correctly parse DKIM-Signature headers, so the session is torn down at the end of the DATA phase and the sending MTA is left guessing whether the message was delivered.

Great job, Cisco!

A workaround is to strip the DKIM-Signature headers when sending to sites that exhibit this behaviour. In the Postfix log the failure shows up as a 4.4.2 deferral with the connection lost while sending end of data:

Jun 20 15:37:04 mail postfix/smtp[29987]: 3QyXw43YY0zFvnF:
 to=<v.marmol@skynet.be>, relay=in.mx.skynet.be[195.238.5.129]:25,
delay=1571, delays=1214/0.04/0.08/357, dsn=4.4.2, status=deferred (lost connection with in.mx.skynet.be[195.238.5.129] while sending end of data -- message may be sent more than once)
Jun 20 15:37:04 mail postfix/smtp[29987]: 3QyXw43YY0zFvnF:
 to=<...@skynet.be>, relay=in.mx.skynet.be[195.238.5.129]:25, 
delay=1571, delays=1214/0.04/0.08/357, dsn=4.4.2, status=deferred (lost connection with in.mx.skynet.be[195.238.5.129] while sending end of data -- message may be sent more than once)
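Before adding a per-site transport it helps to confirm which destinations actually show this pattern, and to derive the transport_maps entries from the log rather than by hand. The following is an added example, not code from the original post: it parses postfix/smtp delivery records, counts 4.4.2 "while sending end of data" deferrals per relay, and emits exact-domain transport_maps lines for the recipient domains involved. The log lines, hostnames and addresses in SAMPLE_LOG are constructed for this example (example.be, example.net, example.org); the regular expression and the "nodkim" transport name are assumptions that mirror the post's setup.

```python
import re
from collections import Counter

# Constructed sample Postfix log lines for this example (not the ones from the post):
# two recipients of one message deferred by the same relay at end of DATA, one
# unrelated 4.4.2 deferral during the greeting, and one successful delivery.
SAMPLE_LOG = """\
Jun 20 15:37:04 mail postfix/smtp[29987]: 3QyXw43YY0zFvnF: to=<a@example.be>, relay=in.mx.example.be[192.0.2.10]:25, delay=1571, delays=1214/0.04/0.08/357, dsn=4.4.2, status=deferred (lost connection with in.mx.example.be[192.0.2.10] while sending end of data -- message may be sent more than once)
Jun 20 15:37:04 mail postfix/smtp[29987]: 3QyXw43YY0zFvnF: to=<b@example.be>, relay=in.mx.example.be[192.0.2.10]:25, delay=1571, delays=1214/0.04/0.08/357, dsn=4.4.2, status=deferred (lost connection with in.mx.example.be[192.0.2.10] while sending end of data -- message may be sent more than once)
Jun 20 15:38:10 mail postfix/smtp[29990]: 3QyXw43YY0zFvnG: to=<c@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=5, delays=0.1/0.02/4/0.5, dsn=4.4.2, status=deferred (lost connection with mx.example.net[198.51.100.7] while receiving the initial server greeting)
Jun 20 15:39:00 mail postfix/smtp[29991]: 3QyXw43YY0zFvnH: to=<d@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)
"""

# One postfix/smtp delivery record (assumed layout, matching the lines above).
# Records with relay=none have no [ip]:port part and deliberately do not match.
SMTP_RECORD = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): "
    r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^\[,]+)\[(?P<ip>[^\]]+)\]:\d+, "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

# The text Postfix logs when the peer drops the connection after "." was sent.
END_OF_DATA = "while sending end of data"


def parse_smtp_record(line):
    """Return the named fields of a postfix/smtp delivery line, or None."""
    m = SMTP_RECORD.search(line)
    return m.groupdict() if m else None


def is_end_of_data_deferral(rec):
    """True for a 4.4.2 deferral where the peer hung up while we sent end of data."""
    return (rec["status"] == "deferred" and rec["dsn"] == "4.4.2"
            and END_OF_DATA in rec["reason"])


def suspect_relays(log_text):
    """Count end-of-data deferrals per relay hostname. Repeated hits on one relay
    for messages that carry DKIM-Signature headers point at a broken fixup."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_smtp_record(line)
        if rec and is_end_of_data_deferral(rec):
            counts[rec["relay"]] += 1
    return counts


def transport_map_entries(log_text, transport="nodkim"):
    """Recipient domains behind the suspect relays, formatted as transport_maps
    lines for the stripping transport. Entries are exact domains, which is how
    Postfix matches transport_maps by default; a subdomain needs its own
    ".domain" entry."""
    domains = set()
    for line in log_text.splitlines():
        rec = parse_smtp_record(line)
        if rec and is_end_of_data_deferral(rec):
            domains.add(rec["rcpt"].rsplit("@", 1)[-1].lower())
    return [f"{d}\t{transport}:" for d in sorted(domains)]


if __name__ == "__main__":
    for relay, n in suspect_relays(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {relay}")
    print("\n".join(transport_map_entries(SAMPLE_LOG)))
```

Only the end-of-data variant is counted: a 4.4.2 during the greeting or banner is a different failure and should not earn a site the stripping transport.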

In transport_maps I defined:

skynet.be               nodkim:

and in master.cf I defined a new transport:

nodkim    unix  -       -       -       -       -       smtp 
     -o smtp_header_checks=pcre:/etc/postfix/no_dkim.pcre

no_dkim.pcre contains the pattern used to identify the offending header:

/^DKIM-Signature:/  IGNORE
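What the three pieces do together is easy to get subtly wrong: transport_maps selects the transport by exact recipient domain, and smtp_header_checks applies its pattern to the logical header, so a folded DKIM-Signature header (which is the normal case, the b= value alone runs to several lines) is removed in its entirety, continuation lines included. The following is an added example, not code from the original post, that models that behaviour in Python: a transport lookup mirroring the post's transport_maps entry, and an IGNORE action that works on logical headers as Postfix does. The message in SAMPLE_MSG is constructed (hostnames under example.org, a placeholder b= value), the helper names are assumptions, and the case-insensitive match reflects the default for Postfix pcre tables.

```python
import re

# Mirrors the post's transport_maps entry: recipient domain -> Postfix transport.
# Postfix matches transport_maps on the exact domain by default; a subdomain is
# only covered by a separate ".domain" entry, and that rule is kept here.
TRANSPORT_MAP = {"skynet.be": "nodkim"}

# Mirrors no_dkim.pcre. Postfix pcre tables match case-insensitively unless the
# pattern says otherwise, so the header name is matched that way here too.
STRIP_PATTERNS = [re.compile(r"^DKIM-Signature:", re.IGNORECASE)]

# Constructed test message (not from the post): a folded DKIM-Signature header,
# a second signature as some relays add, and an unrelated folded Received header.
SAMPLE_MSG = (
    "Received: from client.example.org (client.example.org [192.0.2.1])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 3QyXw43YY0zFvnF\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    "\ts=mail; t=1308577024; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\n"
    "\th=From:To:Subject:Date; b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==\n"
    "dkim-signature: v=1; a=rsa-sha256; d=relay.example.org; s=x; b=AAAA\n"
    "From: sender@example.org\n"
    "To: someone@skynet.be\n"
    "Subject: test\n"
    "\n"
    "Hello.\n"
)


def logical_headers(header_block):
    """Group physical lines into logical headers: a line starting with space or
    tab continues the previous header (RFC 5322 folding). Postfix header_checks
    applies its patterns to the logical header, so IGNORE drops every fold."""
    headers = []
    for line in header_block.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1].append(line)
        else:
            headers.append([line])
    return headers


def strip_headers(message, patterns):
    """Apply IGNORE to every logical header matching one of patterns.
    Returns (new_message, number_of_logical_headers_removed)."""
    head, sep, body = message.partition("\n\n")
    kept, removed = [], 0
    for lines in logical_headers(head):
        logical = "\n".join(lines)  # "^" anchors only at the header's first line
        if any(p.search(logical) for p in patterns):
            removed += 1
        else:
            kept.extend(lines)
    return "\n".join(kept) + sep + body, removed


def transport_for(rcpt):
    """Transport chosen for a recipient: exact-domain lookup like transport_maps."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return TRANSPORT_MAP.get(domain)


def deliver(message, rcpt):
    """The message as the smtp client would send it for rcpt: signatures are
    stripped only when the nodkim transport is selected, all other mail is
    left untouched."""
    if transport_for(rcpt) == "nodkim":
        message, _ = strip_headers(message, STRIP_PATTERNS)
    return message


if __name__ == "__main__":
    print(deliver(SAMPLE_MSG, "someone@skynet.be"))
```

Two operational points follow from this. Stripping the signature means the receiving site can no longer verify DKIM for your mail, so keep the workaround scoped to the affected destinations through transport_maps rather than setting smtp_header_checks globally. And after editing: a pcre table needs no postmap, a hash-type transport_maps does, and the new master.cf entry only takes effect after postfix reload.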
